github - ghsa-rpc3-mw2p-39mj

GHSA-RPC3-MW2P-39MJ

Vulnerability from github – Published: 2024-05-08 03:30 – Updated: 2024-07-12 21:31

Details

Incomplete fix for CVE-2024-1929

The problem with CVE-2024-1929 was that the dnf5 D-Bus daemon accepted arbitrary configuration parameters from unprivileged users, which allowed a local root exploit by tricking the daemon into loading a user controlled "plugin". All of this happened before Polkit authentication was even started.

The dnf5 library code does not check whether non-root users control the directory in question.

On one hand, this poses a Denial-of-Service attack vector by making the daemonoperate on a blocking file (e.g. named FIFO special file) or a very large file that causes an out-of-memory situation (e.g. /dev/zero). On the other hand, this can be used to let the daemon process privileged files like /etc/shadow. The file in question is parsed as an INI file. Error diagnostics resulting from parsing privileged files could cause information leaks, if these diagnostics are accessible to unprivileged users. In the case of libdnf5, no such user accessible diagnostics should exist, though.

Also, a local attacker can place a valid repository configuration file in this directory. This configuration file allows to specify a plethora of additional configuration options. This makes various additional code paths in libdnf5 accessible to the attacker.

Severity ?

8.8 (High)


                  
                    CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2024-2746"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-08T02:15:09Z",
    "severity": "HIGH"
  },
  "details": "Incomplete fix for CVE-2024-1929\n\nThe problem with CVE-2024-1929 was that the dnf5 D-Bus daemon accepted arbitrary configuration parameters from unprivileged users, which allowed a\nlocal root exploit by tricking the daemon into loading a user controlled \"plugin\". All of this happened before Polkit authentication was even started.\n\nThe dnf5 library code does not check whether non-root users control the directory in question.\u00a0\n\nOn one hand, this poses a Denial-of-Service attack vector by making the daemonoperate on a blocking file (e.g. named FIFO special file) or a very large file\nthat causes an out-of-memory situation (e.g. /dev/zero). On the other hand, this can be used to let the daemon process privileged files like /etc/shadow.\nThe file in question is parsed as an INI file. Error diagnostics resulting from parsing privileged files could cause information leaks, if these diagnostics\nare accessible to unprivileged users. In the case of libdnf5, no such user accessible diagnostics should exist, though.\n\nAlso, a local attacker can place a valid repository configuration file in this directory. This configuration file allows to specify\na plethora of additional configuration options. This makes various\u00a0additional code paths in libdnf5 accessible to the attacker.\u00a0\n",
  "id": "GHSA-rpc3-mw2p-39mj",
  "modified": "2024-07-12T21:31:16Z",
  "published": "2024-05-08T03:30:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2746"
    },
    {
      "type": "WEB",
      "url": "https://www.openwall.com/lists/oss-security/2024/04/03/5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

CVE-2024-2746 (GCVE-0-2024-2746)

Vulnerability from cvelistv5 – Published: 2024-05-08 01:55 – Updated: 2024-08-12 18:29

Summary

Incomplete fix for CVE-2024-1929 The problem with CVE-2024-1929 was that the dnf5 D-Bus daemon accepted arbitrary configuration parameters from unprivileged users, which allowed a local root exploit by tricking the daemon into loading a user controlled "plugin". All of this happened before Polkit authentication was even started. The dnf5 library code does not check whether non-root users control the directory in question. On one hand, this poses a Denial-of-Service attack vector by making the daemonoperate on a blocking file (e.g. named FIFO special file) or a very large file that causes an out-of-memory situation (e.g. /dev/zero). On the other hand, this can be used to let the daemon process privileged files like /etc/shadow. The file in question is parsed as an INI file. Error diagnostics resulting from parsing privileged files could cause information leaks, if these diagnostics are accessible to unprivileged users. In the case of libdnf5, no such user accessible diagnostics should exist, though. Also, a local attacker can place a valid repository configuration file in this directory. This configuration file allows to specify a plethora of additional configuration options. This makes various additional code paths in libdnf5 accessible to the attacker.

Severity ?

8.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CWE

CWE-20 - Improper Input Validation

Assigner

redhat

References

URL

Tags

https://www.openwall.com/lists/oss-security/2024/…

Impacted products

	Vendor	Product	Version
	Fedora	dnf5daemon-server	Affected: 5.1.16

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-01T19:25:41.295Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.openwall.com/lists/oss-security/2024/04/03/5"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:fedora:dnf5daemon-server:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "dnf5daemon-server",
            "vendor": "fedora",
            "versions": [
              {
                "lessThan": "5.1.17",
                "status": "affected",
                "version": "5.1.16",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-2746",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-05-08T14:43:25.427605Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-08-12T18:29:59.508Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "Linux"
          ],
          "product": "dnf5daemon-server",
          "vendor": "Fedora",
          "versions": [
            {
              "status": "affected",
              "version": "5.1.16"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Incomplete fix for CVE-2024-1929\u003cbr\u003e\u003cbr\u003eThe problem with CVE-2024-1929 was that the dnf5 D-Bus daemon accepted arbitrary configuration parameters from unprivileged users, which allowed a\u003cbr\u003elocal root exploit by tricking the daemon into loading a user controlled \"plugin\". All of this happened before Polkit authentication was even started.\u003cbr\u003e\u003cbr\u003eThe dnf5 library code does not check whether non-root users control the directory in question.\u0026nbsp;\u003cbr\u003e\u003cbr\u003eOn one hand, this poses a Denial-of-Service attack vector by making the daemonoperate on a blocking file (e.g. named FIFO special file) or a very large file\u003cbr\u003ethat causes an out-of-memory situation (e.g. /dev/zero). On the other hand, this can be used to let the daemon process privileged files like /etc/shadow.\u003cbr\u003eThe file in question is parsed as an INI file. Error diagnostics resulting from parsing privileged files could cause information leaks, if these diagnostics\u003cbr\u003eare accessible to unprivileged users. In the case of libdnf5, no such user accessible diagnostics should exist, though.\u003cbr\u003e\u003cbr\u003eAlso, a local attacker can place a valid repository configuration file in this directory. This configuration file allows to specify\u003cbr\u003ea plethora of additional configuration options. This makes various\u0026nbsp;additional code paths in libdnf5 accessible to the attacker."
            }
          ],
          "value": "Incomplete fix for CVE-2024-1929\n\nThe problem with CVE-2024-1929 was that the dnf5 D-Bus daemon accepted arbitrary configuration parameters from unprivileged users, which allowed a\nlocal root exploit by tricking the daemon into loading a user controlled \"plugin\". All of this happened before Polkit authentication was even started.\n\nThe dnf5 library code does not check whether non-root users control the directory in question.\u00a0\n\nOn one hand, this poses a Denial-of-Service attack vector by making the daemonoperate on a blocking file (e.g. named FIFO special file) or a very large file\nthat causes an out-of-memory situation (e.g. /dev/zero). On the other hand, this can be used to let the daemon process privileged files like /etc/shadow.\nThe file in question is parsed as an INI file. Error diagnostics resulting from parsing privileged files could cause information leaks, if these diagnostics\nare accessible to unprivileged users. In the case of libdnf5, no such user accessible diagnostics should exist, though.\n\nAlso, a local attacker can place a valid repository configuration file in this directory. This configuration file allows to specify\na plethora of additional configuration options. This makes various\u00a0additional code paths in libdnf5 accessible to the attacker."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-20",
              "description": "CWE-20 Improper Input Validation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-07-12T19:00:40.624Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "url": "https://www.openwall.com/lists/oss-security/2024/04/03/5"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Incomplete fix for CVE-2024-1929",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2024-2746",
    "datePublished": "2024-05-08T01:55:10.092Z",
    "dateReserved": "2024-03-20T16:02:36.835Z",
    "dateUpdated": "2024-08-12T18:29:59.508Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

GHSA-RPC3-MW2P-39MJ

CVE-2024-2746 (GCVE-0-2024-2746)

Tags

Sightings

Nomenclature