Re: dbus denial of service: CVE-2022-42010, -42011, -42012

[Demi Marie Obenour <demi () invisiblethingslab com>]

On Thu, Oct 06, 2022 at 09:52:53AM +0100, Simon McVittie wrote:
> dbus is the reference implementation of D-Bus, a message bus for
> communication between applications and system services.
>
> Evgeny Vereshchagin discovered several ways in which an authenticated
> local attacker could cause a crash (denial of service) in
> dbus-daemon --system or a custom DBusServer. In uncommon configurations
> these could potentially be carried out by an authenticated remote attacker.
>
> Fixed versions:
>
> * dbus 1.14.x >= 1.14.4 (stable branch)
> * dbus 1.12.x >= 1.12.24 (old stable branch)
> * dbus >= 1.15.2 (development branch)
>
> Older dbus branches such as 1.10.x are EOL and will not receive new
> upstream releases.
>
> Vulnerable versions:
>
> * dbus 1.15.x before 1.15.2
> * dbus 1.14.x before 1.14.4
> * all versions before 1.12.24
>
> CVE-2022-42010 is believed to have been introduced during early dbus
> development (before 1.0) and the other two vulnerabilities mentioned
> here were regressions in 1.3.0.
>
> Vulnerability details:
>
> * An invalid array of fixed-length elements where the length of the array
>   is not a multiple of the length of the element would cause an assertion
>   failure in debug builds or an out-of-bounds read in production builds.
>   This was a regression in version 1.3.0.
>   (dbus#413, CVE-2022-42011, fixed by
>   https://gitlab.freedesktop.org/dbus/dbus/-/commit/079bbf16186e87fb0157adf8951f19864bc2ed69)
>
> * A syntactically invalid type signature with incorrectly nested parentheses
>   and curly brackets would cause an assertion failure in debug builds.
>   Similar messages could potentially result in a crash or incorrect message
>   processing in a production build, although we are not aware of a practical
>   example. (dbus#418, CVE-2022-42010, fixed by
>   https://gitlab.freedesktop.org/dbus/dbus/-/commit/9d07424e9011e3bbe535e83043d335f3093d2916)
>
> * A message in non-native endianness with out-of-band Unix file descriptors
>   would cause a use-after-free and possible memory corruption in production
>   builds, or an assertion failure in debug builds. This was a regression in
>   version 1.3.0. (dbus#417, CVE-2022-42012, fixed by
>   https://gitlab.freedesktop.org/dbus/dbus/-/commit/236f16e444e88a984cf12b09225e0f8efa6c5b44)

Is the memory corruption potentially exploitable for local privilege
escalation?

> Reimplementations of the D-Bus protocol such as systemd's sd-bus (used
> in dbus-broker and systemd) and GLib's GDBus (used in gvfs and ibus)
> do not share dbus' code for message parsing and validation, so they are
> probably unaffected by these issues.

Are clients using libdbus vulnerable if they are behind dbus-broker?
-- 
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things Lab

Attachment: signature.asc
Description: