This flaw is mitigated by the fact that by default, the well-known system dbus-daemon (since 2003) and the well-known session dbus-daemon (in stable releases since dbus 1.10.0 in 2015) only accept the EXTERNAL authentication mechanism, and as a result will reject DBUS_COOKIE_SHA1 at an early stage, before manipulating cookies.
Red Hat Enterprise Linux 6 is affected by this flaw, which can be leveraged to achieve privilege escalation via upstart. This issue has been rated as having important impact for Red Hat Enterprise Linux 6.
Red Hat Enterprise Linux 7 and 8 both ship dbus >= 1.10 and are therefore affected by this flaw only when the system or session dbus-daemons are used under non-standard configurations, or by third-party users of DBusServer. Red Hat Enterprise Linux 7 and 8 do not ship any affected DBusServer consumer. However, third-party applications may be affected.
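To check whether a given dbus-daemon configuration is one of the non-standard ones described above, the added example below (not part of Red Hat's advisory or the D-Bus project's code) reads the `<auth>` elements of a bus configuration and reports whether DBUS_COOKIE_SHA1 would be accepted. It assumes the documented dbus-daemon behaviour that a configuration with no `<auth>` element allows every known mechanism; the sample configurations are constructed, and included files are not followed, so pass them as additional paths.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample configurations in the busconfig format (not from a real host).
DOCTYPE = ('<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-Bus Bus Configuration 1.0//EN"\n'
           ' "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">\n')
DEFAULT_STYLE = DOCTYPE + "<busconfig><type>system</type><auth>EXTERNAL</auth></busconfig>"
NONSTANDARD = DOCTYPE + ("<busconfig><type>session</type><auth>EXTERNAL</auth>"
                         "<auth>DBUS_COOKIE_SHA1</auth></busconfig>")
NO_AUTH = DOCTYPE + "<busconfig><listen>unix:tmpdir=/tmp</listen></busconfig>"


def allowed_mechanisms(config_texts):
    """Return the set of mechanisms named in <auth> elements across all given
    documents, or None when none is named (assumed to mean: all mechanisms)."""
    mechs = set()
    for text in config_texts:
        root = ET.fromstring(text)
        for node in root.iter("auth"):
            name = (node.text or "").strip()
            if name:
                mechs.add(name)
    # An empty result is treated conservatively as "no restriction".
    return mechs or None


def accepts_cookie_sha1(config_texts):
    """True when the configuration does not rule out DBUS_COOKIE_SHA1."""
    mechs = allowed_mechanisms(config_texts)
    return mechs is None or "DBUS_COOKIE_SHA1" in mechs


if __name__ == "__main__":
    # Usage: script.py MAIN.conf [INCLUDED.conf ...]; with no arguments,
    # the constructed samples are evaluated instead.
    if len(sys.argv) > 1:
        texts = [open(p, encoding="utf-8").read() for p in sys.argv[1:]]
        print("accepts DBUS_COOKIE_SHA1:", accepts_cookie_sha1(texts))
    else:
        for label, text in (("default-style", DEFAULT_STYLE),
                            ("non-standard", NONSTANDARD),
                            ("no <auth>", NO_AUTH)):
            print(label, "->", accepts_cookie_sha1([text]))
```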
CVSS v3 metrics
| CVSS3 Base Score | 7 |
| CVSS3 Base Metrics | CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |
Red Hat Security Errata
| Red Hat Enterprise Linux 6 (dbus) | RHSA-2019:1726 | 2019-07-10 |
Affected Packages State
| Red Hat Enterprise Linux 8 | dbus | Affected |
| Red Hat Enterprise Linux 7 | dbus | Affected |
| Red Hat Enterprise Linux 5 | dbus | Out of support scope |
Acknowledgements
Red Hat would like to thank the D-Bus project for reporting this issue. Upstream acknowledges Joe Vennix (Apple Information Security) as the original reporter.
CVE description copyright © 2017, The MITRE Corporation