SB2019061717 - Improper Authentication in dbus (Alpine package)
Published: June 17, 2019
Description
This security bulletin contains information about 1 security vulnerability.
1) Improper Authentication (CVE-ID: CVE-2019-12749)
The vulnerability allows an attacker to bypass the authentication process.
The vulnerability exists due to an error when handling symlinks within the reference implementation of DBUS_COOKIE_SHA1 in the libdbus library. A malicious client with access to its own home directory can manipulate a ~/.dbus-keyrings symlink to cause a DBusServer with a different uid to read and write into unintended locations.
Successful exploitation of the vulnerability may allow an attacker to bypass the DBUS_COOKIE_SHA1 authentication mechanism.
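An audit check for the symlink condition described above, added here as an example and not taken from libdbus or the Alpine patches: it flags any `~/.dbus-keyrings` that is a symlink, has an unexpected owner, or grants group/other permissions. The function names `check_keyring` and `audit_all` and the `--audit` switch are assumptions, and `stat -c` is assumed to be available.

```shell
#!/bin/sh
# Added example (not libdbus code): flag ~/.dbus-keyrings entries that are
# symlinks, wrongly owned, or accessible to other users. Names are hypothetical.

# check_keyring HOME_DIR EXPECTED_UID -> 0 if absent or sane, 1 if suspicious
check_keyring() {
    home=$1
    want_uid=$2
    kr="$home/.dbus-keyrings"
    # Test for a symlink first: [ -d ] follows links and would hide one.
    if [ -L "$kr" ]; then
        echo "REVIEW symlink: $kr -> $(readlink "$kr")"
        return 1
    fi
    [ -e "$kr" ] || return 0            # no keyring yet: nothing to check
    if [ ! -d "$kr" ]; then
        echo "REVIEW not a directory: $kr"
        return 1
    fi
    # stat -c is assumed (GNU coreutils or BusyBox, as on Alpine).
    owner=$(stat -c '%u' "$kr")
    mode=$(stat -c '%a' "$kr")
    if [ "$owner" != "$want_uid" ]; then
        echo "REVIEW owner uid=$owner, expected $want_uid: $kr"
        return 1
    fi
    case $mode in
        *00) return 0 ;;                # no group/other permission bits
        *) echo "REVIEW mode $mode grants group/other access: $kr"; return 1 ;;
    esac
}

# audit_all PASSWD_FILE -> 1 if any account's keyring needs review
audit_all() {
    bad=0
    while IFS=: read -r _n _p uid _g _c home _s; do
        [ -d "$home" ] || continue
        check_keyring "$home" "$uid" || bad=1
    done < "$1"
    return "$bad"
}

# Run the audit only when asked, e.g.: sh audit-keyrings.sh --audit
if [ "${1:-}" = "--audit" ]; then
    audit_all /etc/passwd
fi
```

A flagged entry is a prompt for review, since a symlinked keyring directory can also be a benign local setup.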
Remediation
Install the update from the vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=2e63f747fe1e60480c416caab757d16e9c4765e7
- https://git.alpinelinux.org/aports/commit/?id=b1f51586c78b6c75de117e134bef3777d3aad447
- https://git.alpinelinux.org/aports/commit/?id=9b4acf3c4bd6232498f253edb91cac9d933cede4
- https://git.alpinelinux.org/aports/commit/?id=4419df124ef7246a020c4a10fb36e08e7f06d350
- https://git.alpinelinux.org/aports/commit/?id=e2c5069ec56036e6d14eb982377cd2a39d1358e7
- https://git.alpinelinux.org/aports/commit/?id=4197c781d3fe1b09de37fa74c222bad3183c187f
- https://git.alpinelinux.org/aports/commit/?id=7bcd4b5fb804992725b55d128d1c8f3dd87cb5c4
- https://git.alpinelinux.org/aports/commit/?id=f85fc6d35df663ffa71b00201dcbde8cb5727322
- https://git.alpinelinux.org/aports/commit/?id=fa0e230be9fd2e79919214ecab466f5149cab5fe