CVE-2024-2746

Incomplete fix for CVE-2024-1929. The problem with CVE-2024-1929 was that the dnf5 D-Bus daemon accepted arbitrary configuration parameters from unprivileged users, which allowed a local root exploit by tricking the daemon into loading a user-controlled "plugin". All of this happened before Polkit authentication was even started. The dnf5 library code does not check whether non-root users control the directory in question.

On one hand, this poses a denial-of-service attack vector by making the daemon operate on a blocking file (e.g. a named FIFO special file) or a very large file that causes an out-of-memory situation (e.g. /dev/zero). On the other hand, this can be used to let the daemon process privileged files like /etc/shadow. The file in question is parsed as an INI file. Error diagnostics resulting from parsing privileged files could cause information leaks if these diagnostics are accessible to unprivileged users; in the case of libdnf5, no such user-accessible diagnostics should exist, though.

Also, a local attacker can place a valid repository configuration file in this directory. Such a configuration file allows a plethora of additional configuration options to be specified, which makes various additional code paths in libdnf5 accessible to the attacker.
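The directory-trust and file-type checks the description calls for, as an added example that is not dnf5 or libdnf5 code (those are C++; this is a Python illustration of the same POSIX calls). It assumes a daemon running as root that is handed a repository directory by an unprivileged caller; the 1 MiB size cap, the `.repo` suffix and every function name are assumptions for the demo, and the repository directory it builds (one valid file, a FIFO, a symlink to /dev/zero) is constructed.

```python
"""Added example, not dnf5/libdnf5 code: the POSIX checks a privileged daemon needs
before reading INI files from a directory a D-Bus caller named. Names are assumed."""
import configparser
import errno
import os
import shutil
import stat
import tempfile

MAX_CONFIG_BYTES = 1 << 20   # assumed cap; a repo file is never anywhere near 1 MiB
TRUSTED_UID = os.geteuid()   # the daemon's own uid: 0 for a root daemon such as dnf5


class UntrustedPathError(Exception):
    pass


def check_trusted_dir(path):
    """Accept a directory only if every component from / down is a real directory owned
    by TRUSTED_UID and not group/other-writable (so symlinked parts and /tmp are refused)."""
    path = os.path.abspath(path)
    prefixes, cur = [os.sep], os.sep
    for part in path.strip(os.sep).split(os.sep):
        if part:
            cur = os.path.join(cur, part)
            prefixes.append(cur)
    for p in prefixes:
        st = os.lstat(p)  # lstat: a symlink component is rejected, not followed
        if stat.S_ISLNK(st.st_mode) or not stat.S_ISDIR(st.st_mode):
            raise UntrustedPathError(f"{p}: not a plain directory")
        if st.st_uid != TRUSTED_UID:
            raise UntrustedPathError(f"{p}: owned by uid {st.st_uid}")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            raise UntrustedPathError(f"{p}: writable by group/other")
    return path


def read_config_file(path, max_bytes=MAX_CONFIG_BYTES):
    """O_NOFOLLOW refuses a symlink (x.repo -> /etc/shadow), O_NONBLOCK keeps open() on
    a writer-less FIFO from hanging, fstat() on the descriptor (not stat() on the name,
    which races) insists on a regular file owned by us, and the read itself is bounded."""
    flags = os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK | os.O_NOCTTY | os.O_CLOEXEC
    try:
        fd = os.open(path, flags)
    except OSError as e:
        if e.errno == errno.ELOOP:
            raise UntrustedPathError(f"{path}: is a symlink") from e
        raise
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise UntrustedPathError(f"{path}: not a regular file")
        if st.st_uid != TRUSTED_UID:
            raise UntrustedPathError(f"{path}: owned by uid {st.st_uid}")
        data = os.read(fd, max_bytes + 1)  # bounded: /dev/zero-style input cannot grow it
        if len(data) > max_bytes:
            raise UntrustedPathError(f"{path}: larger than {max_bytes} bytes")
        return data
    finally:
        os.close(fd)


def parse_ini(data):
    """Parse config bytes as INI into {section: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(data.decode("utf-8", errors="replace"))
    return {s: dict(cp[s]) for s in cp.sections()}


def load_repo_configs(reposdir):
    """Hardened 'read every *.repo in the caller's directory': the caller never names a file."""
    reposdir = check_trusted_dir(reposdir)
    return {n: parse_ini(read_config_file(os.path.join(reposdir, n)))
            for n in sorted(os.listdir(reposdir)) if n.endswith(".repo")}


def checked(fn, *args):
    """Run one checked operation and return its result or the rejection reason."""
    try:
        return fn(*args)
    except UntrustedPathError as e:
        return f"rejected: {e}"


def demo():
    """Constructed repos directory made world-writable like a user-controlled location:
    a valid file, a FIFO and a symlink to /dev/zero. Returns each entry's verdict."""
    d = tempfile.mkdtemp(prefix="repos.d-")
    try:
        with open(os.path.join(d, "good.repo"), "w") as f:   # constructed sample
            f.write("[example]\nname=Constructed example\n"
                    "baseurl=https://repo.example.invalid/$basearch\nenabled=1\n")
        os.mkfifo(os.path.join(d, "fifo.repo"))                # hangs a naive open()
        os.symlink("/dev/zero", os.path.join(d, "zero.repo"))  # endless read
        os.chmod(d, 0o1777)
        outcome = {n: checked(lambda p: parse_ini(read_config_file(p)), os.path.join(d, n))
                   for n in sorted(os.listdir(d))}
        outcome["dir"] = checked(load_repo_configs, d)
        return outcome
    finally:
        shutil.rmtree(d)
```

Running `demo()` parses `good.repo`, rejects `fifo.repo` as "not a regular file" and `zero.repo` as "is a symlink", and refuses the directory as a whole. Note the division of labour: the per-file checks stop special files and symlinks, but a root daemon handed the literal path /etc/shadow would pass the ownership test, since that file is a regular root-owned file. What closes that path is validating the directory and reading only what a listing of it yields, so the caller never names a file; and, as the advisory stresses, all of this should sit behind Polkit authorization rather than in front of it.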
Configurations

No configuration.

History

12 Jul 2024, 19:15

Type: Summary
Values Removed: (en) Incomplete fix for CVE-2024-1929 The problem with CVE-2024-1929 was that the dnf5 D-Bus daemon accepted arbitrary configuration parameters from unprivileged users, which allowed a local root exploit by tricking the daemon into loading a user controlled "plugin". All of this happened before Polkit authentication was even started. The dnf5 library code does not check whether non-root users control the directory in question. On one hand, this poses a Denial-of-Service attack vector by making the daemonoperate on a blocking file (e.g. named FIFO special file) or a very large file that causes an out-of-memory situation (e.g. /dev/zero). On the other hand, this can be used to let the daemon process privileged files like /etc/shadow. The file in question is parsed as an INI file. Error diagnostics resulting from parsing privileged files could cause information leaks, if these diagnostics are accessible to unprivileged users. In the case of libdnf5, no such user accessible diagnostics should exist, though. Also, a local attacker can place a valid repository configuration file in this directory. This configuration file allows to specify a plethora of additional configuration options. This makes various additional code paths in libdnf5 accessible to the attacker.
Values Added: (en) the same English summary text, unchanged from the value removed above.

08 May 2024, 13:15

Type: Summary
Values Added:
  • (es, translated from Spanish) Incomplete fix for CVE-2024-1929. The problem with CVE-2024-1929 was that the dnf5 D-Bus daemon accepted arbitrary configuration parameters from unprivileged users, which allowed a local root exploit by tricking the daemon into loading a user-controlled "plugin". All of this happened even before Polkit authentication was started. The dnf5 library code does not check whether non-root users control the directory in question. On one hand, this poses a denial-of-service attack vector by making the daemon operate on a blocking file (for example, a FIFO special file) or a very large file that causes an out-of-memory situation (for example, /dev/zero). On the other hand, this can be used to let the daemon process privileged files such as /etc/shadow. The file in question is parsed as an INI file. Error diagnostics resulting from parsing privileged files could cause information leaks if these diagnostics are accessible to unprivileged users. In the case of libdnf5, however, no user-accessible diagnostics should exist. Also, a local attacker can place a valid repository configuration file in this directory. This configuration file allows a large number of additional configuration options to be specified. This makes various additional code paths in libdnf5 accessible to the attacker.

08 May 2024, 02:15

Type: New CVE

Information

Published : 2024-05-08 02:15

Updated : 2024-07-12 19:15


NVD link : CVE-2024-2746

Mitre link : CVE-2024-2746

CVE.ORG link : CVE-2024-2746



Products Affected

No product.

CWE: CWE-20 (Improper Input Validation)