NewStart CGSL MAIN 6.02 : dbus Multiple Vulnerabilities (NS-SA-2022-0093)

medium Nessus Plugin ID 167488

Synopsis

The remote NewStart CGSL host is affected by multiple vulnerabilities.

Description

The remote NewStart CGSL host, running version MAIN 6.02, has dbus packages installed that are affected by multiple vulnerabilities:

- Unspecified vulnerability in the match_rule_equal function in bus/signals.c in D-Bus before 1.0.2 allows local applications to remove match rules for other applications and cause a denial of service (lost process messages). (CVE-2006-6107)

- dbus-daemon in D-Bus before 1.0.3, and 1.1.x before 1.1.20, recognizes send_interface attributes in allow directives in the security policy only for fully qualified method calls, which allows local users to bypass intended access restrictions via a method call with a NULL interface. (CVE-2008-0595)

- The _dbus_validate_signature_with_reason function (dbus-marshal-validate.c) in D-Bus (aka DBus) before 1.2.14 uses incorrect logic to validate a basic type, which allows remote attackers to spoof a signature via a crafted key. NOTE: this is due to an incorrect fix for CVE-2008-3834. (CVE-2009-1189)

- libdbus 1.5.x and earlier, when used in setuid or other privileged programs in X.org and possibly other products, allows local users to gain privileges and execute arbitrary code via the DBUS_SYSTEM_BUS_ADDRESS environment variable. NOTE: libdbus maintainers state that this is a vulnerability in the applications that do not cleanse environment variables, not in libdbus itself: we do not support use of libdbus in setuid binaries that do not sanitize their environment before their first call into libdbus. (CVE-2012-3524)

- The _dbus_printf_string_upper_bound function in dbus/dbus-sysdeps-unix.c in D-Bus (aka DBus) 1.4.x before 1.4.26, 1.6.x before 1.6.12, and 1.7.x before 1.7.4 allows local users to cause a denial of service (service crash) via a crafted message. (CVE-2013-2168)

- The dbus-daemon in D-Bus 1.2.x through 1.4.x, 1.6.x before 1.6.20, and 1.8.x before 1.8.4, sends an AccessDenied error to the service instead of a client when the client is prohibited from accessing the service, which allows local users to cause a denial of service (initialization failure and exit) or possibly conduct a side-channel attack via a D-Bus message to an inactive service. (CVE-2014-3477)

- dbus 1.3.0 before 1.6.22 and 1.8.x before 1.8.6 allows local users to cause a denial of service (disconnect) via a certain sequence of crafted messages that cause the dbus-daemon to forward a message containing an invalid file descriptor. (CVE-2014-3533)

- Off-by-one error in D-Bus 1.3.0 through 1.6.x before 1.6.24 and 1.8.x before 1.8.8, when running on a 64-bit system and the max_message_unix_fds limit is set to an odd number, allows local users to cause a denial of service (dbus-daemon crash) or possibly execute arbitrary code by sending one more file descriptor than the limit, which triggers a heap-based buffer overflow or an assertion failure. (CVE-2014-3635)

- D-Bus 1.3.0 through 1.6.x before 1.6.24 and 1.8.x before 1.8.8 allows local users to (1) cause a denial of service (prevention of new connections and connection drop) by queuing the maximum number of file descriptors or (2) cause a denial of service (disconnect) via multiple messages that combine to have more than the allowed number of file descriptors for a single sendmsg call. (CVE-2014-3636)

- D-Bus 1.3.0 through 1.6.x before 1.6.24 and 1.8.x before 1.8.8 does not properly close connections for processes that have terminated, which allows local users to cause a denial of service via a D-bus message containing a D-Bus connection file descriptor. (CVE-2014-3637)

- The bus_connections_check_reply function in config-parser.c in D-Bus before 1.6.24 and 1.8.x before 1.8.8 allows local users to cause a denial of service (CPU consumption) via a large number of method calls. (CVE-2014-3638)

- The dbus-daemon in D-Bus before 1.6.24 and 1.8.x before 1.8.8 does not properly close old connections, which allows local users to cause a denial of service (incomplete connection consumption and prevention of new connections) via a large number of incomplete connections. (CVE-2014-3639)

- D-Bus 1.3.0 through 1.6.x before 1.6.26, 1.8.x before 1.8.10, and 1.9.x before 1.9.2 allows local users to cause a denial of service (prevention of new connections and connection drop) by queuing the maximum number of file descriptors. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-3636. (CVE-2014-7824)

- D-Bus 1.4.x through 1.6.x before 1.6.30, 1.8.x before 1.8.16, and 1.9.x before 1.9.10 does not validate the source of ActivationFailure signals, which allows local users to cause a denial of service (activation failure error returned) by leveraging a race condition involving sending an ActivationFailure signal before systemd responds. (CVE-2015-0245)

- An issue was discovered in dbus >= 1.3.0 before 1.12.18. The DBusServer in libdbus, as used in dbus-daemon, leaks file descriptors when a message exceeds the per-message file descriptor limit. A local attacker with access to the D-Bus system bus or another system service's private AF_UNIX socket could use this to make the system service reach its file descriptor limit, denying service to subsequent D-Bus clients. (CVE-2020-12049)
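The CVE-2008-0595 entry above is easy to misread, so here is a worked model of the policy bug. This is an added example, not D-Bus source code and not part of the advisory: the Rule and Message structs, the function names and the com.example.Daemon policy are all constructed for illustration, and only two of the many attributes a real policy rule can carry are modelled. The "vulnerable" matcher skips the interface comparison whenever a method call carries no interface, so an allow rule meant to expose one interface silently allows interface-less calls too; the "fixed" matcher reproduces the upstream semantics, where an interface-less message never satisfies an allow rule that names a send_interface but still satisfies a deny rule that does.

```c
/* Added example: simplified model of how dbus-daemon matches a policy rule's
 * send_interface attribute against a method call (CVE-2008-0595).  Not dbus
 * code; the types, names and policy below are assumptions for illustration. */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

typedef struct {
    bool        allow;        /* true for <allow .../>, false for <deny .../> */
    const char *interface;    /* send_interface="..." or NULL if unspecified */
    const char *destination;  /* send_destination="..." or NULL if unspecified */
} Rule;

typedef struct {
    const char *interface;    /* optional on the wire: a method call may have no interface */
    const char *destination;
} Message;

static bool destination_matches(const Rule *r, const Message *m)
{
    if (r->destination == NULL)
        return true;
    return m->destination != NULL && strcmp(r->destination, m->destination) == 0;
}

/* Vulnerable behaviour (D-Bus < 1.0.3, 1.1.x < 1.1.20): the interface check is
 * skipped when the message has no interface, so a rule naming a send_interface
 * acts as a wildcard for interface-less method calls. */
static bool rule_matches_vulnerable(const Rule *r, const Message *m)
{
    if (!destination_matches(r, m))
        return false;
    if (r->interface != NULL && m->interface != NULL &&
        strcmp(r->interface, m->interface) != 0)
        return false;
    return true;
}

/* Fixed behaviour: an interface-less message never matches an <allow> rule that
 * names a send_interface, but does match a <deny> rule that names one, so
 * omitting the interface can only make the effective policy stricter. */
static bool rule_matches_fixed(const Rule *r, const Message *m)
{
    if (!destination_matches(r, m))
        return false;
    if (r->interface != NULL) {
        if (m->interface == NULL)
            return !r->allow;
        if (strcmp(r->interface, m->interface) != 0)
            return false;
    }
    return true;
}

typedef bool (*match_fn)(const Rule *, const Message *);

/* Ordered rule list, last matching rule wins (dbus-daemon semantics);
 * default_allow is the implicit result when nothing matches. */
static bool policy_allows(const Rule *rules, size_t n, const Message *m,
                          bool default_allow, match_fn matches)
{
    bool result = default_allow;
    for (size_t i = 0; i < n; i++)
        if (matches(&rules[i], m))
            result = rules[i].allow;
    return result;
}

/* Constructed policy: deny everything sent to com.example.Daemon, then allow
 * only calls on the com.example.Public interface. */
static const Rule example_policy[] = {
    { false, NULL,                 "com.example.Daemon" },
    { true,  "com.example.Public", "com.example.Daemon" },
};
#define N_RULES (sizeof example_policy / sizeof example_policy[0])

/* Would a method call to com.example.Daemon on the given (possibly NULL)
 * interface be allowed under each matcher? */
bool vulnerable_allows(const char *interface)
{
    Message m = { interface, "com.example.Daemon" };
    return policy_allows(example_policy, N_RULES, &m, false, rule_matches_vulnerable);
}

bool fixed_allows(const char *interface)
{
    Message m = { interface, "com.example.Daemon" };
    return policy_allows(example_policy, N_RULES, &m, false, rule_matches_fixed);
}
```

With the vulnerable matcher, a call on com.example.Private is correctly denied but a call with no interface at all is allowed, which is the bypass; with the fixed matcher the same interface-less call falls through to the deny rule. Policies that rely on send_interface alone to gate access should be reviewed on any host still running the affected dbus-daemon.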
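For CVE-2012-3524 the maintainers' position quoted above places the fix in the privileged program, not in libdbus: a setuid or setgid binary must sanitize its environment before its first libdbus call, otherwise an unprivileged caller can point DBUS_SYSTEM_BUS_ADDRESS at a socket it controls. The following is an added example of that mitigation, not code from dbus or from any affected product; the function names are assumptions, and the choice to drop every variable with a DBUS_ prefix (rather than only DBUS_SYSTEM_BUS_ADDRESS) is a deliberately conservative one made here.

```c
/* Added example: scrub D-Bus related variables from the environment of a
 * privileged program before it touches libdbus (mitigation for CVE-2012-3524).
 * Not dbus code; function names are assumptions made for this example. */
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

extern char **environ;

/* A process that gained privilege through setuid/setgid must not trust the
 * environment it inherited from its unprivileged caller. */
bool running_privileged(void)
{
    return getuid() != geteuid() || getgid() != getegid();
}

/* Remove every variable whose name begins with DBUS_.  DBUS_SYSTEM_BUS_ADDRESS
 * is the one named in the advisory; DBUS_SESSION_BUS_ADDRESS, DBUS_STARTER_*
 * and debugging knobs such as DBUS_VERBOSE are also read by libdbus, so the
 * whole prefix is dropped rather than maintaining an allow-list.
 * Returns the number of variables removed.  Call it at the top of main() in a
 * setuid helper, before the first libdbus call. */
int scrub_dbus_env(void)
{
    int removed = 0;

    /* unsetenv() may reorder environ, so rescan from the start after each
     * removal instead of continuing a possibly stale iteration. */
    for (;;) {
        char **e;
        for (e = environ; e != NULL && *e != NULL; e++)
            if (strncmp(*e, "DBUS_", 5) == 0)
                break;
        if (e == NULL || *e == NULL)
            break;

        /* Copy just the NAME part of NAME=value for unsetenv(). */
        const char *eq = strchr(*e, '=');
        size_t len = eq ? (size_t)(eq - *e) : strlen(*e);
        char *name = malloc(len + 1);
        if (name == NULL)
            break;
        memcpy(name, *e, len);
        name[len] = '\0';
        int rc = unsetenv(name);
        free(name);
        if (rc != 0)
            break;          /* refuse to spin on a name unsetenv() rejects */
        removed++;
    }
    return removed;
}

/* Convenience wrapper: only scrub when privilege was actually gained, so an
 * unprivileged invocation keeps its session bus address for normal use. */
int scrub_dbus_env_if_privileged(void)
{
    return running_privileged() ? scrub_dbus_env() : 0;
}
```

Scrubbing must happen before any libdbus entry point, including indirect ones pulled in by toolkit initialisation, because libdbus reads these variables when it first connects. Programs that additionally execute children should pass a fresh environment to execve() rather than relying on the scrubbed one.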

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade the vulnerable CGSL dbus packages. Note that updated packages may not be available yet. Please contact ZTE for more information.

See Also

http://security.gd-linux.com/notice/NS-SA-2022-0093

http://security.gd-linux.com/info/CVE-2006-6107

http://security.gd-linux.com/info/CVE-2008-0595

http://security.gd-linux.com/info/CVE-2009-1189

http://security.gd-linux.com/info/CVE-2012-3524

http://security.gd-linux.com/info/CVE-2013-2168

http://security.gd-linux.com/info/CVE-2014-3477

http://security.gd-linux.com/info/CVE-2014-3533

http://security.gd-linux.com/info/CVE-2014-3635

http://security.gd-linux.com/info/CVE-2014-3636

http://security.gd-linux.com/info/CVE-2014-3637

http://security.gd-linux.com/info/CVE-2014-3638

http://security.gd-linux.com/info/CVE-2014-3639

http://security.gd-linux.com/info/CVE-2014-7824

http://security.gd-linux.com/info/CVE-2015-0245

http://security.gd-linux.com/info/CVE-2020-12049

Plugin Details

Severity: Medium

ID: 167488

File Name: newstart_cgsl_NS-SA-2022-0093_dbus.nasl

Version: 1.3

Type: local

Published: 11/15/2022

Updated: 11/16/2022

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Critical

Score: 9.5

CVSS v2

Risk Factor: Medium

Base Score: 6.9

Temporal Score: 6

Vector: CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2012-3524

CVSS v3

Risk Factor: Medium

Base Score: 5.5

Temporal Score: 5.3

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:H/RL:O/RC:C

CVSS Score Source: CVE-2020-12049

Vulnerability Information

CPE: p-cpe:/a:zte:cgsl_main:dbus, p-cpe:/a:zte:cgsl_main:dbus-common, p-cpe:/a:zte:cgsl_main:dbus-daemon, p-cpe:/a:zte:cgsl_main:dbus-devel, p-cpe:/a:zte:cgsl_main:dbus-libs, p-cpe:/a:zte:cgsl_main:dbus-tools, p-cpe:/a:zte:cgsl_main:dbus-x11, cpe:/o:zte:cgsl_main:6

Required KB Items: Host/local_checks_enabled, Host/ZTE-CGSL/release, Host/ZTE-CGSL/rpm-list, Host/cpu

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 11/9/2022

Vulnerability Publication Date: 12/13/2006

Exploitable With

Core Impact

Reference Information

CVE: CVE-2006-6107, CVE-2008-0595, CVE-2009-1189, CVE-2012-3524, CVE-2013-2168, CVE-2014-3477, CVE-2014-3533, CVE-2014-3635, CVE-2014-3636, CVE-2014-3637, CVE-2014-3638, CVE-2014-3639, CVE-2014-7824, CVE-2015-0245, CVE-2020-12049