7.1 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
6.8 Medium
AI Score
Confidence
High
4.9 Medium
CVSS2
Access Vector
LOCAL
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
COMPLETE
AV:L/AC:L/Au:N/C:N/I:N/A:C
0.0005 Low
EPSS
Percentile
16.2%
Issue Overview:
A flaw was found in dbus. The implementation of DBUS_COOKIE_SHA1 is susceptible to a symbolic link attack. A malicious client with write access to its own home directory could manipulate a ~/.dbus-keyrings symlink to cause the DBusServer to read and write in unintended locations resulting in an authentication bypass. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. (CVE-2019-12749)
An uncontrolled resource consumption vulnerability was discovered in D-Bus. The DBusServer leaks file descriptors when a message exceeds the per-message file descriptor limit. This flaw allows a local attacker with access to the D-Bus system bus or another system service’s private AF_UNIX socket, to make the system service reach its file descriptor limit, denying service to subsequent D-Bus clients. As a result, the system may become unusable for other users, and some services may stop working. The highest threat from this vulnerability is to system availability. (CVE-2020-12049)
Affected Packages:
dbus
Note:
This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.
Issue Correction:
Run yum update dbus to update your system.
New Packages:
aarch64:
dbus-1.10.24-7.amzn2.0.2.aarch64
dbus-libs-1.10.24-7.amzn2.0.2.aarch64
dbus-devel-1.10.24-7.amzn2.0.2.aarch64
dbus-tests-1.10.24-7.amzn2.0.2.aarch64
dbus-x11-1.10.24-7.amzn2.0.2.aarch64
dbus-debuginfo-1.10.24-7.amzn2.0.2.aarch64
i686:
dbus-1.10.24-7.amzn2.0.2.i686
dbus-libs-1.10.24-7.amzn2.0.2.i686
dbus-devel-1.10.24-7.amzn2.0.2.i686
dbus-tests-1.10.24-7.amzn2.0.2.i686
dbus-x11-1.10.24-7.amzn2.0.2.i686
dbus-debuginfo-1.10.24-7.amzn2.0.2.i686
noarch:
dbus-doc-1.10.24-7.amzn2.0.2.noarch
src:
dbus-1.10.24-7.amzn2.0.2.src
x86_64:
dbus-1.10.24-7.amzn2.0.2.x86_64
dbus-libs-1.10.24-7.amzn2.0.2.x86_64
dbus-devel-1.10.24-7.amzn2.0.2.x86_64
dbus-tests-1.10.24-7.amzn2.0.2.x86_64
dbus-x11-1.10.24-7.amzn2.0.2.x86_64
dbus-debuginfo-1.10.24-7.amzn2.0.2.x86_64
Red Hat: CVE-2019-12749, CVE-2020-12049
Mitre: CVE-2019-12749, CVE-2020-12049
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
Amazon Linux | 2 | aarch64 | dbus | < 1.10.24-7.amzn2.0.2 | dbus-1.10.24-7.amzn2.0.2.aarch64.rpm |
Amazon Linux | 2 | aarch64 | dbus-libs | < 1.10.24-7.amzn2.0.2 | dbus-libs-1.10.24-7.amzn2.0.2.aarch64.rpm |
Amazon Linux | 2 | aarch64 | dbus-devel | < 1.10.24-7.amzn2.0.2 | dbus-devel-1.10.24-7.amzn2.0.2.aarch64.rpm |
Amazon Linux | 2 | aarch64 | dbus-tests | < 1.10.24-7.amzn2.0.2 | dbus-tests-1.10.24-7.amzn2.0.2.aarch64.rpm |
Amazon Linux | 2 | aarch64 | dbus-x11 | < 1.10.24-7.amzn2.0.2 | dbus-x11-1.10.24-7.amzn2.0.2.aarch64.rpm |
Amazon Linux | 2 | aarch64 | dbus-debuginfo | < 1.10.24-7.amzn2.0.2 | dbus-debuginfo-1.10.24-7.amzn2.0.2.aarch64.rpm |
Amazon Linux | 2 | i686 | dbus | < 1.10.24-7.amzn2.0.2 | dbus-1.10.24-7.amzn2.0.2.i686.rpm |
Amazon Linux | 2 | i686 | dbus-libs | < 1.10.24-7.amzn2.0.2 | dbus-libs-1.10.24-7.amzn2.0.2.i686.rpm |
Amazon Linux | 2 | i686 | dbus-devel | < 1.10.24-7.amzn2.0.2 | dbus-devel-1.10.24-7.amzn2.0.2.i686.rpm |
Amazon Linux | 2 | i686 | dbus-tests | < 1.10.24-7.amzn2.0.2 | dbus-tests-1.10.24-7.amzn2.0.2.i686.rpm |
7.1 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
6.8 Medium
AI Score
Confidence
High
4.9 Medium
CVSS2
Access Vector
LOCAL
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
COMPLETE
AV:L/AC:L/Au:N/C:N/I:N/A:C
0.0005 Low
EPSS
Percentile
16.2%