CVE-2024-1929 & 1930: Protect Your Linux System from Root Exploits and DoS Attacks

A recent security review of the DNF package manager, a core component of many Linux distributions, uncovered two critical vulnerabilities that could allow attackers to gain complete control of affected systems. These vulnerabilities, found in the dnf5daemon-server component, require immediate patching to protect your systems from potential attacks. Both two significant vulnerabilities were discovered by security researcher Matthias Gerstner.

The dnf5daemon-server serves as a bridge for D-Bus interfaces to interact with the system’s package manager, dnf5. This server runs with root privileges and can be auto-started via the D-Bus system bus, making it a prime target for exploitation. Gerstner’s review of version 5.1.9 unveiled critical vulnerabilities that could potentially allow unprivileged users to escalate their privileges to root.

Image: Fedora

The design of the dnf5daemon-server’s D-Bus interface plays a pivotal role in this. By enabling clients to create new sessions and subsequently manage package configurations, it inadvertently opens the door to unauthorized access and manipulation. While some operations are safeguarded by Polkit authentication, the session creation process itself presents a glaring vulnerability.

CVE-2024-1929: Local Root Exploit via Configuration Dictionary

The first vulnerability, CVE-2024-1929, arises from the ability to influence the libdnf5 configuration via a key/value map passed to the open_session method. Without adequate sanity checking, an attacker can specify paths to malicious plugins, leading to arbitrary code execution with root privileges. Gerstner’s proof of concept illustrates the simplicity of exploiting this vulnerability, emphasizing the need for immediate remediation.

In response, a whitelist of configuration parameters has been implemented, limiting the ability of unprivileged users to override sensitive settings. This measure, encapsulated in upstream commit e51bf2f0d, significantly reduces the attack surface of the dnf5daemon-server.

CVE-2024-1930: Potential Denial-of-Service Attacks

The second vulnerability, CVE-2024-1930, exploits the lack of limits on the number of sessions an unprivileged user can create. By spawning thousands of sessions, an attacker can deplete system resources, rendering the dnf5daemon-server unresponsive or even causing it to crash.

To mitigate this issue, a cap has been placed on the number of sessions each user can initiate, with a maximum of three sessions per user. While this addresses the immediate concern of resource exhaustion, the underlying issue of inefficient thread management remains unaddressed.