The SUSE Security Team has released a detailed report on multiple vulnerabilities in Foomuuri, a popular nftables-based firewall manager for Linux. The flaws left the firewall’s management interface wide open to local attackers, allowing unauthorized users to manipulate network zones and potentially destabilize system security.
The discovery occurred in early December when the team was evaluating Foomuuri for inclusion in the openSUSE Tumbleweed distribution. What they found was a lack of basic security controls in the tool’s D-Bus service.
The most glaring issue, tracked as CVE-2025-67603, was a complete absence of client authorization. Foomuuri’s D-Bus service, which runs with full root privileges, did not perform any authorization check such as Polkit, meaning it would accept commands from anyone on the system.
“During the review we quickly noticed a lack of client authorization and input validation in the implementation of Foomuuri’s D-Bus service,” the report states.
The implications were immediate and concerning. Because no checks were in place, “any local user, including low privilege service user accounts or even nobody, can invoke the D-Bus interface and change the firewall configuration.” While attackers couldn’t rewrite the entire rule set, they could reassign network interfaces to different zones, effectively weakening the firewall or causing a denial of service.
The second major flaw, CVE-2025-67858, involved how the software handled user input. The investigation revealed that the D-Bus methods did not scrutinize parameters, allowing “arbitrary strings” to be passed as interface names.
This lack of validation opened the door to more sophisticated attacks. “One result from this can be log spoofing, since the interface name is passed to logging functions unmodified,” the researchers noted.
More critically, a skilled attacker could potentially manipulate the underlying configuration. “A local attacker could attempt to largely control the JSON configuration passed to nftables, by skillfully embedding additional JSON configuration in the interface parameter,” potentially leading to a loss of integrity for the firewall’s rules.
Following a coordinated disclosure process, the upstream developers moved quickly to plug the holes. Foomuuri version 0.31, released on January 7, 2026, addresses all identified issues.
The update introduces robust Polkit authentication, requiring administrative authorization to change firewall settings. It also adds strict verification for input parameters and applies hardening measures like ProtectSystem=full to the systemd services to prevent privilege escalation.
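The kind of parameter check that closes the CVE-2025-67858 class of bug, as an added example (not Foomuuri's code): the interface name is matched against an allowlist before it reaches a log line or the nftables JSON, and the JSON is serialised from a data structure. The allowlist pattern, the `example_fw` table and the set name are assumptions, and the set name is assumed to come from the daemon's own configuration rather than from the caller.

```python
import json
import re

# Allowlist stricter than the kernel's own rule (which only bans '/', ':',
# whitespace, "." and ".." and caps names at 15 bytes). Assumption made here so
# that quotes, braces and control characters can never reach logs or JSON.
IFNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,15}")


def validate_ifname(value):
    """Return value if it is an acceptable interface name, else raise ValueError."""
    if not isinstance(value, str) or not IFNAME_RE.fullmatch(value):
        raise ValueError("invalid interface name")
    if value in (".", ".."):
        raise ValueError("invalid interface name")
    return value


def build_zone_command(ifname, zone_set):
    """Build the nft JSON by serialising a dict, never by string formatting."""
    cmd = {"nftables": [{"add": {"element": {
        "family": "inet",
        "table": "example_fw",   # hypothetical table name
        "name": zone_set,        # hypothetical set name, from daemon config
        "elem": [validate_ifname(ifname)],
    }}}]}
    return json.dumps(cmd)


def handle_request(ifname, zone_set, log):
    """Validate first; rejected input is logged only as a truncated repr()."""
    try:
        payload = build_zone_command(ifname, zone_set)
    except ValueError:
        shown = repr(ifname)[:64]  # escapes newlines, bounds the length
        log.append("rejected interface parameter " + shown)
        return None
    log.append("interface %s assigned to %s" % (ifname, zone_set))
    return payload


# Constructed sample inputs: an ordinary name, one with an embedded newline
# (the log-spoofing case), and one carrying JSON metacharacters.
SAMPLES = ["eth0", "eth0\nfake log entry", 'x"], "extra": ["y']
```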
Users running Foomuuri are strongly advised to upgrade to version 0.31 immediately to secure their systems against these local threats.