<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Tmds.DBus - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/tmds.dbus/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 31 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/tmds.dbus/feed.xml" rel="self" type="application/rss+xml"/><item><title>Tmds.DBus Vulnerability: Signal Spoofing and Denial of Service</title><link>https://feed.craftedsignal.io/briefs/2024-01-tmds-dbus-spoofing-dos/</link><pubDate>Wed, 31 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-tmds-dbus-spoofing-dos/</guid><description>Tmds.DBus and Tmds.DBus.Protocol libraries are vulnerable to signal spoofing, resource exhaustion, and denial-of-service attacks by malicious D-Bus peers, allowing impersonation, resource depletion via excessive file descriptors, and application crashes via malformed messages.</description><content:encoded><![CDATA[<p>The Tmds.DBus and Tmds.DBus.Protocol libraries, utilized in .NET applications for inter-process communication, are susceptible to attacks from malicious D-Bus peers within the same bus. This vulnerability allows an attacker to spoof signals by impersonating the owner of a well-known name, potentially leading to unauthorized actions or information disclosure. Additionally, attackers can exhaust system resources by flooding the target with messages containing an excessive number of Unix file descriptors, or trigger application crashes by transmitting malformed message bodies that cause unhandled exceptions. These vulnerabilities affect versions prior to 0.92.0 of Tmds.DBus and versions prior to 0.21.3 (or between 0.22.0 and 0.92.0) of Tmds.DBus.Protocol, posing a significant risk to applications relying on these libraries for secure and reliable communication. Defenders should prioritize upgrading to the patched versions to mitigate these risks.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Access:</strong> A malicious actor gains access to the same D-Bus instance as the target application. This could be achieved through compromising a separate process on the same system.</li>
<li><strong>Name Enumeration:</strong> The attacker enumerates available well-known names on the D-Bus to identify potential targets for impersonation.</li>
<li><strong>Signal Spoofing:</strong> The attacker crafts a D-Bus message that spoofs a signal originating from the owner of a well-known name, taking advantage of the vulnerability in Tmds.DBus to bypass authentication.</li>
<li><strong>Resource Exhaustion:</strong> The attacker sends a series of D-Bus messages to the target application, each containing a large number of Unix file descriptors.</li>
<li><strong>File Descriptor Spillover:</strong> The target application attempts to process the messages, leading to an excessive consumption of file descriptors.</li>
<li><strong>Denial of Service (Resource):</strong> The exhaustion of file descriptors prevents the target application from handling legitimate requests, leading to a denial-of-service condition.</li>
<li><strong>Application Crash:</strong> Alternatively, the attacker sends a D-Bus message with a malformed message body specifically crafted to trigger an unhandled exception in the target application's SynchronizationContext.</li>
<li><strong>Denial of Service (Crash):</strong> The unhandled exception causes the target application to crash, resulting in a denial-of-service condition.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation can lead to a range of consequences, including unauthorized actions performed under the guise of a legitimate service, resource exhaustion causing system instability, and application crashes leading to service outages. The number of victims depends on the number of applications utilizing vulnerable versions of Tmds.DBus and Tmds.DBus.Protocol on a shared D-Bus instance. The impact is particularly severe in environments where D-Bus is used for critical inter-process communication, such as system services and desktop environments.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade Tmds.DBus to version 0.92.0 or later to address the signal spoofing, resource exhaustion, and denial-of-service vulnerabilities.</li>
<li>Upgrade Tmds.DBus.Protocol to version 0.21.3 or later or version 0.92.0 or later to address the signal spoofing, resource exhaustion, and denial-of-service vulnerabilities.</li>
<li>Monitor D-Bus traffic for suspicious messages containing an unusually large number of Unix file descriptors using a network monitoring tool with visibility into D-Bus protocols. Consider developing a custom rule for this.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>dbus</category><category>denial-of-service</category><category>spoofing</category></item></channel></rss>