CVE-2023-34969
First published: Wed Jun 07 2023(Updated: )
An assertion failure in dbus-daemon when a privileged Monitoring connection (dbus-monitor, busctl monitor, gdbus monitor or similar) is active, and a message from the bus driver cannot be delivered to a client connection due to <deny> rules or outgoing message quota. This is a denial of service if triggered maliciously by a local attacker In other words, if a privileged user with control over the dbus-daemon is using the org.freedesktop.DBus.Monitoring interface to monitor message bus traffic, then an unprivileged user with the ability to connect to the same dbus-daemon can cause a dbus-daemon crash under some circumstances. Vulnerable versions: 1.15.x before 1.15.6 1.14.x before 1.14.8 1.12.x before 1.12.28 most end-of-life versions since 1.9.x Fixed versions: all since 1.15.6 1.14.x since 1.14.8 1.12.x since 1.12.28 Not vulnerable: end-of-life versions 1.8.x or older do not contain the affected code path. <a href="https://gitlab.freedesktop.org/dbus/dbus/-/issues/457">https://gitlab.freedesktop.org/dbus/dbus/-/issues/457</a> <a href="https://www.mail-archive.com/debian-bugs-dist@lists.debian.org/msg1908636.html">https://www.mail-archive.com/debian-bugs-dist@lists.debian.org/msg1908636.html</a>
Credit: cve@mitre.org cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Freedesktop Dbus | >=1.12.0<1.12.28 | |
| Freedesktop Dbus | >=1.14.0<1.14.8 | |
| Freedesktop Dbus | >=1.15.0<1.15.6 | |
| Fedoraproject Fedora | =38 | |
| Debian Debian Linux | =10.0 | |
| D-bus Project D-bus | >=1.12.0<1.12.28 | |
| D-bus Project D-bus | >=1.14.0<1.14.8 | |
| D-bus Project D-bus | >=1.15.0<1.15.6 | |
| redhat/dbus | <1.15.6 | 1.15.6 |
| redhat/dbus | <1.14.8 | 1.14.8 |
| redhat/dbus | <1.12.28 | 1.12.28 |
| debian/dbus | <=1.12.20-0+deb10u1<=1.12.24-0+deb11u1 | 1.12.28-0+deb10u1 1.12.28-0+deb11u1 1.14.10-1~deb12u1 1.14.10-4 |
| ubuntu/dbus | <1.10.6-1ubuntu3.6+ | 1.10.6-1ubuntu3.6+ |
| ubuntu/dbus | <1.12.28<1.14.8<1.15.6 | 1.12.28 1.14.8 1.15.6 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://gitlab.freedesktop.org/dbus/dbus/-/issues/457
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BZYCDRMD7B4XO4HF6C6YTLH4YUD7TANP/
- https://lists.debian.org/debian-lts-announce/2023/10/msg00033.html
- https://security.netapp.com/advisory/ntap-20231208-0007/
- https://launchpad.net/bugs/cve/CVE-2023-34969
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BZYCDRMD7B4XO4HF6C6YTLH4YUD7TANP/
- https://www.mail-archive.com/debian-bugs-dist@lists.debian.org/msg1908636.html
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2213396
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2213397
- https://access.redhat.com/errata/RHSA-2023:4498
- https://access.redhat.com/errata/RHSA-2023:4569
- https://access.redhat.com/errata/RHSA-2023:5193
- https://bugzilla.redhat.com/show_bug.cgi?id=2213166
- https://security-tracker.debian.org/tracker/CVE-2023-34969
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-34969
- https://ubuntu.com/security/notices/USN-6372-1
- https://nvd.nist.gov/vuln/detail/CVE-2023-34969
- https://gitlab.freedesktop.org/dbus/dbus/-/merge_requests/408
- https://ubuntu.com/security/CVE-2023-34969
Frequently Asked Questions
What is CVE-2023-34969?
CVE-2023-34969 is a vulnerability in D-Bus that allows unprivileged users to crash dbus-daemon when a privileged user with control over the dbus-daemon is monitoring message bus traffic.
How does CVE-2023-34969 affect D-Bus?
CVE-2023-34969 affects D-Bus versions prior to 1.15.6, 1.14.8, and 1.12.28 on Red Hat systems, and versions prior to 1.10.6-1ubuntu3.6+ on Ubuntu systems.
What is the severity of CVE-2023-34969?
CVE-2023-34969 has a severity rating of medium.
How can I fix CVE-2023-34969?
To fix CVE-2023-34969, update D-Bus to version 1.15.6 or the recommended versions specific to your operating system.
Where can I find more information about CVE-2023-34969?
You can find more information about CVE-2023-34969 on the MITRE CVE website, Ubuntu Security Notices, and the NIST NVD website.
- collector/nvd-index
- agent/type
- agent/first-publish-date
- collector/launchpad-cve
- source/Launchpad
- agent/remedy
- agent/weakness
- agent/references
- agent/author
- agent/severity
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- collector/usn-cve
- source/Ubuntu
- collector/security-tracker-debian
- source/Debian
- collector/nvd-cve
- agent/softwarecombine
- agent/tags
- agent/event
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2023-34969
- agent/last-modified-date
- collector/mitre-cve
- source/MITRE
- vendor/d-bus project
- canonical/d-bus project d-bus
- version/d-bus project d-bus/1.12.0
- version/d-bus project d-bus/1.14.0
- version/d-bus project d-bus/1.15.0
- vendor/freedesktop
- canonical/freedesktop dbus
- version/freedesktop dbus/1.12.0
- version/freedesktop dbus/1.14.0
- version/freedesktop dbus/1.15.0
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/38
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/10.0
- package-manager/ubuntu
- package-manager/debian
- package-manager/redhat