CVE-2026-58015
NixOS Análise e mitigação de vulnerabilidades

Visão geral

CVE-2026-58015 is a path traversal vulnerability in GLib's D-Bus client-side implementation of the DBUS_COOKIE_SHA1 SASL authentication mechanism. The flaw allows a malicious D-Bus server to supply a crafted cookie_context parameter containing path traversal sequences, causing the client to read arbitrary files outside the intended ~/.dbus-keyrings/ directory and exfiltrate sensitive data. It affects GNOME GLib versions prior to 2.88.1, as well as Red Hat's glib2 and mingw-glib2 packages across multiple RHEL product lines. The vulnerability was reported on June 24, 2026, and publicly disclosed on June 30, 2026. It carries a CVSS v3.1 base score of 5.9 (Medium) (Github Advisory, Red Hat Bugzilla).

Detalhes técnicos

The root cause is improper input validation (path traversal, related to CWE-22) in glib/gio/gdbusauthmechanismsha1.c, specifically in the keyring_lookup_entry and mechanism_client_data_receive functions. The D-Bus specification explicitly prohibits characters such as /, \, . (period), spaces, and ASCII control characters in cookie context names, but GLib's client-side code accepts the cookie_context value verbatim from the server and uses it to construct a filesystem path via g_build_filename(). A malicious server can supply a value like ../../.target_file, causing the client to open an arbitrary file; the third space-separated token of the first matching line is then incorporated into a SHA1 hash computation and returned to the server as part of the authentication response, allowing the server to verify guessed file contents against the hash and exfiltrate data (Red Hat Bugzilla, Github Advisory).

Impacto

Successful exploitation allows an unauthenticated attacker controlling a malicious D-Bus server to read arbitrary files accessible to the connecting client process, with a high confidentiality impact and no integrity or availability impact. Sensitive files such as credentials, private keys, or configuration data could be exfiltrated by iteratively guessing file contents and verifying them against the SHA1 hash returned during authentication. The attack scope is limited to the client system's file permissions, but any file readable by the user running the D-Bus client is potentially at risk (Red Hat Bugzilla, Github Advisory).

Etapas de exploração

  1. Set up a malicious D-Bus server: The attacker configures a D-Bus server that advertises the DBUS_COOKIE_SHA1 SASL authentication mechanism and is reachable by the target client (e.g., via a network socket or by compromising a local service endpoint).
  2. Lure the client to connect: The attacker causes a GLib-based D-Bus client (running a vulnerable GLib version < 2.88.1) to connect to the malicious server, either through social engineering, DNS poisoning, or by replacing a legitimate D-Bus socket.
  3. Send a crafted cookie_context: During the SASL authentication handshake, the malicious server responds with a cookie_context value containing path traversal sequences (e.g., ../../etc/passwd or ../../home/user/.ssh/id_rsa) instead of a valid context name.
  4. Client reads the target file: The vulnerable GLib client constructs a filesystem path using g_build_filename() with the attacker-supplied cookie_context, opening the traversed file and extracting the third space-separated token from the first matching line.
  5. Exfiltrate data via SHA1 oracle: The client incorporates the extracted file content into a SHA1 hash and sends it back to the server. The attacker iteratively guesses file contents and verifies them against the received hash, progressively reconstructing sensitive file data (Red Hat Bugzilla, Github Advisory).

Indicadores de compromisso

  • Network: Unexpected outbound D-Bus connections (TCP or Unix socket) from client processes to unfamiliar or external endpoints; unusual D-Bus authentication handshakes observed in network traffic.
  • Logs: System or application logs showing D-Bus authentication attempts with malformed or unexpected cookie_context values; repeated failed or unusual SASL DBUS_COOKIE_SHA1 authentication sequences.
  • File System: Access timestamps updated on sensitive files (e.g., /etc/passwd, SSH private keys, credential files) by processes that should not normally read them; unexpected reads of files outside ~/.dbus-keyrings/ by D-Bus client processes.
  • Process: GLib-based applications opening files outside their expected working directories during D-Bus authentication; strace or audit logs showing open()/read() syscalls on sensitive paths from D-Bus client processes (Red Hat Bugzilla).

Mitigação e soluções alternativas

GNOME GLib version 2.88.1 addresses this vulnerability by validating the cookie_context parameter against the D-Bus specification's character restrictions. Red Hat has acknowledged affected glib2 and mingw-glib2 packages across multiple RHEL product lines; users should apply vendor-provided errata as they become available. As interim mitigations, restrict D-Bus server connections to trusted sources, implement network-level controls to prevent connections to untrusted D-Bus services, and monitor for suspicious D-Bus authentication patterns (Github Advisory, Red Hat Bugzilla).

Recursos adicionais


OrigemEste relatório foi gerado usando IA

Relacionado NixOS Vulnerabilidades:

CVE ID

Gravidade

Pontuação

Tecnologias

Nome do componente

Exploração do CISA KEV

Tem correção

Data de publicação

CVE-2026-14241CRITICAL9.8
  • NixOS logoNixOS
  • cpe:2.3:a:mozilla:firefox
NãoNãoJun 30, 2026
CVE-2026-58016CRITICAL9.1
  • NixOS logoNixOS
  • glib2
NãoSimJun 30, 2026
CVE-2026-58014HIGH8.6
  • NixOS logoNixOS
  • glib2
NãoSimJun 30, 2026
CVE-2026-58015HIGH7.5
  • NixOS logoNixOS
  • glib2-fam
NãoSimJun 30, 2026
CVE-2026-58374HIGH7.1
  • NixOS logoNixOS
  • hostapd
NãoNãoJun 30, 2026

Avaliação de vulnerabilidade gratuita

Compare sua postura de segurança na nuvem

Avalie suas práticas de segurança na nuvem em 9 domínios de segurança para comparar seu nível de risco e identificar lacunas em suas defesas.

Solicitar avaliação

Marque uma demonstração personalizada

Pronto para ver a Wiz em ação?

"A melhor experiência do usuário que eu já vi, fornece visibilidade total para cargas de trabalho na nuvem."
David EstlickCISO
"A Wiz fornece um único painel de vidro para ver o que está acontecendo em nossos ambientes de nuvem."
Adão FletcherDiretor de Segurança
"Sabemos que se a Wiz identifica algo como crítico, na verdade é."
Greg PoniatowskiChefe de Gerenciamento de Ameaças e Vulnerabilidades