fkie_cve-2025-27512
Vulnerability from fkie_nvd
Published
2025-03-17 15:15
Modified
2025-03-17 15:15
Severity ?
Summary
Zincati is an auto-update agent for Fedora CoreOS hosts. Zincati ships a polkit rule which allows the `zincati` system user to use the actions `org.projectatomic.rpmostree1.deploy` to deploy updates to the system and `org.projectatomic.rpmostree1.finalize-deployment` to reboot the system into the deployed update. Since Zincati v0.0.24, this polkit rule contains a logic error which broadens access of those polkit actions to any unprivileged user rather than just the `zincati` system user. In practice, this means that any unprivileged user with access to the system D-Bus socket is able to deploy older Fedora CoreOS versions (which may have other known vulnerabilities). Note that rpm-ostree enforces that the selected version must be from the same branch the system is currently on so this cannot directly be used to deploy an attacker-controlled update payload. This primarily impacts users running untrusted workloads with access to the system D-Bus socket. Note that in general, untrusted workloads should not be given this access, whether containerized or not. By default, containers do not have access to the system D-Bus socket. The logic error is fixed in Zincati v0.0.30. A workaround is to manually add a following polkit rule, instructions for which are available in the GitHub Security Advisory.
References
Impacted products
| Vendor | Product | Version |
|---|
{
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Zincati is an auto-update agent for Fedora CoreOS hosts. Zincati ships a polkit rule which allows the `zincati` system user to use the actions `org.projectatomic.rpmostree1.deploy` to deploy updates to the system and `org.projectatomic.rpmostree1.finalize-deployment` to reboot the system into the deployed update. Since Zincati v0.0.24, this polkit rule contains a logic error which broadens access of those polkit actions to any unprivileged user rather than just the `zincati` system user. In practice, this means that any unprivileged user with access to the system D-Bus socket is able to deploy older Fedora CoreOS versions (which may have other known vulnerabilities). Note that rpm-ostree enforces that the selected version must be from the same branch the system is currently on so this cannot directly be used to deploy an attacker-controlled update payload. This primarily impacts users running untrusted workloads with access to the system D-Bus socket. Note that in general, untrusted workloads should not be given this access, whether containerized or not. By default, containers do not have access to the system D-Bus socket. The logic error is fixed in Zincati v0.0.30. A workaround is to manually add a following polkit rule, instructions for which are available in the GitHub Security Advisory."
},
{
"lang": "es",
"value": "Zincati es un agente de actualizaci\u00f3n autom\u00e1tica para hosts Fedora CoreOS. Zincati incluye una regla de polkit que permite al usuario del sistema `zincati` usar las acciones `org.projectatomic.rpmostree1.deploy` para implementar actualizaciones en el sistema y `org.projectatomic.rpmostree1.finalize-deployment` para reiniciar el sistema con la actualizaci\u00f3n implementada. Desde Zincati v0.0.24, esta regla de polkit contiene un error l\u00f3gico que ampl\u00eda el acceso a estas acciones de polkit a cualquier usuario sin privilegios, en lugar de solo al usuario del sistema `zincati`. En la pr\u00e1ctica, esto significa que cualquier usuario sin privilegios con acceso al socket D-Bus del sistema puede implementar versiones anteriores de Fedora CoreOS (que pueden tener otras vulnerabilidades conocidas). Tenga en cuenta que rpm-ostree exige que la versi\u00f3n seleccionada sea de la misma rama en la que se encuentra el sistema, por lo que no se puede usar directamente para implementar un payload de actualizaci\u00f3n controlado por un atacante. Esto afecta principalmente a los usuarios que ejecutan cargas de trabajo no confiables con acceso al socket D-Bus del sistema. Tenga en cuenta que, en general, no se debe otorgar este acceso a las cargas de trabajo no confiables, est\u00e9n o no en contenedores. De forma predeterminada, los contenedores no tienen acceso al socket D-Bus del sistema. El error l\u00f3gico se corrigi\u00f3 en Zincati v0.0.30. Un workaround es agregar manualmente la siguiente regla de polkit, cuyas instrucciones est\u00e1n disponibles en GitHub Security Advisory."
}
],
"id": "CVE-2025-27512",
"lastModified": "2025-03-17T15:15:44.557",
"metrics": {
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "LOCAL",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 2.1,
"baseSeverity": "LOW",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "UNREPORTED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2025-03-17T15:15:44.557",
"references": [
{
"source": "security-advisories@github.com",
"url": "https://github.com/coreos/zincati/commit/01d8e89f799e6ba21bdf7dc668abce23bd0d8f78"
},
{
"source": "security-advisories@github.com",
"url": "https://github.com/coreos/zincati/commit/28a43aa2c1edda091ba659677d73c13e6e3ea99d"
},
{
"source": "security-advisories@github.com",
"url": "https://github.com/coreos/zincati/releases/tag/v0.0.24"
},
{
"source": "security-advisories@github.com",
"url": "https://github.com/coreos/zincati/releases/tag/v0.0.30"
},
{
"source": "security-advisories@github.com",
"url": "https://github.com/coreos/zincati/security/advisories/GHSA-w6fv-6gcc-x825"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Awaiting Analysis",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-783"
},
{
"lang": "en",
"value": "CWE-863"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…