Roy Marples · Dhcpcd · CVE-2020-15238
Name of the Vulnerable Software and Affected Versions:
Blueman versions prior to 2.1.4
Description:
The issue is related to an argument injection vulnerability in the DhcpClient method of the D-Bus interface to blueman-mechanism. This vulnerability can be exploited depending on the system configuration. If Polkit-1 is disabled and for versions lower than 2.0.6, any local user can possibly exploit this. If Polkit-1 is enabled for version 2.0.6 and later, a possible attacker needs to be allowed to use the `org.blueman.dhcp.client` action. On systems with ISC DHCP client, attackers can pass arguments to `ip link` with the interface name, potentially bringing down an interface or adding an arbitrary XDP/BPF program. On systems with dhcpcd and without ISC DHCP client, attackers can even run arbitrary scripts by passing `-c/path/to/script` as an interface name.
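The defensive counterpart to the argument injection described above, as an added example (not Blueman's code and not the fix shipped in 2.1.4): a privileged helper validates the caller-supplied interface name before it becomes part of a command line. The allow-list pattern, the function names, the `ip link set dev` base command and the sample interface set are assumptions made for illustration.

```python
import re

# Conservative allow-list (an assumption of this example): 1-15 characters,
# alphanumeric first character, so the value can never start with "-" and be
# parsed as an option such as "-c/path/to/script".
_IFNAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.:-]{0,14}")


class InvalidInterface(ValueError):
    """Raised when a caller-supplied interface name is rejected."""


def validate_ifname(name, known_interfaces):
    """Return name unchanged if it is well formed and currently exists."""
    if not isinstance(name, str) or not _IFNAME_RE.fullmatch(name):
        raise InvalidInterface("malformed interface name: %r" % (name,))
    if name not in known_interfaces:
        raise InvalidInterface("unknown interface: %r" % (name,))
    return name


def build_argv(base_argv, name, known_interfaces):
    """Append the validated name as one argv element (no shell, no split)."""
    return list(base_argv) + [validate_ifname(name, known_interfaces)]


def is_accepted(name, known_interfaces):
    """Boolean wrapper around validate_ifname for callers and tests."""
    try:
        validate_ifname(name, known_interfaces)
        return True
    except InvalidInterface:
        return False


if __name__ == "__main__":
    # Constructed sample data; a real service would read the live list,
    # for example from os.listdir("/sys/class/net").
    known = {"lo", "bnep0"}
    print(build_argv(["ip", "link", "set", "dev"], "bnep0", known))
    for bad in ["-c/path/to/script", "bnep0 down", "bnep0\n", "", "eth1"]:
        print(repr(bad), "accepted" if is_accepted(bad, known) else "rejected")
```

Checking the name against the set of existing interfaces is the stronger of the two tests; the pattern check alone would still accept any well-formed string.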
Recommendations:
For versions prior to 2.1.4, update to version 2.1.4 or later to resolve the issue.
As a temporary workaround, make sure that Polkit-1 support is enabled and, in `/usr/share/polkit-1/rules.d/blueman.rules`, limit privileges for the `org.blueman.dhcp.client` action to users that are able to run arbitrary commands as root anyway.