PT-2020-14761 · Gnome+8 · Gdm3+8
Kevin Backhouse +1 · Published 2020-06-01 · Updated 2024-06-15 · CVE-2020-16125
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
gdm3 versions before 3.36.2 or 3.38.2
Description
The issue allows a local user to potentially create a new privileged account on Ubuntu and its derivatives by exploiting a vulnerability in the GNOME Display Manager (GDM) when it cannot contact the accountservice service via dbus in a timely manner. This can be chained with another issue to achieve privilege escalation. The vulnerability is resolved in GNOME 3.36.2 and 3.38.2.
Recommendations
For gdm3 versions before 3.36.2, update to version 3.36.2 or later.
For gdm3 versions before 3.38.2, update to version 3.38.2 or later.
As a temporary workaround, consider restricting access to the accountservice service via dbus to minimize the risk of exploitation.
Exploit
Fix
Improper Check for Exceptional Conditions
Weakness Enumeration
Related Identifiers
Affected Products
ALT Linux
AlmaLinux
CentOS
Linux Mint
Red Hat
Rocky Linux
SUSE
Ubuntu
gdm3