CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.


GHSA-XRW6-GWF8-VVR9: Signal Spoofing and Resource Exhaustion in Tmds.DBus

Amit Schendel
Senior Security Researcher

Apr 9, 2026

No Known Exploit

Executive Summary (TL;DR)

Tmds.DBus and Tmds.DBus.Protocol are vulnerable to D-Bus signal spoofing and file descriptor exhaustion. Attackers with local D-Bus access can forge signals or crash applications by exhausting file handles. The maintainers have fixed these issues in versions 0.21.3 and 0.92.0.

The GHSA-XRW6-GWF8-VVR9 vulnerability identifies multiple high-severity flaws in the Tmds.DBus and Tmds.DBus.Protocol .NET libraries. These components fail to properly authenticate the sender of D-Bus signals and mishandle file descriptor lifecycle operations during message parsing. A local unprivileged attacker connected to the D-Bus system or session bus can exploit these issues to execute denial-of-service attacks or manipulate application logic via spoofed signals.

Vulnerability Overview

The GHSA-XRW6-GWF8-VVR9 vulnerability affects the Tmds.DBus and Tmds.DBus.Protocol .NET libraries. These components implement D-Bus client and server protocols for Inter-Process Communication (IPC) on Linux systems. The vulnerability encompasses three distinct attack vectors: signal spoofing, file descriptor exhaustion, and denial of service via malformed message structures.

Applications utilizing vulnerable versions of these libraries lack sufficient validation for incoming D-Bus messages. A local attacker connected to the same D-Bus message bus can exploit these deficiencies to forge signals, consume process resources, or crash the target application. This represents a significant risk for system disruption or application manipulation depending on the affected service's role.

The CVSS base score of 7.1 reflects the high availability and integrity impacts. An attacker requires prior access to the D-Bus system or session bus, placing the attack vector strictly in the local or adjacent network domains. Remediation requires patching the affected libraries to the latest stable releases.

Root Cause Analysis

The root cause spans multiple improper handling mechanisms within the D-Bus message parsing and routing lifecycle. The first weakness, signal spoofing (CWE-345), occurs because the library does not verify the sender's unique D-Bus name against the claimed well-known name. A malicious peer can emit a signal claiming to originate from a privileged service without the library validating the assertion via the bus's name owner database.

The second weakness involves file descriptor exhaustion (CWE-400). The D-Bus protocol supports passing file descriptors between processes using SCM_RIGHTS ancillary data over Unix domain sockets. The Tmds.DBus implementation failed to guarantee the closure of these file descriptors when message deserialization failed or when malicious messages were intentionally discarded.

The final weakness relates to improper input validation (CWE-20) during message parsing. The library lacked strict upper bounds on message sizes, header lengths, and the maximum depth of nested variants. An attacker can craft deeply nested or excessively large D-Bus messages that consume extensive CPU and memory resources during deserialization, resulting in application crashes.

Code Analysis

The mitigation strategy implemented by the maintainers spans several commits addressing the distinct vulnerability classes. To resolve the signal spoofing issue (commits fb41b95 and b429873), the library now integrates explicit checks against the name owner database. The incoming signal's sender is actively verified to ensure the unique name matches the registered owner of the well-known name.

File descriptor leaks were addressed in commit 49504a3 by enforcing strict lifecycle management. The patch introduces try-finally blocks during message ingestion. If a message is malformed or explicitly rejected, any attached file descriptors are immediately closed via robust cleanup routines, preventing the gradual exhaustion of the process limit.

// Conceptual representation of the file descriptor cleanup implementation
public void ProcessIncomingMessage(Message msg) 
{
    try 
    {
        // Attempt to parse and route the message
        ParseAndRoute(msg);
    }
    finally 
    {
        // Ensure all attached file descriptors are closed if routing fails
        // or if the message is deemed malicious/unauthorized
        if (msg.HasFileDescriptors && !msg.IsFullyProcessed) 
        {
            msg.CloseAttachedFileDescriptors();
        }
    }
}

Denial of service via malformed inputs was mitigated through multiple commits (0c84f88, 381c817, d408e01, ed3e9a7). These changes introduce hard constraints on parsing operations. The library now limits maximum message sizes, restricts header lengths, and caps the recursion depth for nested D-Bus variants, effectively nullifying resource consumption attacks.
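
The kind of bound described above can be applied to the 16-byte fixed D-Bus header before any buffer is sized from its length fields. This is an added example, not code from Tmds.DBus or its patches; the class and method names are hypothetical, and the limits are the D-Bus specification's maximums (128 MiB per message, 64 MiB per array), not values taken from the library.

```csharp
using System;
using System.Buffers.Binary;

// Added illustration, not Tmds.DBus code. Limits are the D-Bus specification's.
public static class DBusHeaderGuard
{
    public const long MaxMessageBytes = 1L << 27;     // 128 MiB for header + padding + body
    public const long MaxFieldArrayBytes = 1L << 26;  // 64 MiB for any array, header fields included
    private const int FixedHeaderBytes = 16;

    // Checks the 16-byte fixed header before any buffer is sized from its length fields.
    public static bool TryCheck(ReadOnlySpan<byte> h, out long totalBytes, out string error)
    {
        totalBytes = 0;
        error = "";
        if (h.Length < FixedHeaderBytes) { error = "short header"; return false; }
        bool little = h[0] == (byte)'l';
        if (!little && h[0] != (byte)'B') { error = "bad endianness flag"; return false; }
        if (h[1] == 0) { error = "invalid message type"; return false; }
        if (h[3] != 1) { error = "unsupported protocol version"; return false; }

        uint body = ReadU32(h.Slice(4, 4), little);
        uint serial = ReadU32(h.Slice(8, 4), little);
        uint fields = ReadU32(h.Slice(12, 4), little);
        if (serial == 0) { error = "zero serial"; return false; }
        if (fields > MaxFieldArrayBytes) { error = "header field array too long"; return false; }

        // The header is padded to 8 bytes before the body; long arithmetic cannot wrap here.
        long header = (FixedHeaderBytes + (long)fields + 7) & ~7L;
        totalBytes = header + body;
        if (totalBytes > MaxMessageBytes) { error = "message too large"; return false; }
        return true;
    }

    private static uint ReadU32(ReadOnlySpan<byte> b, bool little) =>
        little ? BinaryPrimitives.ReadUInt32LittleEndian(b) : BinaryPrimitives.ReadUInt32BigEndian(b);

    public static void Main()
    {
        // Constructed headers: little-endian signal, serial 1, 8 bytes of header fields.
        byte[] oversized = { (byte)'l', 4, 0, 1, 0xFF, 0xFF, 0xFF, 0xFF, 1, 0, 0, 0, 8, 0, 0, 0 };
        byte[] ordinary = { (byte)'l', 4, 0, 1, 0x20, 0, 0, 0, 1, 0, 0, 0, 8, 0, 0, 0 };
        foreach (var header in new[] { oversized, ordinary })
        {
            bool ok = TryCheck(header, out long total, out string error);
            Console.WriteLine(ok ? $"accept, {total} bytes" : $"reject: {error}");
        }
    }
}
```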

Exploitation Mechanics

Exploitation of these vulnerabilities requires the attacker to possess an active connection to the same D-Bus instance as the target application. This typically dictates local execution access on the host system. No public proof-of-concept exploits exist, classifying the exploit maturity as none.

To exploit the signal spoofing vulnerability, an attacker constructs a D-Bus signal specifying a well-known name belonging to a different service. The attacker transmits this signal over the bus. The vulnerable application receives the signal, trusts the unverified well-known name, and executes its associated callback logic based on the forged data.

To exploit the file descriptor exhaustion vulnerability, the attacker repeatedly sends malformed D-Bus messages containing attached file descriptors via SCM_RIGHTS. The vulnerable application rejects the messages due to parsing errors but fails to close the descriptors. The kernel eventually enforces the RLIMIT_NOFILE limit, preventing the application from opening new files or network connections and resulting in a denial of service.

Impact Assessment

The successful exploitation of these vulnerabilities yields dual impacts: loss of availability and loss of integrity. The denial of service vectors directly compromise availability. Application crashes and resource exhaustion prevent the target service from fulfilling its intended function, which is critical for daemons managing system state or hardware components.

The signal spoofing vector facilitates logic manipulation and integrity compromise. By forging signals, an attacker can coerce the target application into performing unauthorized actions, updating internal state based on false premises, or bypassing intended access controls. This can result in broader system compromise depending on the privileges and responsibilities of the vulnerable service.

The cumulative effect is a CVSS v3.1 base score of 7.1. While the attack complexity is relatively low, the prerequisite of local D-Bus access restricts the overall severity. The vulnerabilities pose the highest risk in multi-tenant environments or systems where untrusted processes share access to a central system bus.

Remediation and Mitigation

The definitive remediation for these vulnerabilities is upgrading the affected libraries. Developers must update Tmds.DBus to version 0.21.3 or higher. Projects utilizing Tmds.DBus.Protocol must be updated to version 0.92.0 or higher.

In environments where immediate patching is unfeasible, administrators should monitor system logs for indicators of resource exhaustion. File descriptor exhaustion typically manifests as "Too many open files" or EMFILE errors within application or system logs. Auditing D-Bus traffic for anomalous signal broadcasts can also aid in detecting active spoofing attempts.
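
A descriptor-headroom check can surface a leak before the process reaches EMFILE. This is an added example, not part of Tmds.DBus; it is Linux-only, reads procfs for a PID given as the first argument (default: the current process), and the 80% warning threshold is an assumption.

```csharp
using System;
using System.IO;
using System.Linq;

// Added illustration, not part of Tmds.DBus. Linux only: reads procfs.
public static class FdHeadroom
{
    // Extracts the soft "Max open files" limit from the text of /proc/<pid>/limits.
    // Returns null when the line is missing or the limit is "unlimited".
    public static long? ParseSoftLimit(string limitsText)
    {
        foreach (var line in limitsText.Split('\n'))
        {
            if (!line.StartsWith("Max open files", StringComparison.Ordinal)) continue;
            // Columns: Max, open, files, <soft>, <hard>, <units>
            var cols = line.Split(' ', StringSplitOptions.RemoveEmptyEntries);
            if (cols.Length > 3 && long.TryParse(cols[3], out long soft)) return soft;
            return null;
        }
        return null;
    }

    // Number of descriptors currently open in the given process.
    public static int CountOpen(string pid) =>
        Directory.EnumerateFileSystemEntries($"/proc/{pid}/fd").Count();

    // True once usage has crossed the given fraction of the soft limit.
    public static bool IsNearLimit(int open, long softLimit, double threshold = 0.8) =>
        open >= softLimit * threshold;

    public static void Main(string[] args)
    {
        string pid = args.Length > 0 ? args[0] : "self";
        long? limit = ParseSoftLimit(File.ReadAllText($"/proc/{pid}/limits"));
        int open = CountOpen(pid);
        string shown = limit.HasValue ? limit.Value.ToString() : "unlimited";

        if (limit.HasValue && IsNearLimit(open, limit.Value))
            Console.Error.WriteLine($"WARN pid={pid} open_fds={open} soft_limit={shown}");
        else
            Console.WriteLine($"pid={pid} open_fds={open} soft_limit={shown}");
    }
}
```

Run periodically against the service's PID; a count that climbs steadily while the service is idle is the leak pattern described above.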

Developers utilizing D-Bus libraries should adopt defensive programming practices. Applications should explicitly filter incoming signals by sender identity using the Sender field provided by the D-Bus daemon. Relying solely on interface or member names for authentication remains an unsafe pattern, even when underlying library vulnerabilities are patched.
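
The sender check described here, and the name-owner verification discussed under Root Cause Analysis, can be sketched as follows. This is an added example, not the Tmds.DBus API or its patch: `Signal` and `NameOwnerTable` are hypothetical types, and the service name and unique names are constructed values.

```csharp
using System;
using System.Collections.Generic;

// Added illustration. Signal and NameOwnerTable are hypothetical, not the Tmds.DBus API.
public sealed record Signal(string Sender, string Interface, string Member, string[] Args);

public sealed class NameOwnerTable
{
    private const string Bus = "org.freedesktop.DBus";
    private readonly Dictionary<string, string> _owners = new(StringComparer.Ordinal);

    // Seed with the reply to org.freedesktop.DBus.GetNameOwner(wellKnownName).
    public void Seed(string wellKnownName, string uniqueName) => _owners[wellKnownName] = uniqueName;

    // Apply NameOwnerChanged(name, old_owner, new_owner), accepted only from the bus itself.
    public void Apply(Signal s)
    {
        if (s.Sender != Bus || s.Interface != Bus || s.Member != "NameOwnerChanged") return;
        if (s.Args.Length != 3) return;
        if (s.Args[2].Length == 0) _owners.Remove(s.Args[0]);   // name released
        else _owners[s.Args[0]] = s.Args[2];                    // name acquired or moved
    }

    // Accept a signal only when its bus-assigned sender (a unique name, starting with ':')
    // is the current owner of the well-known name the application subscribed to.
    public bool IsFrom(string wellKnownName, Signal s) =>
        s.Sender.StartsWith(':') &&
        _owners.TryGetValue(wellKnownName, out var owner) &&
        string.Equals(owner, s.Sender, StringComparison.Ordinal);
}

public static class Demo
{
    private const string Service = "org.example.PowerManager";   // constructed name

    public static void Main()
    {
        var table = new NameOwnerTable();
        table.Seed(Service, ":1.42");

        var genuine = new Signal(":1.42", Service, "Suspending", Array.Empty<string>());
        var forged = new Signal(":1.99", Service, "Suspending", Array.Empty<string>());
        Console.WriteLine($"owner's signal accepted: {table.IsFrom(Service, genuine)}");
        Console.WriteLine($"other peer's signal accepted: {table.IsFrom(Service, forged)}");

        // The service restarts under a new unique name; the previous one is no longer trusted.
        table.Apply(new Signal("org.freedesktop.DBus", "org.freedesktop.DBus", "NameOwnerChanged",
            new[] { Service, ":1.42", ":1.57" }));
        Console.WriteLine($"stale owner accepted after restart: {table.IsFrom(Service, genuine)}");
    }
}
```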

Official Patches

  • tmds: Tmds.DBus Release 0.21.3
  • tmds: Tmds.DBus.Protocol Release 0.92.0

Technical Appendix

CVSS Score
7.1 / 10
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Affected Systems

  • .NET applications implementing D-Bus clients
  • .NET applications implementing D-Bus servers
  • Systems relying on Tmds.DBus for Inter-Process Communication (IPC)

Affected Versions Detail

Product (vendor) | Affected Versions | Fixed Version
Tmds.DBus (tmds) | < 0.21.3 | 0.21.3
Tmds.DBus.Protocol (tmds) | < 0.92.0 | 0.92.0

Attribute | Detail
Primary CWE IDs | CWE-345, CWE-400, CWE-20
Attack Vector | Local / Adjacent (D-Bus)
CVSS Score | 7.1 (High)
Impact | Denial of Service, Integrity Compromise
Exploit Maturity | None (No public PoC)
CISA KEV Status | Not Listed

MITRE ATT&CK Mapping

  • T1557 Adversary-in-the-Middle (Credential Access, Collection)
  • T1499 Endpoint Denial of Service (Impact)

CWE-345: Insufficient Verification of Data Authenticity

Insufficient Verification of Data Authenticity and Uncontrolled Resource Consumption

Vulnerability Timeline

  • 2024-04-08: Vulnerability disclosed and GitHub Advisory published
  • 2024-04-08: Patches released in versions 0.21.3 and 0.92.0

