Zincati Unprivileged D-Bus Access Vulnerability Allowing Unauthorized System Updates

Vulnerability

A vulnerability in Zincati, an auto-update agent for Fedora CoreOS, allows any unprivileged user with access to the system D-Bus socket to deploy updates and finalize deployments, which includes rebooting into the deployed update. This issue arises from a logic error in the polkit rule that governs access to these actions, broadening it to all unprivileged users instead of restricting it to the 'zincati' system user. The vulnerability affects Zincati versions prior to 0.0.30 and primarily impacts users running untrusted workloads with access to the system D-Bus socket.

Impact

Exploitation of this vulnerability allows unauthorized users to deploy and manage system updates, including rolling the host to a previously released Fedora CoreOS version and thereby reintroducing vulnerabilities that were already fixed.

Reproduction

The vulnerability can be reproduced by any unprivileged user with access to the system D-Bus socket. With that access, the user can invoke the 'org.projectatomic.rpmostree1.deploy' action to deploy an update and the 'org.projectatomic.rpmostree1.finalize-deployment' action to reboot into the deployed update.

Remediation

Users can upgrade to Zincati version 0.0.30 or later, where this vulnerability is fixed. Instructions for adding a custom polkit rule to mitigate the issue are also available in the GitHub Security Advisory.
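The following JavaScript is an added illustration of the rule-scoping problem described above and of the custom-rule mitigation; it is not Zincati's rule file and not the actual faulty rule. It models polkit's rule evaluation in-process (polkit rules are JavaScript, but the `polkit` object here is a stand-in), contrasts a constructed over-broad rule with a correctly scoped one, shows an explicit deny rule of the kind an operator could place ahead of the vendor rule, and includes a small audit helper that reports which users a rule chain grants the two rpm-ostree actions to. Only the two action ids come from the advisory; the rule bodies, the probe user names (`nobody`, `core`) and all function names are assumptions.

```javascript
// Added example, not Zincati's own code. Minimal model of polkit rule
// evaluation used to audit how a rule chain scopes the two rpm-ostree actions.

// Stand-in for the objects polkit exposes to rule scripts.
const polkit = {
  Result: { YES: "yes", NO: "no", NOT_HANDLED: "not_handled" },
};

// Action ids named in the advisory.
const UPDATE_ACTIONS = [
  "org.projectatomic.rpmostree1.deploy",
  "org.projectatomic.rpmostree1.finalize-deployment",
];

// Rules are consulted in order; the first one returning a decision wins, and a
// rule that returns undefined or NOT_HANDLED defers to the next one.
function evaluate(rules, actionId, user) {
  const action = { id: actionId };
  const subject = { user };
  for (const rule of rules) {
    const r = rule(action, subject);
    if (r !== undefined && r !== polkit.Result.NOT_HANDLED) return r;
  }
  return polkit.Result.NOT_HANDLED; // polkit would fall back to the action's defaults
}

// Constructed weak rule (hypothetical, not the real one): the user check is
// joined with || instead of &&, so "zincati only" no longer constrains the actions.
function weakRule(action, subject) {
  if (action.id == UPDATE_ACTIONS[0] ||
      action.id == UPDATE_ACTIONS[1] ||
      subject.user == "zincati") {
    return polkit.Result.YES;
  }
}

// Correctly scoped rule: both actions, and only for the zincati service user.
function scopedRule(action, subject) {
  if (UPDATE_ACTIONS.includes(action.id) && subject.user == "zincati") {
    return polkit.Result.YES;
  }
}

// Stop-gap rule placed ahead of the vendor rule: it denies the two actions to
// everyone except zincati and root, so a broader grant later is never reached.
function denyRule(action, subject) {
  if (UPDATE_ACTIONS.includes(action.id) &&
      subject.user != "zincati" && subject.user != "root") {
    return polkit.Result.NO;
  }
}

// Audit helper: list every (action, user) pair the chain grants, for a set of
// constructed probe users.
function auditUpdateGrants(rules, users = ["zincati", "root", "nobody", "core"]) {
  const grants = [];
  for (const actionId of UPDATE_ACTIONS) {
    for (const user of users) {
      if (evaluate(rules, actionId, user) === polkit.Result.YES) {
        grants.push({ actionId, user });
      }
    }
  }
  return grants;
}

// Any grant to a user other than zincati/root is the condition the advisory describes.
function unexpectedGrants(rules) {
  return auditUpdateGrants(rules).filter(
    (g) => g.user !== "zincati" && g.user !== "root"
  );
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("weak rule:", unexpectedGrants([weakRule]));
  console.log("scoped rule:", unexpectedGrants([scopedRule]));
  console.log("deny + weak rule:", unexpectedGrants([denyRule, weakRule]));
}
```

The deny rule is the shape of stop-gap worth keeping in mind for any polkit-gated service account: an explicit `NO` early in the chain holds even if a later vendor rule is broader than intended, whereas a rule that merely returns `NOT_HANDLED` defers to whatever follows.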

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm

  spread          0.0
  impact          0.6
  exploitability  5.7
  remediation     0.0
  relevance       0.0
  threat          4.8
  urgency         2.9
  incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.