Firewalld D-Bus Mis-Authorization Vulnerability Allowing Unauthorized Firewall State Modifications

Vulnerability

A vulnerability exists in firewalld versions through 2.4.0, where local unprivileged users can exploit mis-authorized D-Bus setters, setZoneSettings2 and setPolicySettings. This flaw allows users to alter the runtime firewall state without proper authentication, leading to unauthorized changes in network security configurations. The issue arises when the firewalld desktop policy is active, enabling local users to modify firewall settings via the mis-authorized D-Bus interfaces.

Impact

Exploitation of this vulnerability allows for unauthorized modifications to the runtime firewall state, potentially leading to incorrect network security configurations.

Reproduction

To reproduce this vulnerability, a local unprivileged user needs access to a system running an affected firewalld version (through 2.4.0) with the desktop policy active. The user can then invoke the mis-authorized D-Bus setters, setZoneSettings2 and setPolicySettings, to change the runtime firewall settings without authentication.

Remediation

To address this vulnerability, deactivate the firewalld desktop policy on systems where local unprivileged user access poses a risk. If firewalld is not needed, it can be disabled, though this may affect network services that rely on it. To disable firewalld, use the commands 'sudo systemctl stop firewalld' followed by 'sudo systemctl disable firewalld'. A system restart or service reload may be necessary for the changes to take effect.
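As an added check that is not part of this advisory, the following Python helper combines the two conditions the advisory names, an affected version and an active desktop policy, into one verdict. It assumes that firewalld authorizes runtime changes under the polkit action id org.fedoraproject.FirewallD1.all and that the desktop variant of the policy sets allow_active to yes for that action; the policy fragments below are constructed for the example, and on a real host the XML would come from the installed firewalld policy file under /usr/share/polkit-1/actions and the version string from `firewall-cmd --version`.

```python
import xml.etree.ElementTree as ET

# Last affected release according to the advisory ("through 2.4.0").
LAST_AFFECTED = (2, 4, 0)

# Polkit action id under which firewalld authorizes runtime changes (assumed
# for this example; compare with the action ids in the policy file on the host).
RUNTIME_ACTION = "org.fedoraproject.FirewallD1.all"

# Constructed polkit policy fragment in the shape of a "desktop" policy:
# any active local session may change the runtime state without a prompt.
DESKTOP_POLICY = """<policyconfig>
  <action id="org.fedoraproject.FirewallD1.all">
    <defaults><allow_any>no</allow_any><allow_inactive>no</allow_inactive>
      <allow_active>yes</allow_active></defaults>
  </action>
</policyconfig>"""

# Constructed "server" variant: runtime changes require admin authentication.
SERVER_POLICY = DESKTOP_POLICY.replace("<allow_active>yes", "<allow_active>auth_admin")


def parse_version(text: str) -> tuple:
    """'2.4.0' or 'firewall-cmd 2.4.0' -> (2, 4, 0); raises if no digits found."""
    parts = []
    for piece in (text.split() or [""])[-1].split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        if not digits:
            break
        parts.append(int(digits))
    if not parts:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(parts)


def version_affected(text: str) -> bool:
    """True for every release up to and including 2.4.0."""
    return parse_version(text) <= LAST_AFFECTED


def desktop_policy_active(policy_xml: str) -> bool:
    """True when the runtime action's allow_active default is 'yes', i.e. the
    desktop policy that lets unprivileged local users reach the D-Bus setters."""
    for action in ET.fromstring(policy_xml).iter("action"):
        if action.get("id") == RUNTIME_ACTION:
            return action.findtext("defaults/allow_active", "").strip() == "yes"
    return False


def exposure(version_text: str, policy_xml: str) -> str:
    if not version_affected(version_text):
        return "not affected: firewalld newer than 2.4.0"
    if not desktop_policy_active(policy_xml):
        return "mitigated: desktop policy not active"
    return "exposed: affected version with desktop policy active"
```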

Added: Mar 27, 2026, 6:18 AM
Updated: Mar 27, 2026, 6:18 AM

Vulnerability Rating

Custom Algorithm
spread: 6.6
impact: 2.5
exploitability: 3.2
remediation: 8.3
relevance: 4.8
threat: 1.6
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.