The Ubuntu desktop developers have released updates with a new gdm3 package, which fixes a dangerous vulnerability in the GNOME window manager. Combined with either of two bugs in AccountsService, which have also been patched, it allows arbitrary code execution on the system as root. Exploiting the new vulnerabilities requires physical access to the device and a valid account.
The GNOME software implements windowing functions on the computer screen and, among other things, is responsible for displaying the login screen. According to the bulletin, the CVE-2020-16125 vulnerability in GDM is caused by the initial configuration program (gnome-initial-setup) being launched incorrectly when the AccountsService daemon is not available through DBus.
GDM can start the initial configuration if it does not find any accounts on the system. It asks accounts-daemon whether any accounts exist. If this process does not respond, GDM assumes that there are no accounts and runs the gnome-initial-setup utility, through which a new account can be registered with superuser privileges.
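The decision described above is a fail-open check: a query that never got an answer is read as "zero accounts". The following added example (a simplified model, not GDM's code; every type and function name in it is hypothetical) puts that pattern beside a fail-closed version that treats only a successful answer of zero users as grounds for running the initial setup.

```c
#include <stdio.h>

/* Hypothetical outcome of asking accounts-daemon for the user list. */
typedef enum { QUERY_OK, QUERY_TIMEOUT, QUERY_NO_SERVICE } query_status;
typedef enum { SHOW_LOGIN, RUN_INITIAL_SETUP, WAIT_AND_RETRY } greeter_action;

typedef struct {
    query_status status;
    int user_count;            /* meaningful only when status == QUERY_OK */
} account_query;

/* Flawed pattern: a failed query leaves the count at 0, which cannot be
 * told apart from "this machine has no accounts yet". */
greeter_action decide_fail_open(account_query q)
{
    int users = 0;
    if (q.status == QUERY_OK)
        users = q.user_count;
    return users == 0 ? RUN_INITIAL_SETUP : SHOW_LOGIN;
}

/* Hardened pattern: an unanswered query is "unknown", never "empty". */
greeter_action decide_fail_closed(account_query q)
{
    if (q.status != QUERY_OK)
        return WAIT_AND_RETRY;  /* keep the setup tool out of reach */
    return q.user_count == 0 ? RUN_INITIAL_SETUP : SHOW_LOGIN;
}

int main(void)
{
    /* Constructed cases, not captured from a real system. */
    const struct { const char *label; account_query q; } cases[] = {
        { "fresh install, daemon answers 0 users", { QUERY_OK, 0 } },
        { "normal system, daemon answers 2 users", { QUERY_OK, 2 } },
        { "daemon hung, query times out",          { QUERY_TIMEOUT, 0 } },
        { "daemon crashed, service not on the bus", { QUERY_NO_SERVICE, 0 } },
    };
    static const char *names[] = { "login", "initial-setup", "retry" };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-40s fail-open=%-14s fail-closed=%s\n", cases[i].label,
               names[decide_fail_open(cases[i].q)],
               names[decide_fail_closed(cases[i].q)]);
    return 0;
}
```
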
The vulnerability is fixed in GNOME 3.28.3, 3.36.2, and 3.38.2. Corresponding updates are already available for Ubuntu versions 20.10, 20.04 and 18.04.
As it turns out, the CVE-2020-16125 issue can be exploited by forcibly terminating the accounts-daemon process. This daemon, running as root, has two bugs that make it easy to do this.
CVE-2020-16126 is caused by incorrect resetting of privileges (the ruid attribute) while processing some DBus calls; CVE-2020-16127 occurs when processing custom .pam_environment files. In both cases, exploitation can cause accounts-daemon to crash or hang, leading to denial of service (DoS).
These issues affect Ubuntu 20.10, 20.04, 18.04, 16.04 and 14.04 (CVE-2020-16127 is confirmed only in Ubuntu 20.04 LTS and Ubuntu 20.10) and have already been fixed.