CVE-2024-34397 Overview
CVE-2024-34397 is a D-Bus signal spoofing vulnerability in GNOME GLib that allows local users on shared computers to send spoofed D-Bus signals to GDBus-based client applications. When a GDBus-based client subscribes to signals from a trusted system service such as NetworkManager, other users on the same computer can inject malicious signals that the client will incorrectly interpret as originating from the trusted service. This authentication bypass vulnerability could lead to application-dependent impacts ranging from incorrect behavior to potential security policy violations.
Critical Impact
Local attackers on shared systems can spoof trusted D-Bus signals, potentially manipulating applications that rely on system services like NetworkManager for security-critical decisions.
Affected Products
- GNOME GLib versions before 2.78.5
- GNOME GLib versions 2.79.x and 2.80.x before 2.80.1
- Debian Linux 10.0
- Fedora 39 and 40
- NetApp ONTAP Tools 10 for VMware vSphere
Discovery Timeline
- 2024-05-07 - CVE-2024-34397 published to NVD
- 2025-11-04 - Last updated in NVD database
Technical Details for CVE-2024-34397
Vulnerability Analysis
This vulnerability exists in GNOME GLib's GDBus implementation, which provides a high-level API for D-Bus communication on Linux systems. The core issue stems from inadequate sender validation when GDBus-based clients subscribe to signals from system services. D-Bus is a message bus system that allows applications to communicate with each other and with system services. When an application subscribes to signals from a trusted service like NetworkManager, it expects those signals to originate exclusively from that service.
However, the vulnerable GLib versions fail to properly verify the sender of incoming D-Bus signals. On multi-user systems, any local user can craft and send D-Bus messages that appear to originate from trusted system services. The GDBus client will accept these spoofed signals and process them as if they came from the legitimate service, potentially triggering security-sensitive actions or altering application state.
The impact is application-dependent—applications that make security decisions based on D-Bus signals (such as network state changes, authentication events, or policy updates) are particularly at risk. An attacker could potentially manipulate an application into performing unauthorized actions or bypassing security checks.
Root Cause
The root cause is classified as CWE-290 (Authentication Bypass by Spoofing). The GDBus signal subscription mechanism does not adequately validate that incoming signals actually originate from the expected sender. While D-Bus has mechanisms to identify message senders, the GLib implementation did not enforce proper sender verification for signal subscriptions, allowing any local user to forge signals that appear to come from trusted services.
Attack Vector
The attack requires physical or local access to a shared computer system. An attacker with a local user account on a multi-user Linux system can exploit this vulnerability by:
- Identifying applications that use GDBus to subscribe to signals from trusted system services
- Crafting D-Bus messages that mimic legitimate signals from those services
- Sending the spoofed signals over the session or system bus
- The vulnerable GDBus client processes the spoofed signals as legitimate, potentially causing unintended behavior
The attack is particularly relevant in environments like shared workstations, terminal servers, or systems with multiple untrusted local users. The vulnerability mechanism involves the D-Bus signal subscription and sender validation code paths in GLib's gdbus implementation. For detailed technical analysis, see the GNOME Issue #3268.
Detection Methods for CVE-2024-34397
Indicators of Compromise
- Unusual D-Bus message patterns from non-system processes attempting to mimic system services
- Unexpected application behavior changes correlating with D-Bus activity from unprivileged users
- Audit logs showing D-Bus method calls or signals from user sessions targeting applications expecting system service communication
Detection Strategies
- Monitor D-Bus traffic using tools like dbus-monitor or busctl monitor for signals originating from unexpected senders
- Implement auditing on multi-user systems to track D-Bus activity per user session
- Use SentinelOne's behavioral analysis to detect anomalous inter-process communication patterns
- Review application logs for unexpected state changes that could indicate signal spoofing
Monitoring Recommendations
- Enable D-Bus verbose logging on systems with sensitive GDBus-based applications
- Deploy endpoint detection solutions capable of monitoring IPC mechanisms
- Audit installed GLib versions across all Linux endpoints using package management queries
- Implement network segmentation and user isolation on shared systems to limit attack surface
How to Mitigate CVE-2024-34397
Immediate Actions Required
- Update GNOME GLib to version 2.78.5 or later for the 2.78.x branch
- Update to GLib version 2.80.1 or later for the 2.80.x branch
- Restrict local user access on shared systems where GDBus-based applications handle sensitive operations
- Review applications running on affected systems that rely on D-Bus signals for security decisions
Patch Information
GNOME has released patched versions that address this signal spoofing vulnerability. The fix implements proper sender validation for D-Bus signal subscriptions, ensuring that GDBus clients verify signals actually originate from the expected trusted services. Security updates are available through the following channels:
- GNOME GLib Issue #3268 - Official vendor issue tracker with patch details
- Debian LTS Announcement - Debian security update
- Fedora Package Announcements - Fedora security updates
- NetApp Security Advisory NTAP-20240531-0008 - NetApp advisory for ONTAP Tools
Workarounds
- Limit local user accounts on systems running sensitive GDBus-based applications until patching is complete
- Implement D-Bus security policies to restrict which users can send signals on the system bus
- Consider application-level mitigations by adding additional sender validation in critical applications
- Use containerization or virtualization to isolate applications from untrusted local users
# Check installed GLib version
pkg-config --modversion glib-2.0
# For Debian/Ubuntu systems, update GLib
sudo apt update && sudo apt upgrade libglib2.0-0
# For Fedora systems, update GLib
sudo dnf update glib2
# Verify the updated version
pkg-config --modversion glib-2.0
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
