CVE-2026-4948: firewalld Auth Bypass Vulnerability

CVE-2026-4948 Overview

A flaw was found in firewalld that allows local unprivileged users to bypass D-Bus authorization checks. The vulnerability exists in two runtime D-Bus setters, setZoneSettings2 and setPolicySettings, which fail to properly authenticate requests. This mis-authorization allows attackers with local access to modify the runtime firewall state without proper authentication, leading to unauthorized changes in network security configurations.

Critical Impact

Local unprivileged users can modify firewall configurations without authentication, potentially exposing systems to network-based attacks or allowing unauthorized network access.

Affected Products

• firewalld (affected versions not specified)
• Linux distributions using firewalld for firewall management
• Systems with D-Bus enabled and firewalld installed

Discovery Timeline

• 2026-03-27 - CVE CVE-2026-4948 published to NVD
• 2026-03-30 - Last updated in NVD database

Technical Details for CVE-2026-4948

Vulnerability Analysis

This vulnerability stems from improper access control (CWE-279: Incorrect Execution-Assigned Permissions) within firewalld's D-Bus interface. The affected D-Bus methods setZoneSettings2 and setPolicySettings fail to verify that the calling process has the necessary privileges before allowing modifications to the firewall runtime state.

When a local user invokes these D-Bus methods, firewalld should validate that the user has administrative privileges through PolicyKit or similar authentication mechanisms. However, the vulnerability allows these authorization checks to be bypassed, enabling any local user to manipulate firewall zones and policies.

The impact is limited to the runtime configuration, meaning changes are not persistent across firewalld restarts. However, this still presents a significant security risk as attackers can open ports, modify zone assignments, or alter policies to facilitate lateral movement or data exfiltration while the system remains running.

Root Cause

The root cause is improper authorization checking in the D-Bus method handlers for setZoneSettings2 and setPolicySettings. The firewalld daemon fails to properly enforce PolicyKit authorization for these specific methods, allowing unprivileged users to invoke them without authentication challenges.

Attack Vector

The attack requires local access to the target system. An attacker with a low-privileged local account can exploit this vulnerability by sending crafted D-Bus messages to the firewalld service. The attacker would use standard D-Bus tools like dbus-send or the firewall-cmd utility to invoke the vulnerable methods.

A successful attack could allow the attacker to:

• Open firewall ports to expose internal services
• Modify zone assignments to reduce security restrictions
• Alter firewall policies to permit malicious traffic
• Disable firewall rules protecting sensitive network segments

The vulnerability requires local access (AV:L), has low attack complexity (AC:L), requires low privileges (PR:L), and no user interaction (UI:N). While confidentiality is not directly impacted, the integrity impact is high as unauthorized firewall changes can be made.

Detection Methods for CVE-2026-4948

Indicators of Compromise

• Unexpected changes to firewalld zone configurations visible in firewall-cmd --list-all-zones
• D-Bus method calls to setZoneSettings2 or setPolicySettings from non-root users in system logs
• Newly opened ports or services not authorized by administrators
• Audit logs showing firewall modifications by unprivileged accounts

Detection Strategies

• Monitor D-Bus system bus for method calls to firewalld's setZoneSettings2 and setPolicySettings methods from non-administrative users
• Enable and review auditd rules for firewalld configuration changes using auditctl -w /etc/firewalld/ -p wa
• Deploy SentinelOne agents to detect unauthorized system configuration modifications and privilege escalation attempts
• Configure systemd journal monitoring for firewalld service events and unexpected state changes

Monitoring Recommendations

• Implement centralized logging for all firewalld configuration changes across the environment
• Create alerts for D-Bus method invocations to firewalld from unexpected user contexts
• Regularly audit firewall states against baseline configurations to detect drift
• Use SentinelOne's behavioral analysis to identify patterns of local privilege abuse targeting system services

How to Mitigate CVE-2026-4948

Immediate Actions Required

• Review current firewalld configurations to ensure no unauthorized changes have been made
• Restrict local user access to systems running firewalld where possible
• Monitor for patches from your Linux distribution vendor and apply them promptly
• Consider implementing additional D-Bus access controls using dbus-daemon configuration

Patch Information

Patches are expected to be available from Linux distribution vendors. Refer to the Red Hat CVE-2026-4948 Advisory and Red Hat Bug Report #2452086 for the latest patch information and affected package versions.

Workarounds

• Restrict D-Bus access to firewalld by modifying the /etc/dbus-1/system.d/FirewallD.conf policy file to limit which users can invoke methods
• Use SELinux or AppArmor policies to further restrict access to firewalld D-Bus interfaces
• Disable firewalld and use iptables/nftables directly with manual configuration if the system does not require dynamic firewall management
• Implement network-level firewall controls at the perimeter to reduce dependency on host-based firewalls

# Configuration example: Restrict D-Bus access to firewalld
# Edit /etc/dbus-1/system.d/FirewallD.conf and ensure only root/wheel group can access
# Add the following policy inside the <busconfig> element:
# <policy user="root">
#   <allow send_destination="org.fedoraproject.FirewallD1"/>
# </policy>
# <policy group="wheel">
#   <allow send_destination="org.fedoraproject.FirewallD1"/>
# </policy>
# Then restart D-Bus: systemctl restart dbus