CVE-2019-25058

7.8 HIGH

📋 TL;DR

CVE-2019-25058 is a local privilege escalation in USBGuard before 1.1.0. When the usbguard-dbus daemon is running, its D-Bus access policy lets an unprivileged local user change the USB device authorization policy, including making USBGuard allow every USB device connected in the future, which defeats the device restrictions the tool exists to enforce. Systems running USBGuard with usbguard-dbus enabled are affected.

💻 Affected Systems

Products:
  • USBGuard
Versions: All versions before 1.1.0
Operating Systems: Linux distributions with USBGuard package
Default Config Vulnerable: ⚠️ Yes
Notes: Only exploitable while usbguard-dbus is running. It is a separate unit (usbguard-dbus.service) from the core usbguard.service, and some distributions ship it disabled by default.

📦 What is this software?

USBGuard is a Linux framework for enforcing USB device authorization policies. Its daemon uses the kernel's USB authorization interface to allow, block or reject devices according to a rule language; administration goes through the usbguard CLI over a local Unix socket, or through the optional usbguard-dbus bridge that exposes the same operations on the system D-Bus.

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker with local user access could disable all USB security controls, allowing malicious USB devices (like rubber duckies or BadUSB) to execute arbitrary code, exfiltrate data, or establish persistence.

🟠

Likely Case

A malicious insider or a compromised user account rewrites the policy to bypass USB device whitelisting, then connects unauthorized storage devices for data theft or input devices for keystroke injection.

🟢

If Mitigated

With usbguard-dbus disabled or its D-Bus policy restricted to root, the bug is unreachable. Where only physical port access is restricted, an attacker can still rewrite the policy but cannot immediately connect a device, so the change can be detected and reverted before it is used.

🌐 Internet-Facing: LOW - This requires local system access and cannot be exploited remotely.
🏢 Internal Only: HIGH - Any local user can exploit this to bypass USB security controls, making it dangerous in multi-user environments.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit requires local user access but is simple to execute via DBus calls. Proof of concept exists in GitHub issues.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.1.0 and later

Vendor Advisory: https://github.com/USBGuard/usbguard/releases/tag/v1.1.0

Restart Required: Yes

Instructions:

1. Update USBGuard to 1.1.0 or later with your distribution's package manager.
2. Restart the usbguard-dbus service (sudo systemctl restart usbguard-dbus).
3. Review the active rule set with usbguard list-rules for allow rules or parameter changes an attacker may have made before the update; patching does not undo an already-modified policy.

🔧 Temporary Workarounds

Disable usbguard-dbus daemon

linux

Stop and disable the D-Bus bridge. The core usbguard.service keeps enforcing the rule set; administration then goes through the usbguard CLI, whose socket access is governed by the IPCAllowedUsers and IPCAllowedGroups settings in usbguard-daemon.conf, not by the D-Bus policy.

sudo systemctl stop usbguard-dbus
sudo systemctl disable usbguard-dbus

Restrict DBus policy access

linux

Override the packaged D-Bus policy so that only root may send to the org.usbguard1 bus name

sudo cp /usr/share/dbus-1/system.d/org.usbguard1.conf /etc/dbus-1/system.d/
Edit /etc/dbus-1/system.d/org.usbguard1.conf so that the default context (every local connection) is explicitly denied send access to org.usbguard1 and only root is allowed. The admin directory is read after the packaged one and later rules win, so the copy must contain an explicit deny; leaving a default-context allow in place changes nothing.
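A concrete version of that override, added here as an illustration and not the file USBGuard itself ships. It assumes usbguard-dbus runs as root (so root must keep the right to own the name) and that the only access to remove is the default-context send permission:

```xml
<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<!-- /etc/dbus-1/system.d/org.usbguard1.conf : local admin override (added example) -->
<busconfig>
  <!-- root keeps the right to own the bus name (the bridge runs as root)
       and to call the daemon -->
  <policy user="root">
    <allow own="org.usbguard1"/>
    <allow send_destination="org.usbguard1"/>
  </policy>

  <!-- everyone else: an explicit deny. This has to be a deny rather than a
       missing allow, because the packaged policy is still loaded and the
       later matching rule wins. -->
  <policy context="default">
    <deny send_destination="org.usbguard1"/>
  </policy>
</busconfig>
```

Reload the bus configuration with sudo systemctl reload dbus, then check from an unprivileged shell that busctl --system introspect org.usbguard1 /org/usbguard1 is rejected with an AccessDenied error while the same command as root still succeeds. This only governs the system bus; the daemon's own IPC socket remains controlled by usbguard-daemon.conf.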

🧯 If You Can't Patch

  • Disable usbguard-dbus service immediately and use USBGuard CLI only
  • Implement strict access controls to prevent unauthorized users from accessing systems with USBGuard

🔍 How to Verify

Check if Vulnerable:

Check USBGuard version and if usbguard-dbus is running: usbguard --version && systemctl status usbguard-dbus

Check Version:

usbguard --version

Verify Fix Applied:

Verify the installed version is 1.1.0 or later. A plain grep for "1.1." is wrong: it misses 1.2.x and later releases. Compare versions with sort -V instead:

v=$(usbguard --version | awk '{print $NF}'); [ "$(printf '%s\n' 1.1.0 "$v" | sort -V | head -n 1)" = 1.1.0 ] && echo Patched || echo Vulnerable
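Version alone does not tell you whether the "Restrict DBus policy access" workaround above actually closed the hole, because an override in /etc/dbus-1/system.d is easy to get wrong. The following check, added here as an example and not USBGuard's or dbus-daemon's own code, re-implements the documented dbus-daemon evaluation order for policy elements (context="default", then group=, then user=, then context="mandatory", with later matching rules winning) and answers the one question that matters for this CVE: can an unprivileged caller send to org.usbguard1? Both embedded policy documents are constructed for the example; neither is the exact file USBGuard ships, and the user and group names are placeholders.

```python
"""Check whether a D-Bus system-bus policy lets unprivileged users reach org.usbguard1.

Added example, not USBGuard's or dbus-daemon's own code.
"""
import sys
import xml.etree.ElementTree as ET

BUS_NAME = "org.usbguard1"

DOCTYPE = ('<!DOCTYPE busconfig PUBLIC '
           '"-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN" '
           '"http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">')

# Constructed: the permissive shape the CVE describes, with the default
# context (every local connection) allowed to talk to the daemon.
WEAK_POLICY = DOCTYPE + """
<busconfig>
  <policy user="root">
    <allow own="org.usbguard1"/>
    <allow send_destination="org.usbguard1"/>
  </policy>
  <policy context="default">
    <allow send_destination="org.usbguard1"/>
  </policy>
</busconfig>"""

# Constructed: the root-only override described in the workaround.
HARDENED_POLICY = DOCTYPE + """
<busconfig>
  <policy user="root">
    <allow own="org.usbguard1"/>
    <allow send_destination="org.usbguard1"/>
  </policy>
  <policy context="default">
    <deny send_destination="org.usbguard1"/>
  </policy>
</busconfig>"""


def _rule_targets(rule, dest):
    """True if an <allow>/<deny> rule constrains sends to `dest`."""
    target = rule.get("send_destination")
    return target is not None and target in ("*", dest)


def can_send_to(policy_xml, user, groups=(), dest=BUS_NAME):
    """Decide whether `user` (a user name) belonging to `groups` may send to `dest`.

    Only send_destination is matched. dbus-daemon can additionally narrow a
    rule by interface, member or path; such narrowed rules are treated here
    as if they covered the whole destination, so read the file as well when
    it contains them.
    """
    root = ET.fromstring(policy_xml)
    policies = root.findall("policy")
    # dbus-daemon(1): default policies first, then group, user, mandatory.
    ordered = [p for p in policies if p.get("context") == "default"]
    ordered += [p for p in policies if p.get("group") in groups]
    ordered += [p for p in policies if p.get("user") == user]
    ordered += [p for p in policies if p.get("context") == "mandatory"]

    allowed = False  # system.conf denies method calls unless a rule allows them
    for policy in ordered:
        for rule in policy:
            if rule.tag in ("allow", "deny") and _rule_targets(rule, dest):
                allowed = rule.tag == "allow"  # the last matching rule wins
    return allowed


def unprivileged_can_reach_usbguard(policy_xml):
    """The CVE-2019-25058 exposure condition for one policy file."""
    # "nobody"/"nogroup" are placeholders for any non-root caller.
    return can_send_to(policy_xml, user="nobody", groups=("nogroup",))


if __name__ == "__main__":
    # Usage: python3 check_usbguard_dbus_policy.py /etc/dbus-1/system.d/org.usbguard1.conf
    path = sys.argv[1] if len(sys.argv) > 1 else "/usr/share/dbus-1/system.d/org.usbguard1.conf"
    with open(path, encoding="utf-8") as fh:
        exposed = unprivileged_can_reach_usbguard(fh.read())
    print(f"{path}: {'EXPOSED to unprivileged users' if exposed else 'root-only'}")
```

Run it against every org.usbguard1.conf on the host (the packaged one and any admin override), since dbus-daemon loads all of them and the later file's rules win.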

📡 Detection & Monitoring

Log Indicators:

  • dbus-daemon "Rejected send message" journal entries with destination org.usbguard1 (these only appear once the D-Bus policy has been hardened; before that, the calls succeed silently)
  • USBGuard audit events for policy changes (enable AuditBackend in usbguard-daemon.conf) whose recorded uid is not 0
  • Unexpected device authorization events, in particular devices becoming allowed that the rule set would normally block

Network Indicators:

  • None - local exploitation only

SIEM Query:

dbus-daemon does not log method calls on a standard system, so a query keyed on D-Bus destination matches nothing unless bus auditing has been added separately. Use USBGuard's own audit trail instead: set AuditBackend=FileAudit (or LinuxAudit) in usbguard-daemon.conf and alert on policy-change (Policy.*) events recorded with a uid other than 0. Illustrative pseudo-query, with field names depending on how your SIEM parses the audit log:

source="usbguard-audit" AND event.type="Policy.*" AND user.id!="0"

After the D-Bus policy has been hardened, a journal search for "Rejected send message" with destination org.usbguard1 surfaces attempts that are now being blocked.

🔗 References
