CVE-2021-3939
📋 TL;DR
This CVE describes a double-free memory corruption vulnerability in Ubuntu's accountsservice. Attackers can exploit this via the SetLanguage D-Bus function to potentially execute arbitrary code or crash the service. Only Ubuntu systems with specific versions of accountsservice are affected.
💻 Affected Systems
- accountsservice
📦 What is this software?
Accountsservice by Canonical
Ubuntu Linux by Canonical
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution with root privileges leading to complete system compromise.
Likely Case
Service crash causing denial of service and potential privilege escalation.
If Mitigated
Limited to denial of service if exploit fails or system has additional protections.
🎯 Exploit Status
Exploit requires D-Bus access. Public exploit code exists in Packet Storm references.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.6.55-0ubuntu12~20.04.5, 0.6.55-0ubuntu13.3, or 0.6.55-0ubuntu14.1
Vendor Advisory: https://ubuntu.com/security/notices/USN-5149-1
Restart Required: Yes
Instructions:
1. Update package: sudo apt update && sudo apt install accountsservice
2. Restart affected services: sudo systemctl restart accounts-daemon
3. Verify version with: dpkg -l accountsservice
🔧 Temporary Workarounds
Restrict D-Bus Access
Limit D-Bus access to accountsservice to prevent exploitation
sudo systemctl edit accounts-daemon
Add the following to the drop-in, then restart the unit so it takes effect:
[Service]
RestrictRealtime=yes
NoNewPrivileges=yes
Disable SetLanguage Function
Block the vulnerable D-Bus method via policy
Create /etc/dbus-1/system.d/accountsservice-block.conf with:
<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
  <policy context="default">
    <deny send_destination="org.freedesktop.Accounts"
          send_interface="org.freedesktop.Accounts.User"
          send_member="SetLanguage"/>
  </policy>
</busconfig>
sudo systemctl reload dbus
The deny applies to every caller, so changing an account's language through the desktop settings will also fail until the policy file is removed.
🧯 If You Can't Patch
- Implement strict network segmentation to limit D-Bus access
- Monitor for exploitation attempts via D-Bus logs and system crashes
🔍 How to Verify
Check if Vulnerable:
Check accountsservice version: dpkg -l | grep accountsservice
Check Version:
dpkg -l accountsservice | grep ^ii | awk '{print $3}'
Verify Fix Applied:
Verify the installed version is at or above the fixed version for your release:
- Ubuntu 20.04: 0.6.55-0ubuntu12~20.04.5
- Ubuntu 21.10: 0.6.55-0ubuntu13.3
- Ubuntu 22.04: 0.6.55-0ubuntu14.1
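The version check above depends on dpkg's ordering rules, in which a "~" sorts before everything, even the end of the string, so 0.6.55-0ubuntu12~20.04.5 is older than a plain 0.6.55-0ubuntu12. The following added example, which is not code from the advisory or the accountsservice project, re-implements that ordering so the comparison runs without dpkg present, and selects the applicable fixed version by the installed version's Ubuntu revision branch (0ubuntu12~20.04, 0ubuntu13, 0ubuntu14) rather than by release name; that branch mapping is an assumption of the script. When run directly it asks dpkg-query for the installed version.

```python
"""Offline check of an accountsservice version against the USN-5149-1 fixes.

Added example, not code from the advisory or the accountsservice project.
Assumptions: dpkg's version ordering (verrevcmp in lib/dpkg/vercmp.c) is
re-implemented below so no dpkg binary is needed for the comparison, and
the applicable fixed version is chosen by the Ubuntu revision branch of the
installed version rather than by release name.
"""
import re
import subprocess

# Fixed versions from the advisory, keyed by the revision branch they belong to.
FIXED_BY_BRANCH = {
    "12~20.04": "0.6.55-0ubuntu12~20.04.5",
    "13": "0.6.55-0ubuntu13.3",
    "14": "0.6.55-0ubuntu14.1",
}
_BRANCH = re.compile(r"^0\.6\.55-0ubuntu(12~20\.04|13|14)(?=[.~]|$)")


def _order(c):
    """dpkg character weight: digits 0, letters by code point, '~' below everything, other symbols above letters."""
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _verrevcmp(a, b):
    """Compare two version fragments (upstream or revision) the way dpkg does."""
    while a or b:
        first_diff = 0
        # Non-digit run: compare character weights; an exhausted string weighs 0,
        # which is why '~' (weight -1) sorts before the end of the other string.
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            ac = _order(a[0]) if a else 0
            bc = _order(b[0]) if b else 0
            if ac != bc:
                return ac - bc
            a, b = a[1:], b[1:]
        # Digit run: drop leading zeros; the longer run wins, else the first differing digit.
        a, b = a.lstrip("0"), b.lstrip("0")
        while a and b and a[0].isdigit() and b[0].isdigit():
            if not first_diff:
                first_diff = ord(a[0]) - ord(b[0])
            a, b = a[1:], b[1:]
        if a and a[0].isdigit():
            return 1
        if b and b[0].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version):
    """Split 'epoch:upstream-revision' into its parts (epoch 0 and empty revision when absent)."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_versions(a, b):
    """Negative, zero or positive, with the same ordering as dpkg --compare-versions."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return ea - eb
    return _verrevcmp(ua, ub) or _verrevcmp(ra, rb)


def assess(installed):
    """Return ('fixed' | 'vulnerable' | 'unknown', fixed_version_or_None)."""
    m = _BRANCH.match(installed)
    if not m:
        return "unknown", None  # not one of the USN-5149-1 branches
    fixed = FIXED_BY_BRANCH[m.group(1)]
    status = "fixed" if compare_versions(installed, fixed) >= 0 else "vulnerable"
    return status, fixed


def installed_version():
    """Ask dpkg on the running host; None when the package or dpkg-query is absent."""
    try:
        proc = subprocess.run(["dpkg-query", "-W", "-f=${Version}", "accountsservice"],
                              capture_output=True, text=True, check=True)
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None
    return proc.stdout.strip() or None


if __name__ == "__main__":
    version = installed_version()
    if version is None:
        print("accountsservice not installed or dpkg-query unavailable")
    else:
        status, fixed = assess(version)
        print(f"accountsservice {version}: {status}" + (f" (fixed in {fixed})" if fixed else ""))
```

A version on a branch the advisory does not list (for example a later upstream release) is reported as unknown rather than fixed, so the script never vouches for a package it cannot map to one of the three fixed versions.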
📡 Detection & Monitoring
Log Indicators:
- Multiple free() calls in accountsservice logs
- D-Bus SetLanguage method calls from unusual sources
- accountsservice crashes or segmentation faults
Network Indicators:
- Unusual D-Bus traffic to accounts-daemon
- Multiple SetLanguage method calls
SIEM Query:
process.name="accounts-daemon" AND (event.action="segmentation fault" OR log.message="*free*" OR log.message="*corruption*")
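To make the log and D-Bus indicators above checkable, the following added script (not code from the advisory) scans journal lines for accounts-daemon crash reports and dbus-monitor output for repeated SetLanguage calls from a single sender. The sample lines are constructed to mimic journalctl and dbus-monitor --system output, and the burst threshold and time window are assumptions to tune for your environment.

```python
"""Scan journal and dbus-monitor output for the CVE-2021-3939 indicators.

Added example, not code from the advisory. The sample lines are constructed
to mimic journalctl (kernel segfault report, systemd core-dump exit) and
dbus-monitor --system output; the burst threshold and window are assumptions.
"""
import re
from collections import defaultdict

# Kernel segfault report and systemd's exit record for a dumped core.
SEGFAULT = re.compile(r"accounts-daemon\[\d+\]: segfault at")
CORE_DUMP = re.compile(r"accounts-daemon\.service: Main process exited, code=dumped, status=\d+/SEGV")
# A SetLanguage method call as printed by dbus-monitor --system.
SET_LANGUAGE = re.compile(
    r"method call time=(?P<time>[\d.]+) sender=(?P<sender>\S+) -> "
    r"destination=org\.freedesktop\.Accounts .*"
    r"interface=org\.freedesktop\.Accounts\.User; member=SetLanguage"
)

SAMPLE_LINES = [  # constructed sample input, not real captures
    "Nov 18 10:01:02 host dbus-daemon[812]: [system] Activating service name='org.freedesktop.Accounts'",
    "method call time=1637229662.101 sender=:1.87 -> destination=org.freedesktop.Accounts serial=4 "
    "path=/org/freedesktop/Accounts/User1000; interface=org.freedesktop.Accounts.User; member=SetLanguage",
    "method call time=1637229662.350 sender=:1.87 -> destination=org.freedesktop.Accounts serial=5 "
    "path=/org/freedesktop/Accounts/User1000; interface=org.freedesktop.Accounts.User; member=SetLanguage",
    "method call time=1637229663.020 sender=:1.87 -> destination=org.freedesktop.Accounts serial=6 "
    "path=/org/freedesktop/Accounts/User1000; interface=org.freedesktop.Accounts.User; member=SetLanguage",
    # A single call from another client, as a settings dialog would make: must not be flagged.
    "method call time=1637229700.000 sender=:1.12 -> destination=org.freedesktop.Accounts serial=9 "
    "path=/org/freedesktop/Accounts/User1000; interface=org.freedesktop.Accounts.User; member=SetLanguage",
    "Nov 18 10:01:04 host kernel: accounts-daemon[1234]: segfault at 8 ip 00007f3c1a2b4c5d "
    "sp 00007ffd1c3e0a10 error 4 in libc.so.6[7f3c1a2b4000+1c7000]",
    "Nov 18 10:01:04 host systemd[1]: accounts-daemon.service: Main process exited, code=dumped, status=11/SEGV",
]


def detect(lines, burst_threshold=3, window_seconds=10.0):
    """Return findings as (kind, detail) tuples: crashes first, then per-sender SetLanguage bursts."""
    findings = []
    calls = defaultdict(list)  # sender -> call timestamps
    for line in lines:
        if SEGFAULT.search(line) or CORE_DUMP.search(line):
            findings.append(("crash", line.strip()))
            continue
        m = SET_LANGUAGE.search(line)
        if m:
            calls[m["sender"]].append(float(m["time"]))
    # Sliding window: flag a sender whose Nth call lands within window_seconds of an earlier one.
    for sender, times in calls.items():
        times.sort()
        for i in range(len(times) - burst_threshold + 1):
            if times[i + burst_threshold - 1] - times[i] <= window_seconds:
                findings.append(("setlanguage_burst",
                                 f"{sender}: {burst_threshold} SetLanguage calls within {window_seconds:g}s"))
                break
    return findings


def summarize(findings):
    """Count findings per kind, e.g. {'crash': 2, 'setlanguage_burst': 1}."""
    counts = defaultdict(int)
    for kind, _ in findings:
        counts[kind] += 1
    return dict(counts)


if __name__ == "__main__":
    for kind, detail in detect(SAMPLE_LINES):
        print(f"[{kind}] {detail}")
```

Feed it real input with `journalctl -k -u accounts-daemon --no-pager` for the crash side and a captured `dbus-monitor --system` session for the call side; a crash record on its own is the stronger signal, since legitimate clients normally issue one SetLanguage call per user action.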
🔗 References
- http://packetstormsecurity.com/files/172848/Ubuntu-accountsservice-Double-Free-Memory-Corruption.html
- https://bugs.launchpad.net/ubuntu/+source/accountsservice/+bug/1950149
- https://ubuntu.com/security/notices/USN-5149-1