Opened 3 years ago

Closed 3 years ago

#4377 closed task (fixed)

Generate systemd-239 Backported Stable Snapshot

Reported by: Douglas R. Reno Owned by: Douglas R. Reno
Priority: high Milestone: 8.4
Component: Book Version: SVN
Severity: normal Keywords:
Cc:

Description

DJ and I have discussed creating a systemd-snapshot containing backported fixes for security vulnerabilities. This would replace the patch that DJ crafted, and would save a lot of headache when upgrading to 240 when it comes out.

One of these vulnerabilities has to do with a RCE and PrivEsc over DHCPv6, and this MAY affect other DHCP clients as well (I do have a PoC, but haven't tried it against anything as I've been too busy trying to get updates completed to commit).

Change History (5)

comment:1 by Douglas R. Reno, 3 years ago

Priority: normalhigh

DJ crafted a tarball and placed it on Anduin. I'm going to proceed with this and other package updates.

comment:2 by Douglas R. Reno, 3 years ago

Owner: changed from lfs-book to Douglas R. Reno
Status: newassigned

comment:3 by Douglas R. Reno, 3 years ago

http://anduin.linuxfromscratch.org/LFS/systemd-239-25d1ba1.tar.xz http://anduin.linuxfromscratch.org/LFS/systemd-man-pages-239-25d1ba1.tar.xz

New version will be 239-25d1ba1

Current plan is to commit this to LFS and BLFS simultaneously. This also counts for TCL and OpenSSL. I'd like to avoid version inconsistencies right now if I can.

comment:4 by Douglas R. Reno, 3 years ago

Workaround
==========

- CVE-2018-15688

Disable IPv6 by setting either LinkLocalAddressing=ipv4 or
LinkLocalAddressing=no in the corresponding network configuration file.

Description
===========

- CVE-2018-15686 (privilege escalation)

A security issue has been found in systemd up to and including 239,
where the use of fgets() allows an attacker to escalate privilege via a
crafted service with NotifyAccess.

- CVE-2018-15687 (privilege escalation)

A security issue has been found in systemd up to and including 239,
where a race condition in the chown_one() function can be used to
escalate privileges via a crafted symlink.

- CVE-2018-15688 (arbitrary code execution)

An out-of-bounds write has been found in the dhcpv6 option handing code
of systemd-networkd up to and including v239.

It was discovered that systemd-network does not correctly keep track of
a buffer size  in the dhcp6_option_append_ia() function, when
constructing DHCPv6 packets. This flaw may lead to an integer underflow
that can be used to produce an heap-based buffer overflow. A malicious
host on the same network segment as the victim's one may advertise
itself as a DHCPv6 server and exploit this flaw to cause a Denial of
Service or potentially gain code execution on the victim's machine. The
overflow can be triggered relatively easy by advertising a DHCPv6
server with a server-id >= 493 characters long.

Impact
======

A remote attacker is able to cause arbitrary code execution by
advertising itself as a DHCPv6 server with a specially crafted server-
id. A local attacker can escalate privileges with a specially crafted
service or a crafted symlink.

comment:5 by Douglas R. Reno, 3 years ago

Resolution: fixed
Status: assignedclosed

Fixed at r11487

Note: See TracTickets for help on using tickets.