Bug 1653867 (CVE-2018-16866) - CVE-2018-16866 systemd: out-of-bounds read when parsing a crafted syslog message
Summary: CVE-2018-16866 systemd: out-of-bounds read when parsing a crafted syslog message
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2018-16866
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1657794 1664975 1664978 1756868 1756869 1756870 1786122 1786123
Blocks: 1653451
Reported: 2018-11-27 19:14 UTC by Laura Pardo
Modified: 2023-09-07 19:32 UTC
CC List: 39 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
An out-of-bounds read was discovered in systemd-journald in the way it parses log messages that terminate with a colon ':'. A local attacker can use this flaw to disclose process memory data.
Clone Of:
Environment:
Last Closed: 2019-08-06 19:20:16 UTC
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:2091 0 None None None 2019-08-06 12:13:43 UTC
Red Hat Product Errata RHSA-2019:3222 0 None None None 2019-10-29 14:02:23 UTC
Red Hat Product Errata RHSA-2020:0593 0 None None None 2020-02-25 12:11:17 UTC
Red Hat Product Errata RHSA-2020:1264 0 None None None 2020-04-01 08:32:57 UTC

Description Laura Pardo 2018-11-27 19:14:56 UTC
A flaw was found in systemd-journald. An out-of-bounds read when parsing a crafted syslog message could lead to information disclosure.

Comment 1 Doran Moppert 2018-11-28 02:29:27 UTC
This vulnerability was introduced in systemd v221.

Comment 2 Laura Pardo 2018-11-28 13:21:46 UTC
Acknowledgments:

Name: Qualys Research Labs

Comment 3 Riccardo Schirone 2018-12-05 09:05:42 UTC
Function syslog_parse_identifier() in the journald-syslog.c file does not properly parse the log string in case it ends with a ":", returning a pointer beyond the original string's limits. A local attacker may use this flaw to disclose systemd-journal process memory, resulting in an information leak.
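To make the trailing-colon case concrete, here is an added illustration that is not systemd's code and not part of this bug report: a deliberately minimal parser for a syslog-style line "ident[pid]: message" in two variants. The buggy variant shows a classic C pitfall that produces exactly the symptom described above (strchr() treats the terminating NUL as part of the set it searches, so a line that ends right after the ':' advances the offset past the end of the string); the fixed variant skips only real whitespace with strspn(). The function names, the WHITESPACE set and the sample lines are assumptions constructed for this example.

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added illustration, not systemd's code: a minimal parser for a
 * syslog-style line "ident[pid]: message" that returns how many bytes
 * of buf precede the message body. All names here are assumptions. */

#define WHITESPACE " \t\n\r"

/* Buggy variant. strchr(WHITESPACE, c) also matches c == '\0', because
 * the terminating NUL counts as part of the string being searched. When
 * the line ends right after the ':' this advances the offset one byte
 * past the terminator, so a caller that uses buf + offset reads beyond
 * the string. */
static size_t parse_identifier_buggy(const char *buf) {
    const char *p = buf + strspn(buf, WHITESPACE);   /* skip leading blanks */
    size_t l = strcspn(p, WHITESPACE);               /* length of the "ident:" token */
    size_t e;

    if (l == 0 || p[l - 1] != ':')
        return 0;                                    /* no identifier: consume nothing */

    e = l;
    if (strchr(WHITESPACE, p[e]))                    /* BUG: also true for '\0' */
        e++;
    return (size_t)(p - buf) + e;
}

/* Fixed variant: strspn counts only characters that are in WHITESPACE,
 * and NUL is not, so the offset can never pass the terminator. */
static size_t parse_identifier_fixed(const char *buf) {
    const char *p = buf + strspn(buf, WHITESPACE);
    size_t l = strcspn(p, WHITESPACE);
    size_t e;

    if (l == 0 || p[l - 1] != ':')
        return 0;

    e = l;
    e += strspn(p + e, WHITESPACE);                  /* skip real blanks only */
    return (size_t)(p - buf) + e;
}

/* Bounds check a caller should be able to rely on: the message body
 * must start at or before the terminating NUL. */
static int offset_in_bounds(const char *buf, size_t off) {
    return off <= strlen(buf);
}

int main(void) {
    /* Constructed sample lines; "sshd[42]:" with no message body is the
     * trailing-colon edge case from the report. */
    const char *lines[] = { "sshd[42]: Accepted publickey", "sshd[42]:", "no identifier here" };
    for (size_t i = 0; i < 3; i++) {
        size_t b = parse_identifier_buggy(lines[i]);
        size_t f = parse_identifier_fixed(lines[i]);
        printf("%-30s buggy=%zu (%s)  fixed=%zu (%s)\n", lines[i],
               b, offset_in_bounds(lines[i], b) ? "ok" : "PAST END",
               f, offset_in_bounds(lines[i], f) ? "ok" : "PAST END");
    }
    return 0;
}
```

For the line "sshd[42]:" the buggy variant returns offset 10 on a 9-byte string, which is the "pointer beyond the original string's limits" condition; the fixed variant returns 9. The general lesson for reviewers is that any character-class test written as strchr(set, c) silently accepts NUL and needs either an explicit c != '\0' guard or strspn()/strcspn(), which never step over the terminator.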

Comment 5 Riccardo Schirone 2018-12-05 09:16:39 UTC
RHEL 7.6 ships systemd v219, but commit ec5ff4445cca6a1d786b8da36cf6fe0acc0b94c8 was backported, thus making it vulnerable to this flaw as well.

Comment 10 Zbigniew Jędrzejewski-Szmek 2018-12-10 13:48:56 UTC
This seems to be the same as https://github.com/systemd/systemd/issues/9829, fixed by https://github.com/systemd/systemd/commit/a6aadf4ae0. The provided reproducer does not work with git master.

Comment 13 Doran Moppert 2019-01-02 02:45:00 UTC
Statement:

This issue affects the versions of systemd as shipped with Red Hat Enterprise Linux 7. Red Hat Product Security has rated this issue as having a security impact of Moderate. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

Red Hat Virtualization Hypervisor and Management Appliance include vulnerable versions of systemd. However, since exploitation requires local access and impact is restricted to information disclosure, this flaw is rated as having a security impact of Low. Future updates may address this issue.

Comment 14 Riccardo Schirone 2019-01-10 07:58:57 UTC
Created systemd tracking bugs for this issue:

Affects: fedora-all [bug 1664975]

Comment 15 Riccardo Schirone 2019-01-10 07:59:31 UTC
External References:

https://www.qualys.com/2019/01/09/system-down/system-down.txt

Comment 19 sabyrzhan 2019-03-05 18:14:10 UTC
Please update the ETA of RHEL7 systemd errata for this CVE.

Comment 20 sabyrzhan 2019-03-11 16:29:57 UTC
Please update the ETA for RHEL7 systemd errata release.

Comment 21 Laura Pardo 2019-03-11 19:38:02 UTC
In reply to comment #20:
> Please update the ETA for RHEL7 systemd errata release.

I'm transferring this needinfo to the analyst in charge of this.

Comment 22 Riccardo Schirone 2019-03-14 09:08:59 UTC
We do not release updates on ETA for errata.

Comment 23 errata-xmlrpc 2019-08-06 12:13:41 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:2091 https://access.redhat.com/errata/RHSA-2019:2091

Comment 24 Product Security DevOps Team 2019-08-06 19:20:16 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2018-16866

Comment 27 errata-xmlrpc 2019-10-29 14:02:20 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Extended Update Support

Via RHSA-2019:3222 https://access.redhat.com/errata/RHSA-2019:3222

Comment 29 errata-xmlrpc 2020-02-25 12:11:12 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.4 Advanced Update Support
  Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.4 Telco Extended Update Support

Via RHSA-2020:0593 https://access.redhat.com/errata/RHSA-2020:0593

Comment 30 errata-xmlrpc 2020-04-01 08:32:48 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.5 Extended Update Support

Via RHSA-2020:1264 https://access.redhat.com/errata/RHSA-2020:1264

