Bug 1667032 (CVE-2019-6454)
Field | Value
---|---
Summary | CVE-2019-6454 systemd: Insufficient input validation in bus_process_object() resulting in PID 1 crash
Product | [Other] Security Response
Reporter | Andrej Nemec <anemec>
Component | vulnerability
Assignee | Red Hat Product Security <security-response-team>
Status | CLOSED ERRATA
QA Contact | 
Severity | high
Docs Contact | 
Priority | high
Version | unspecified
CC | abhgupta, bmcclain, cperry, dbaker, dblechte, dfediuck, eedri, ego.cordatus, jokerman, kent, lnykryn, lpoetter, mgoldboi, michal.skrivanek, msekleta, rschiron, sbonazzo, security-response-team, sherold, s, sthangav, systemd-maint-list, systemd-maint, trankin, yturgema, zbyszek, zjedrzej
Target Milestone | ---
Keywords | Security
Target Release | ---
Hardware | All
OS | Linux
Whiteboard | 
Fixed In Version | 
Doc Type | If docs needed, set a value
Doc Text | It was discovered that systemd allocates a buffer large enough to store the path field of a dbus message without performing enough checks. A local attacker may trigger this flaw by sending a dbus message to systemd with a large path, making systemd crash or possibly elevating his privileges.
Story Points | ---
Clone Of | 
Environment | 
Last Closed | 2019-06-10 10:45:56 UTC
Type | ---
Regression | ---
Mount Type | ---
Documentation | ---
CRM | 
Verified Versions | 
Category | ---
oVirt Team | ---
RHEL 7.3 requirements from Atomic Host | 
Cloudforms Team | ---
Target Upstream Version | 
Embargoed | 
Bug Depends On | 1667870, 1667871, 1678394, 1678641, 1679414, 1679415, 1693971, 1710103, 1710104, 1713317, 1713318, 1724848
Bug Blocks | 1667033
Description

Andrej Nemec
2019-01-17 09:53:09 UTC

systemd tries to set up a signal handler to intercept segmentation faults and spawn a shell in case of crashes; however, due to the nature of the flaw, the kernel is not able to call the handler and it just makes PID 1 crash with a subsequent kernel panic.

Acknowledgments: Name: Chris Coulson (Ubuntu Security)

Given enough preconditions, we do not exclude that an attacker may be able to use this flaw to execute code and escalate his privileges, as done in other stack clashing attacks. However, this would require a precise attack, as once systemd crashes the entire system needs to be restarted. We do not have proof of such attacks.

Fedora 28/29 binaries are compiled with the -fstack-clash-protection gcc option, thus making the impact on those systems slightly lower. An attacker can only make systemd crash, with a consequent system freeze, but he cannot use it to skip the stack guard page and make the stack clash with any other memory region.

Created systemd tracking bugs for this issue:
Affects: fedora-all [bug 1678394]

This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2019:0368 https://access.redhat.com/errata/RHSA-2019:0368

Upstream patch:
https://github.com/systemd/systemd/commit/798ebaf9aea9b8ae3b8a0cc2702bc8de71acb3c6
https://github.com/systemd/systemd/commit/6d586a13717ae057aa1b4127400c3de61cd5b9e7

Statement: This vulnerability is present in Red Hat Virtualization Hypervisor and Management Appliance; however, it can only be exploited locally. Since these systems do not typically have local user accounts, this issue has been rated Moderate severity for Red Hat Virtualization 4.

This issue has been addressed in the following products:
Red Hat Virtualization 4 for Red Hat Enterprise Linux 7
Via RHSA-2019:0457 https://access.redhat.com/errata/RHSA-2019:0457

This issue has been addressed in the following products:
Red Hat Virtualization 4 for Red Hat Enterprise Linux 7
Via RHSA-2019:0461 https://access.redhat.com/errata/RHSA-2019:0461

This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2019:0990 https://access.redhat.com/errata/RHSA-2019:0990

This issue has been addressed in the following products:
Red Hat Enterprise Linux 7.5 Extended Update Support
Via RHSA-2019:1322 https://access.redhat.com/errata/RHSA-2019:1322

This issue has been addressed in the following products:
Red Hat Enterprise Linux 7.4 Extended Update Support
Via RHSA-2019:1502 https://access.redhat.com/errata/RHSA-2019:1502

This issue has been addressed in the following products:
Red Hat Enterprise Linux 7.3 Telco Extended Update Support
Red Hat Enterprise Linux 7.3 Advanced Update Support
Red Hat Enterprise Linux 7.3 Update Services for SAP Solutions
Via RHSA-2019:2805 https://access.redhat.com/errata/RHSA-2019:2805
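The flaw class the report describes (a peer-supplied D-Bus path length used directly for a stack allocation) beside the shape of a defensive fix, as an added illustration that is not systemd's code and not taken from the upstream commits; the `PATH_SIZE_MAX` value and both function names are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <alloca.h>

/* Constructed cap on an object path accepted from an untrusted peer
 * (a value chosen for this example, not systemd's constant). */
#define PATH_SIZE_MAX (64u * 1024u)

/* The pattern the report describes: the length comes from the message and
 * bounds a stack allocation, so an oversized field can exhaust the stack or,
 * without -fstack-clash-protection, jump past the guard page. */
size_t path_on_stack_unchecked(const char *path, size_t len) {
    char *copy = alloca(len + 1);   /* no upper bound on len */
    memcpy(copy, path, len);
    copy[len] = '\0';
    return strlen(copy);
}

/* D-Bus object path syntax: "/" alone, or "/elem(/elem)*" with each element
 * non-empty and drawn from [A-Za-z0-9_]; no trailing slash. */
static bool object_path_is_valid(const char *p, size_t len) {
    if (len == 0 || p[0] != '/') return false;
    if (len == 1) return true;
    if (p[len - 1] == '/') return false;
    for (size_t i = 1; i < len; i++) {
        char c = p[i];
        if (c == '/') { if (p[i - 1] == '/') return false; continue; }
        bool ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                  (c >= '0' && c <= '9') || c == '_';
        if (!ok) return false;
    }
    return true;
}

/* Hardened form: enforce a size limit and validate syntax before allocating,
 * and take the copy from the heap rather than the stack. Returns a
 * NUL-terminated copy the caller frees, or NULL when the path is rejected. */
char *path_copy_checked(const char *path, size_t len) {
    if (len > PATH_SIZE_MAX) return NULL;            /* checked before any read */
    if (!object_path_is_valid(path, len)) return NULL;
    char *copy = malloc(len + 1);
    if (!copy) return NULL;
    memcpy(copy, path, len);
    copy[len] = '\0';
    return copy;
}
```

The length check runs before the path bytes are touched, so an oversized field is rejected without any allocation, which is the behaviour a PID 1 service needs when the sender is untrusted.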