Bug 1380286 (CVE-2016-7795)

Summary: CVE-2016-7795 systemd: Assertion failure when PID 1 receives a zero-length message over notify socket
Product: [Other] Security Response
Reporter: Adam Mariš <amaris>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: aglotov, anemec, apmukher, brubisch, charlieb-fedora-bugzilla, cperry, dwood, ilmis, johannbg, jpazdziora, jwright, ldixon, lnykryn, msekleta, muadda, muhammad.zali, pdwyer, pieter.baele, pkenyon, qguo, redhat-bugzilla, rsawhill, sauchter, security-response-team, slawomir, sreber, ssahani, s, syangsao, systemd-maint-list, systemd-maint, ykawada, zbyszek, zpytela
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the way systemd handled empty notification messages. A local attacker could use this flaw to make systemd freeze its execution, preventing further management of system services, system shutdown, or zombie process collection via systemd.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-11-09 21:02:54 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Bug Depends On: 1380175, 1380287, 1381573, 1382284
Bug Blocks: 1380288

Description Adam Mariš 2016-09-29 08:22:54 UTC
It was found that systemd fails an assertion in manager_invoke_notify_message when a zero-length message is received over its notification socket. After failing the assertion, PID 1 hangs in the pause system call, making it no longer possible to start and stop daemons or cleanly reboot the system. Inetd-style services managed by systemd no longer accept connections.

Since the notification socket, /run/systemd/notify, is world-writable, this allows a local user to perform a denial-of-service attack against systemd.

PoC:

NOTIFY_SOCKET=/run/systemd/notify systemd-notify ""

Upstream bug report:

https://github.com/systemd/systemd/issues/4234

CVE request:

http://www.openwall.com/lists/oss-security/2016/09/28/9
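The mechanism described in this report, as an added example that is not part of the bug report and not systemd's own code: a C program that sends a zero-length datagram over an AF_UNIX SOCK_DGRAM socketpair (standing in for /run/systemd/notify, which has the same delivery semantics), receives it with recvmsg(), and dispatches it twice: once through a constructed pre-fix handler whose shape mirrors an assert(n > 0) on the received length, and once through a constructed fixed handler that treats a zero-length datagram as a valid empty message. The function names (notify_recv, handle_notify, simulate), the NOTIFY_* codes and the KEY=VALUE counting are assumptions made for the illustration; the program returns a code where PID 1 would fail its assertion and end up in pause(), so it keeps running.

```c
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/uio.h>
#include <unistd.h>

/* Result codes for handle_notify() (names assumed for this illustration). */
#define NOTIFY_ERROR        (-1)  /* socket setup or recvmsg() failed   */
#define NOTIFY_WOULD_ASSERT (-2)  /* pre-fix path would hit assert(n > 0) */

/* Receive one datagram into buf and NUL-terminate it.
 * Returns the payload length: 0 for a zero-length datagram, which on a
 * SOCK_DGRAM socket is a real, empty message and not end-of-stream;
 * -1 on error. */
static ssize_t notify_recv(int fd, char *buf, size_t bufsz)
{
    struct iovec iov = { .iov_base = buf, .iov_len = bufsz - 1 };
    struct msghdr mh = { .msg_iov = &iov, .msg_iovlen = 1 };
    ssize_t n = recvmsg(fd, &mh, MSG_DONTWAIT);
    if (n < 0)
        return -1;
    buf[n] = '\0';
    return n;
}

/* Count "KEY=VALUE" lines (non-empty key) in a NUL-terminated payload. */
static int count_assignments(const char *buf)
{
    int count = 0;
    for (const char *p = buf; *p; ) {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        const char *eq = memchr(p, '=', len);
        if (eq && eq > p)
            count++;
        if (!eol)
            break;
        p = eol + 1;
    }
    return count;
}

/* Dispatch a received message. With fixed == 0 an empty message is the
 * case that violates assert(n > 0); NOTIFY_WOULD_ASSERT is returned in
 * place of aborting (in PID 1 the failed assertion ends in pause()).
 * With fixed != 0 an empty message is simply a message with no
 * assignments. Returns the number of assignments handled, or a negative code. */
static int handle_notify(const char *buf, ssize_t n, int fixed)
{
    if (n < 0)
        return NOTIFY_ERROR;
    if (n == 0 && !fixed)
        return NOTIFY_WOULD_ASSERT;
    return count_assignments(buf);
}

/* Send payload as one datagram over an AF_UNIX SOCK_DGRAM socketpair and
 * dispatch it with the chosen handler. An empty payload reproduces what
 * `systemd-notify ""` puts on the wire: a datagram of length zero. */
static int simulate(const char *payload, int fixed)
{
    int sv[2];
    char buf[4096];
    ssize_t n;

    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) < 0)
        return NOTIFY_ERROR;
    if (send(sv[0], payload, strlen(payload), 0) < 0) {
        close(sv[0]);
        close(sv[1]);
        return NOTIFY_ERROR;
    }
    n = notify_recv(sv[1], buf, sizeof buf);
    close(sv[0]);
    close(sv[1]);
    return handle_notify(buf, n, fixed);
}

int main(void)
{
    printf("READY=1 payload, pre-fix handler: %d\n", simulate("READY=1\nSTATUS=up", 0));
    printf("empty payload,   pre-fix handler: %d\n", simulate("", 0));
    printf("empty payload,   fixed handler:   %d\n", simulate("", 1));
    return 0;
}
```

The point to check in any datagram receiver, not only PID 1's: recvmsg() returning 0 on a SOCK_DGRAM socket does not mean the peer closed, it means a zero-length datagram arrived, and since anyone who can write to the socket can send one, the receive path must accept that length rather than assert on it.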

Comment 1 Adam Mariš 2016-09-29 08:23:33 UTC
Created systemd tracking bugs for this issue:

Affects: fedora-all [bug 1380287]

Comment 3 Tomas Hoger 2016-09-29 10:55:19 UTC
This fix was applied upstream:

https://github.com/systemd/systemd/commit/531ac2b2349da02acc9c382849758e07eb92b020

Upstream bug also indicates that the problem was likely introduced via this change, added in v219:

https://github.com/systemd/systemd/commit/d875aa8ce10b458dc218c0d98f4a82c8904d6d03

Comment 7 Tomas Hoger 2016-09-30 13:11:23 UTC
Additional upstream fixes:

https://github.com/systemd/systemd/commit/9987750e7a4c62e0eb8473603150596ba7c3a015
https://github.com/systemd/systemd/commit/8523bf7dd514a3a2c6114b7b8fb8f308b4f09fc4

The second commit reverts the original fix linked in comment 3.

Comment 9 Andrej Nemec 2016-10-03 07:26:58 UTC
References:

https://www.agwa.name/blog/post/how_to_crash_systemd_in_one_tweet

Comment 12 Tomas Hoger 2016-10-05 11:49:12 UTC
CVE-2016-7796 was moved to a separate bug 1381911, as those CVEs affect different systemd versions.  Only the fix for CVE-2016-7796 makes the assert causing CVE-2016-7795 reachable.

Comment 14 errata-xmlrpc 2016-11-04 08:55:43 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:2610 https://rhn.redhat.com/errata/RHSA-2016-2610.html

Comment 15 errata-xmlrpc 2016-11-09 16:49:13 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.2 Extended Update Support

Via RHSA-2016:2694 https://rhn.redhat.com/errata/RHSA-2016-2694.html