Bug 1639067 (CVE-2018-15688)
Field | Value | Field | Value
---|---|---|---
Summary: | CVE-2018-15688 systemd: Out-of-bounds heap write in systemd-networkd dhcpv6 option handling | |
Product: | [Other] Security Response | Reporter: | Sam Fowler <sfowler>
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team>
Status: | CLOSED ERRATA | QA Contact: |
Severity: | high | Docs Contact: |
Priority: | high | |
Version: | unspecified | CC: | abhgupta, atragler, bgalvani, bmcclain, dbaker, dblechte, dcbw, dfediuck, eedri, fgiudici, john.j5live, jokerman, lkundrak, lnykryn, lpoetter, lrintel, mclasen, mgoldboi, michal.skrivanek, msekleta, panyongzhi, redhat-bugzilla, rhughes, rkhan, rschiron, rstrode, sandmann, sbonazzo, security-response-team, sherold, s, sthangav, sukulkar, systemd-maint-list, systemd-maint, thaller, trankin, yturgema, zbyszek, zjedrzej
Target Milestone: | --- | Keywords: | Security
Target Release: | --- | |
Hardware: | All | |
OS: | Linux | |
Whiteboard: | | |
Fixed In Version: | | Doc Type: | If docs needed, set a value
Doc Text: | It was discovered that systemd-networkd does not correctly keep track of a buffer size when constructing DHCPv6 packets. This flaw may lead to an integer underflow that can be used to produce a heap-based buffer overflow. A malicious host on the same network segment as the victim may advertise itself as a DHCPv6 server and exploit this flaw to cause a Denial of Service or potentially gain code execution on the victim's machine. | |
Story Points: | --- | |
Clone Of: | | Environment: |
Last Closed: | 2019-07-12 13:06:02 UTC | Type: | ---
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Bug Depends On: | 1641580, 1641581, 1643362, 1643363, 1643984, 1643985, 1643986, 1643987 | |
Bug Blocks: | 1639068 | |
Description
Sam Fowler
2018-10-15 01:41:36 UTC
The DHCPv6 client implemented in systemd-networkd does not correctly handle the size of the temporary buffer used to construct the packet that needs to be sent to the DHCPv6 server. In particular, dhcp6-option.c:dhcp6_option_append_ia() causes an integer overflow that can be used to write beyond the limits of the temporary buffer. RHEL 7 does not ship systemd-networkd by default, but it is available in the @rhel-7-server-optional-rpms repository. Moreover, for the flaw to be exploitable, DHCPv6 should be explicitly enabled on the interface. Router Advertisement packets will not automatically start the DHCPv6 client.

Created systemd tracking bugs for this issue: Affects: fedora-all [bug 1643362]

Acknowledgments: Name: Ubuntu Security Team Upstream: Felix Wilhelm (Google)

Created NetworkManager tracking bugs for this issue: Affects: fedora-all [bug 1643987]

NetworkManager upstream patch: https://cgit.freedesktop.org/NetworkManager/NetworkManager/commit/?id=01ca2053bbea09f35b958c8cc7631e15469acb79

NetworkManager includes some parts of the systemd-networkd code in its codebase. That can be found at src/systemd/src/libsystemd-networkd. The DHCP implementation provided by systemd-networkd is used when NetworkManager is configured to use the internal implementation; however, the default is to use dhclient. When NetworkManager is configured to use the internal DHCP and an interface is set up with ipv6.method=auto (which is the default value) or ipv6.method=dhcp, this flaw can be exploited. When using ipv6.method=auto, the DHCPv6 client can be automatically started with a Router Advertisement packet.

Hmmm, I think the statement misses one case. IIUC, the code in question can be triggered automatically upon reception of a Router Advertisement message, see the discussion under https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1795921/comments/11.

In the case of the RHEL 7 systemd-networkd package, the Router Advertisement packet does not automatically enable the DHCPv6 client, because it does not include commit https://github.com/systemd/systemd/commit/f5a8c43f39937d97c9ed75e3fe8621945b42b0db.

This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2018:3665 https://access.redhat.com/errata/RHSA-2018:3665

Statement: This issue affects the versions of systemd-networkd as shipped with Red Hat Enterprise Linux 7; however, the package is available only through the unsupported Optional repository and it cannot be exploited unless the interface is explicitly configured to use DHCP. This issue affects the versions of NetworkManager as shipped with Red Hat Enterprise Linux 7 because the package includes some parts of the systemd-networkd code, which present the same vulnerability. NetworkManager is vulnerable to this flaw only when configured to use the internal DHCP, which is not the default. However, when it is, the flaw may be triggered by a connection where either ipv6.method is set to dhcp or it is set to auto, which is the default value.

Filed case #02290895 for systemd-networkd at the Red Hat customer portal.

This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2019:0049 https://access.redhat.com/errata/RHSA-2019:0049

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2018-15688
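The bug class the report describes (a packet builder whose room check does not cover everything it later subtracts from an unsigned remaining-size counter, so the counter underflows and the write runs past the buffer) is easiest to see in a small model. The following C program is an added illustration and is not code from systemd, NetworkManager, or this bug report; the encoder functions, the 64-byte canary arena, the 8-byte declared region, and the dummy payload are all constructed for the example. It only borrows the DHCPv6 option layout from RFC 3315 (a 2-byte option code and a 2-byte length in front of the payload; code 3 is OPTION_IA_NA). The unsafe encoder checks only the payload length before writing, then subtracts header plus payload; the hardened encoder checks the exact number of bytes it will consume before touching memory.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified DHCPv6 option encoder; not systemd's code.
 * Every DHCPv6 option starts with a 4-byte header (2-byte option code,
 * 2-byte option length, RFC 3315) followed by the payload. */
#define OPT_HDR_LEN  4
#define OPTION_IA_NA 3   /* option code from RFC 3315 */

static void put_be16(uint8_t *p, uint16_t v) {
    p[0] = (uint8_t)(v >> 8);
    p[1] = (uint8_t)(v & 0xff);
}

/* Unsafe pattern: the room check covers only the payload, while the
 * bookkeeping afterwards subtracts header + payload from the size_t
 * counter.  With remaining < header + payload the write overruns the
 * declared region and the counter wraps to a huge value, so every later
 * room check on the same counter passes as well. */
static int append_option_unsafe(uint8_t **buf, size_t *remaining,
                                uint16_t code, const uint8_t *data, uint16_t len) {
    if (*remaining < len)                   /* BUG: header bytes not counted */
        return -1;
    put_be16(*buf, code);
    put_be16(*buf + 2, len);
    memcpy(*buf + OPT_HDR_LEN, data, len);
    *buf += OPT_HDR_LEN + len;
    *remaining -= OPT_HDR_LEN + len;        /* underflows when remaining < len + 4 */
    return 0;
}

/* Hardened form: compute exactly what will be consumed and check it
 * before any byte is written, so the counter can never go below zero. */
static int append_option_safe(uint8_t **buf, size_t *remaining,
                              uint16_t code, const uint8_t *data, uint16_t len) {
    size_t need = (size_t)OPT_HDR_LEN + len;
    if (*remaining < need)
        return -1;
    put_be16(*buf, code);
    put_be16(*buf + 2, len);
    memcpy(*buf + OPT_HDR_LEN, data, len);
    *buf += need;
    *remaining -= need;
    return 0;
}

/* Harness (constructed input): declare only 8 bytes free inside a 64-byte
 * canary-filled arena so an overrun is observable without undefined
 * behaviour.  Reports the encoder's return code, the counter afterwards,
 * and whether the canary bytes past the declared region survived. */
#define ARENA_LEN    64
#define DECLARED_LEN 8
#define CANARY       0xAA

struct case_result {
    int rc;
    size_t remaining;
    bool canary_intact;
};

static struct case_result run_case(bool hardened) {
    uint8_t arena[ARENA_LEN];
    const uint8_t payload[6] = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06};  /* dummy option body */
    struct case_result r = {0, DECLARED_LEN, true};
    uint8_t *p = arena;

    memset(arena, CANARY, sizeof arena);
    r.rc = hardened
        ? append_option_safe(&p, &r.remaining, OPTION_IA_NA, payload, sizeof payload)
        : append_option_unsafe(&p, &r.remaining, OPTION_IA_NA, payload, sizeof payload);

    /* 4-byte header + 6-byte payload = 10 bytes, 2 more than declared free */
    for (size_t i = DECLARED_LEN; i < ARENA_LEN; i++)
        if (arena[i] != CANARY) { r.canary_intact = false; break; }
    return r;
}

int main(void) {
    struct case_result u = run_case(false), s = run_case(true);
    printf("unsafe:   rc=%d remaining=%zu canary_intact=%d\n", u.rc, u.remaining, u.canary_intact);
    printf("hardened: rc=%d remaining=%zu canary_intact=%d\n", s.rc, s.remaining, s.canary_intact);
    return 0;
}
```

Running it shows the two halves of the report's description: the unsafe encoder accepts the append, clobbers two canary bytes past the declared region, and leaves `remaining` wrapped to an enormous value, while the hardened encoder rejects the same append with the canary intact and `remaining` still 8. The defensive rule is the one the fix embodies: check the full number of bytes an append will consume, header included, before writing, and treat an unsigned remaining-size counter as something that must never be decremented by more than it holds.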