Bug 1653861 (CVE-2018-16865)

Summary: CVE-2018-16865 systemd: stack overflow when receiving many journald entries
Product: [Other] Security Response Reporter: Laura Pardo <lpardo>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: abhgupta, bmcclain, chris.snell, dbaker, dblechte, dchong, dfediuck, dpathak, eedri, fsumsal, hagberg, hannsj_uhl, jokerman, kent, lnykryn, lpoetter, marek.pawlowski, mgoldboi, michal.skrivanek, msekleta, mvanderw, redhat, rik.theys, rschiron, santony, sardella, sbonazzo, security-response-team, sherold, s, sthangav, systemd-maint-list, systemd-maint, trankin, yturgema, zbyszek, zjedrzej
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
An allocation of memory without limits, that could result in the stack clashing with another memory region, was discovered in systemd-journald when many entries are sent to the journal socket. A local attacker, or a remote one if systemd-journal-remote is used, may use this flaw to crash systemd-journald or execute code with journald privileges.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-10 10:43:18 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1657792, 1657793, 1659837, 1662790, 1662791, 1664973, 1664977, 1666017, 1666018, 1724851    
Bug Blocks: 1653451    

Description Laura Pardo 2018-11-27 19:00:23 UTC 
A flaw was found in systemd-journald. An uncontrolled alloca() by writing a crafted message to /run/systemd/journal/socket that results in a stack buffer overflow. This can lead to a denial of service attack or arbitrary code execution in some cases.
Comment 1 Doran Moppert 2018-11-28 02:09:01 UTC 
The exploit described by reporter is a stack clash:  since crafted input can cause a maximum alloca() of 4GiB (which may not be entirely written to) it is possible to jump over the guard page if the randomized offset between the stack and the next writeable segment on the heap is smaller than this.

This is claimed to occur approx 1/2048 of the time.  Testing on rhel-7 bears this out approximately.  The rest of the time, this attack will be harmless (and noisy, as journald will log the message).

An attacker is not able to significantly increase their chances even if they were able to force journald to restart repeatedly:  default StartLimit* settings will throttle restarts to 5/sec.
Comment 2 Doran Moppert 2018-11-28 02:30:17 UTC 
This vulnerability was introduced in systemd v38 and became exploitable in systemd v201.
Comment 3 Laura Pardo 2018-11-28 13:21:31 UTC 
Acknowledgments:

Name: Qualys Research Labs
Comment 4 Riccardo Schirone 2018-11-30 16:05:48 UTC 
Function journal_file_append_entry() in journal-file.c allocates an array of EntryItem structures through alloca(), however the number of entries can be controlled by a local attacker. By directly accessing the UNIX domain socket (by default at /run/systemd/journal/socket) a local attacker could send many items to the socket, making the alloca() function allocate the array on top of another memory region, overwriting data that resides there. This may crash systemd-journald or even allow to escalate the privileges of the attacker.
Comment 6 Riccardo Schirone 2018-12-03 12:25:06 UTC 
If systemd is compiled with -fstack-clash-protection flag, like in Fedora 28/29, the flaw is not exploitable because stack clashing is prevented.
Comment 8 Riccardo Schirone 2018-12-03 13:37:55 UTC 
Small fix to comment 0 (stack buffer overflow vs stack overflow)

> A flaw was found in systemd-journald. An uncontrolled alloca() by writing a crafted message to /run/systemd/journal/socket that results in a stack buffer overflow. 

A flaw was found in systemd-journald. An uncontrolled alloca() by writing a crafted message to /run/systemd/journal/socket that results in a stack overflow.
Comment 9 Riccardo Schirone 2018-12-04 10:02:15 UTC 
Changing CVSSv3 to Attack Vector:Network (AV:N) because the attack can be performed through systemd-journal-remote service as well. The service allows to receive journal messages over the network and it can receive messages big enough to receive many items and trigger the flaw in journal_file_append_entry().
Comment 17 Riccardo Schirone 2019-01-07 15:15:12 UTC 
Statement:

This issue affects the versions of systemd as shipped with Red Hat Enterprise Linux 7. Red Hat Product Security has rated this issue as having a security impact of Important because it allows an attacker to crash systemd-journald or escalate his privileges. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

Red Hat Enterprise Linux 7 ships systemd-journal-remote through the optional systemd-journal-gateway package, which is not installed, nor enabled by default.
Comment 19 Riccardo Schirone 2019-01-10 07:57:26 UTC 
Created systemd tracking bugs for this issue:

Affects: fedora-all [bug 1664973]
Comment 20 Riccardo Schirone 2019-01-10 07:59:31 UTC 
External References:

https://www.qualys.com/2019/01/09/system-down/system-down.txt
Comment 22 Riccardo Schirone 2019-01-10 08:17:26 UTC 
Upstream patches:
https://github.com/systemd/systemd/commit/052c57f132f04a3cf4148f87561618da1a6908b4
https://github.com/systemd/systemd/commit/ef4d6abe7c7fab6cbff975b32e76b09feee56074
Comment 25 errata-xmlrpc 2019-01-14 12:29:42 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:0049 https://access.redhat.com/errata/RHSA-2019:0049
Comment 29 errata-xmlrpc 2019-01-29 16:07:27 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.5 Extended Update Support

Via RHSA-2019:0204 https://access.redhat.com/errata/RHSA-2019:0204
Comment 30 errata-xmlrpc 2019-02-04 22:45:10 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.4 Extended Update Support

Via RHSA-2019:0271 https://access.redhat.com/errata/RHSA-2019:0271
Comment 31 errata-xmlrpc 2019-02-13 15:33:53 UTC 
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 7

Via RHSA-2019:0342 https://access.redhat.com/errata/RHSA-2019:0342
Comment 32 errata-xmlrpc 2019-02-18 15:25:00 UTC 
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 7

Via RHSA-2019:0361 https://access.redhat.com/errata/RHSA-2019:0361
Comment 34 errata-xmlrpc 2019-08-07 11:36:04 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.3 Advanced Update Support
  Red Hat Enterprise Linux 7.3 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.3 Telco Extended Update Support

Via RHSA-2019:2402 https://access.redhat.com/errata/RHSA-2019:2402