Bug 1684607 (CVE-2019-3843)

Summary: CVE-2019-3843 systemd: services with DynamicUser can create SUID/SGID binaries
Product: [Other] Security Response Reporter: Riccardo Schirone <rschiron>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: abhgupta, dbaker, jokerman, lnykryn, lpoetter, msekleta, security-response-team, s, sthangav, systemd-maint-list, systemd-maint, trankin, zbyszek, zjedrzej
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: systemd 242 Doc Type: If docs needed, set a value
Doc Text:
It was discovered that a systemd service that uses DynamicUser property can create a SUID/SGID binary that would be allowed to run as the transient service UID/GID even after the service is terminated. A local attacker may use this flaw to access resources that will be owned by a potentially different service in the future when the UID/GID will be recycled.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2020-04-28 16:32:35 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1687512, 1703356    
Bug Blocks: 1672544    

Description Riccardo Schirone 2019-03-01 16:04:35 UTC 
It was discovered that a systemd service that uses DynamicUser property can create a SUID/SGID binary that would be allowed to run as the transient service UID/GID even after the service is terminated. A local attacker may use this flaw to access resources that will be owned by a potentially different service in the future, when the UID/GID will be recycled.
Comment 3 Riccardo Schirone 2019-03-05 12:46:49 UTC 
A compromised or malicious service that uses DynamicUser property could leave on the filesystem a SUID/SGID binary that would allow other users to execute programs with the privileges of the transient user/group created by systemd. If the same UID/GID is reused by another service in the future, the SUID/SGID binary can be used to access the new service's resources.
Comment 5 Riccardo Schirone 2019-03-05 13:30:03 UTC 
Statement:

This issue did not affect the versions of systemd as shipped with Red Hat Enterprise Linux 7 as they did not include support for DynamicUser property.
Comment 17 Riccardo Schirone 2019-04-04 07:52:23 UTC 
Upstream patches:
https://github.com/systemd/systemd/commit/3c27973b13724ede05a06a5d346a569794cda433
https://github.com/systemd/systemd/commit/f69567cbe26d09eac9d387c0be0fc32c65a83ada
https://github.com/systemd/systemd/commit/9d880b70ba5c6ca83c82952f4c90e86e56c7b70c
https://github.com/systemd/systemd/commit/7445db6eb70e8d5989f481d0c5a08ace7047ae5b
https://github.com/systemd/systemd/commit/62aa29247c3d74bcec0607c347f2be23cd90675d
https://github.com/systemd/systemd/commit/bf65b7e0c9fc215897b676ab9a7c9d1c688143ba
Comment 19 Riccardo Schirone 2019-04-26 08:26:40 UTC 
References:
https://bugs.chromium.org/p/project-zero/issues/detail?id=1771
https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1814596
Comment 20 Riccardo Schirone 2019-04-26 08:41:18 UTC 
Created systemd tracking bugs for this issue:

Affects: fedora-all [bug 1703356]
Comment 21 Zbigniew Jędrzejewski-Szmek 2019-04-26 10:58:21 UTC 
https://github.com/systemd/systemd-stable/pull/54 contains a backport for v241-stable.
Comment 22 Riccardo Schirone 2019-04-26 13:38:59 UTC 
Acknowledgments:

Name: Jann Horn (Google Project Zero)
Comment 23 errata-xmlrpc 2020-04-28 15:53:27 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:1794 https://access.redhat.com/errata/RHSA-2020:1794
Comment 24 Product Security DevOps Team 2020-04-28 16:32:35 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-3843