Bug 1684610 (CVE-2019-3844)

Summary: CVE-2019-3844 systemd: services with DynamicUser can get new privileges and create SGID binaries
Product: [Other] Security Response Reporter: Riccardo Schirone <rschiron>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: abhgupta, dbaker, jokerman, lnykryn, lpoetter, mathangi.shankar, msekleta, security-response-team, s, sthangav, systemd-maint-list, systemd-maint, trankin, zbyszek, zjedrzej
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: systemd 242 Doc Type: If docs needed, set a value
Doc Text:
It was discovered that a systemd service that uses DynamicUser property can get new privileges through the execution of SUID binaries, which would allow a cooperating process to create binaries owned by the service transient group with the setgid bit set. A local attacker may use this flaw to access resources that will be owned by a potentially different service in the future when the GID will be recycled.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2020-04-28 16:32:38 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1687512, 1687513, 1703357    
Bug Blocks: 1672544    

Description Riccardo Schirone 2019-03-01 16:08:31 UTC 
It was discovered that a systemd service that uses DynamicUser property can get new privileges through the execution of SUID binaries, which would allow to create binaries owned by the service transient group with the setgid bit set. A local attacker may use this flaw to access resources that will be owned by a potentially different service in the future, when the GID will be recycled.
Comment 2 Riccardo Schirone 2019-03-05 13:33:22 UTC 
Statement:

This issue did not affect the versions of systemd as shipped with Red Hat Enterprise Linux 7 as they did not include support for DynamicUser property.
Comment 16 Riccardo Schirone 2019-04-04 07:52:56 UTC 
Upstream patch:
https://github.com/systemd/systemd/commit/bf65b7e0c9fc215897b676ab9a7c9d1c688143ba
Comment 18 Riccardo Schirone 2019-04-26 08:26:32 UTC 
References:
https://bugs.chromium.org/p/project-zero/issues/detail?id=1771
https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1814596
Comment 19 Riccardo Schirone 2019-04-26 08:41:29 UTC 
Created systemd tracking bugs for this issue:

Affects: fedora-all [bug 1703357]
Comment 20 Riccardo Schirone 2019-04-26 13:39:15 UTC 
Acknowledgments:

Name: Jann Horn (Google Project Zero)
Comment 23 mathangi.shankar 2020-03-02 09:35:56 UTC 
Hello,

  I am encountering this bug, on SAS Viya server installed on Red Hat Linux 7.6. Can you please suggest what is the fix for this issue?

Thanks in advance,
Mathangi
Comment 24 errata-xmlrpc 2020-04-28 15:53:31 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:1794 https://access.redhat.com/errata/RHSA-2020:1794
Comment 25 Product Security DevOps Team 2020-04-28 16:32:38 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-3844