Bug 1746057 (CVE-2019-15718)

Summary: CVE-2019-15718 systemd: systemd-resolved allows unprivileged users to configure DNS
Product: [Other] Security Response
Reporter: Riccardo Schirone <rschiron>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: ahardin, bdettelb, bleanhar, bmontgom, ccoleman, dedgar, eparis, jburrell, jgoulding, jokerman, jschorr, lnykryn, lpoetter, mchappel, msekleta, nstielau, security-response-team, sponnaga, ssahani, s, systemd-maint-list, systemd-maint, zbyszek, zjedrzej
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: systemd 243
Doc Text:
An improper authorization flaw was discovered in systemd-resolved in the way it configures the exposed DBus interface org.freedesktop.resolve1. An unprivileged local attacker could call all DBus methods, even when marked as privileged operations. An attacker could abuse this flaw by changing the DNS, Search Domain, LLMNR, DNSSEC and other network link settings without any authorization, allowing control of the network name resolution process and causing the system to communicate with wrong or malicious servers.
Last Closed: 2019-11-06 00:53:19 UTC
Bug Depends On: 1746795, 1746857, 1748165, 1748767    
Bug Blocks: 1744600    

Description Riccardo Schirone 2019-08-27 14:50:25 UTC
systemd-resolved does not properly enforce any access control to its dbus methods, allowing any unprivileged user to access its API. An attacker may use this flaw to configure the DNS, the Default Route or other properties of a network link. Those operations should be performed only by a high-privileged user.

Comment 1 Riccardo Schirone 2019-08-28 16:19:07 UTC
The DBus interface exposed by systemd-resolved provides APIs to change the DNS servers, search domains, default route, DNSSEC and other properties of a link. However, everybody can access those methods, thus allowing unprivileged users to force the usage of a rogue DNS server, disable DNSSEC or change the default route address. This could be used to hijack network traffic, abuse DNS resolution to redirect to malicious servers or have other effects on network connections.

Comment 2 Riccardo Schirone 2019-08-28 16:21:54 UTC
The function bus_open_system_watch_bind_with_description(), defined in bus-util.c and used by systemd-resolved to connect to the system bus, calls the sd_bus_set_trusted(bus, true) method, which marks all connections on the bus as trusted, so access to all privileged and unprivileged methods is granted.
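
A simplified model of the access decision described in Comment 2, added here as an illustration; it is not systemd source and not part of the original bug report. The struct and function names are hypothetical, the per-method flags are constructed for the model, and the uid 0 test stands in for the real caller-privilege check.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of the access decision, NOT systemd source.
 * Type and function names are hypothetical; the per-method flags are
 * constructed for the model. */
struct model_bus { bool trusted; };   /* what sd_bus_set_trusted(bus, true) sets */
struct model_method { const char *name; bool unprivileged; };

static const struct model_method methods[] = {
    { "ResolveHostname",     true  },  /* read-only lookup, open to all callers */
    { "SetLinkDNS",          false },  /* changes link configuration */
    { "SetLinkDefaultRoute", false },
};
#define N_METHODS (sizeof methods / sizeof methods[0])

/* Returns true when the method call is let through. */
static bool model_check_access(const struct model_bus *bus,
                               const struct model_method *m,
                               unsigned caller_uid) {
    if (bus->trusted)         /* whole bus trusted: no per-caller check at all */
        return true;
    if (m->unprivileged)      /* method explicitly open to everyone */
        return true;
    return caller_uid == 0;   /* stand-in for the caller-privilege check */
}

/* Looks the method up by name and applies the decision; unknown names fail. */
static bool call_allowed(bool bus_trusted, const char *method, unsigned uid) {
    struct model_bus bus = { .trusted = bus_trusted };
    for (size_t i = 0; i < N_METHODS; i++)
        if (strcmp(methods[i].name, method) == 0)
            return model_check_access(&bus, &methods[i], uid);
    return false;
}

int main(void) {
    const unsigned uid = 1000;   /* constructed unprivileged caller */
    for (int trusted = 1; trusted >= 0; trusted--)
        for (size_t i = 0; i < N_METHODS; i++)
            printf("trusted=%d uid=%u %-20s -> %s\n", trusted, uid,
                   methods[i].name,
                   call_allowed(trusted != 0, methods[i].name, uid)
                       ? "allowed" : "denied");
    return 0;
}
```

With the trusted flag set, the privileged methods are allowed for uid 1000; with it cleared, only the method flagged unprivileged is.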

Comment 3 Riccardo Schirone 2019-08-28 16:23:38 UTC
On Red Hat Enterprise Linux 8 the DBus method org.freedesktop.resolve1.SetLinkDefaultRoute is not implemented, thus it is not possible for an attacker to abuse this flaw to change the default route of a link.

Comment 4 Riccardo Schirone 2019-08-28 21:11:06 UTC
Mitigation:

Disable the systemd-resolved service by using `sudo systemctl disable systemd-resolved`.

Comment 7 Riccardo Schirone 2019-08-29 12:57:23 UTC
On Red Hat Enterprise Linux 8 the systemd-resolved service is disabled by default, so it is not possible to change any network link settings as an unprivileged user.

Comment 13 Sam Fowler 2019-09-03 03:48:25 UTC
Statement:

This issue does not affect the versions of systemd as shipped with Red Hat Enterprise Linux 7 as the shipped systemd-resolved does not provide any privileged DBus method.
This issue does affect the versions of systemd as shipped with Red Hat Enterprise Linux 8; however, the systemd-resolved service is not enabled by default, so the flaw cannot be exploited unless the service was manually enabled.

The flaw was rated as Moderate as it requires a local attacker and changing the DNS servers cannot compromise the system by itself, though it could be used for phishing attacks or to redirect the users to malicious websites. Moreover, on Red Hat Enterprise Linux 8 systemd-resolved needs to be manually enabled by an administrator to make the system vulnerable.

OpenShift Container Platform 4 includes a vulnerable version of systemd on RHEL CoreOS nodes. However, the systemd-resolved service is removed from RHEL CoreOS instances, making this vulnerability not exploitable. This flaw is rated Low for OpenShift Container Platform 4.

Comment 15 Riccardo Schirone 2019-09-04 07:13:14 UTC
The complete upstream fix is at:
https://github.com/systemd/systemd/pull/13457

However the following commit is enough to address the vulnerability:
https://github.com/systemd/systemd/pull/13457/commits/35e528018f315798d3bffcb592b32a0d8f5162bd

Comment 16 Riccardo Schirone 2019-09-04 07:15:23 UTC
Created systemd tracking bugs for this issue:

Affects: fedora-all [bug 1748767]

Comment 17 Riccardo Schirone 2019-09-04 12:44:58 UTC
oss-security thread:
https://www.openwall.com/lists/oss-security/2019/09/03/1

Comment 18 errata-xmlrpc 2019-11-05 21:16:37 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:3592 https://access.redhat.com/errata/RHSA-2019:3592

Comment 19 Product Security DevOps Team 2019-11-06 00:53:19 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-15718

Comment 20 errata-xmlrpc 2019-11-21 09:55:30 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.1

Via RHSA-2019:3941 https://access.redhat.com/errata/RHSA-2019:3941