Bug 1794578 (CVE-2020-1712)

Summary: CVE-2020-1712 systemd: use-after-free when asynchronous polkit queries are performed
Product: [Other] Security Response
Reporter: Riccardo Schirone <rschiron>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
CC: bmontgom, dfreiber, eparis, jburrell, jokerman, jsynacek, lnykryn, lpoetter, msekleta, nstielau, rogbas, security-response-team, sponnaga, ssahani, s, systemd-maint-list, systemd-maint, vkumar, zbyszek, zjedrzej
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: systemd 245
Doc Type: If docs needed, set a value
Doc Text:
A heap use-after-free vulnerability was found in systemd, where asynchronous Polkit queries are performed while handling dbus messages. A local unprivileged attacker can abuse this flaw to crash systemd services or potentially execute code and elevate their privileges, by sending specially crafted dbus messages.
Story Points: ---
Last Closed: 2020-02-21 03:49:47 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1794787, 1794788, 1794789, 1797499, 1798414
Bug Blocks: 1775281

Description Riccardo Schirone 2020-01-23 20:55:51 UTC
systemd contains a heap use-after-free vulnerability due to the way asynchronous polkit queries are performed. The userdata that needs to be passed to the polkit callback is cached in the AsyncPolkitQuery structure, however when the callback is actually called, the object the userdata is pointing to may already have been released and re-used for other purposes. Local unprivileged attackers may abuse this flaw to crash systemd services or potentially execute code and elevate their privileges.

Comment 5 Riccardo Schirone 2020-01-27 12:08:55 UTC
This bug happens due to the way bus_verify_polkit_async() works. Some DBus interfaces use a cache to store objects for a short period and they clear it as soon as the bus is again in the idle state. However, if a DBus method uses an async function like bus_verify_polkit_async(), the method may have to wait a while until the polkit action is resolved, and when that happens the DBus method is called again, with the userdata previously allocated. If the polkit request takes a bit too long, the clearing of the cache would free the stored objects before the method is called the second time, causing the use-after-free vulnerability.

Comment 8 Riccardo Schirone 2020-01-27 16:21:58 UTC
At least the systemd-machined service exposes a DBus API that is vulnerable to this flaw, because of the way Images are temporarily stored in a cache and because some DBus methods like org.freedesktop.machine1.Image.Clone perform asynchronous polkit queries which may trigger the use-after-free. The attack can be done by any unprivileged user as the interface org.freedesktop.machine1.Image is accessible by everybody.

Comment 9 Riccardo Schirone 2020-01-27 16:33:45 UTC
Usage of polkit to open up machined's commands to unprivileged users was done in upstream commit https://github.com/systemd/systemd/commit/70244d1d25eb80b57e160ea004d0e6bf793d4caf . This commit was first included in systemd v220.

Comment 10 Riccardo Schirone 2020-01-27 17:00:05 UTC
Vulnerable DBus methods have:
1) a "find" function for the associated object (e.g. image_object_find) that configures a temporary cache and sets up a "defer_event" which frees the elements in the cache
2) a call to bus_verify_polkit_async() in the handler of the method (e.g. bus_image_method_clone)
3) SD_BUS_VTABLE_UNPRIVILEGED as one of the specified flags
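The cache-versus-callback race described in comments 5 and 10, as an added example that is neither systemd's code nor part of the original report: a constructed C model in which image_object_find() arms a deferred cache flush, the bus_verify_polkit_async() round trip gives that flush time to run and lets another request recycle the slot, and the userdata pointer cached in the query then refers to a different object. Function and field names mirror the report; the structs, the fixed-arena cache standing in for the heap (so the program has defined behaviour instead of a real use-after-free), and the key-based re-resolution in the hardened variant are assumptions for illustration, not the upstream fix as shipped in systemd 245.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed model, not systemd code. The cache is a fixed arena whose slots are
 * recycled on flush, so a stale pointer reads a different live object instead of
 * undefined memory; the control flow is otherwise the one the bug report describes. */

#define CACHE_SLOTS 2

typedef struct Image {
        bool in_use;
        char name[32];
} Image;

typedef struct AsyncPolkitQuery {
        Image *userdata;   /* vulnerable shape: raw pointer cached across the polkit round trip */
} AsyncPolkitQuery;

static Image cache[CACHE_SLOTS];    /* short-lived object cache, cleared when the bus goes idle */
static bool defer_event_pending;    /* armed by the find function, fires on idle */

/* Pure lookup: the cached object for `name`, or NULL if it is not (or no longer) cached. */
static Image *image_cache_lookup(const char *name) {
        for (int i = 0; i < CACHE_SLOTS; i++)
                if (cache[i].in_use && strcmp(cache[i].name, name) == 0)
                        return &cache[i];
        return NULL;
}

/* The "find" function from comment 10: resolve the object, taking a cache slot if
 * needed, and arm the defer_event that will free the cache. */
static Image *image_object_find(const char *name) {
        Image *img = image_cache_lookup(name);
        if (img)
                return img;
        for (int i = 0; i < CACHE_SLOTS; i++) {
                if (cache[i].in_use)
                        continue;
                cache[i].in_use = true;
                snprintf(cache[i].name, sizeof cache[i].name, "%s", name);
                defer_event_pending = true;
                return &cache[i];
        }
        return NULL;
}

/* The defer_event: bus is idle, release every cached object (slots become reusable). */
static void image_cache_flush(void) {
        memset(cache, 0, sizeof cache);
        defer_event_pending = false;
}

/* The gap between bus_verify_polkit_async() and the polkit reply: long enough for the
 * bus to go idle (cache flushed) and for an unrelated request to recycle the slot. */
static void polkit_round_trip(const char *other_request) {
        if (defer_event_pending)
                image_cache_flush();
        image_object_find(other_request);
}

/* Vulnerable handler shape. `acted_on` receives the name of the object the handler
 * actually touched once the polkit reply re-entered it with the cached userdata. */
static int bus_image_method_clone_unsafe(const char *requested, const char *other_request,
                                         char *acted_on, size_t len) {
        Image *img = image_object_find(requested);
        if (!img)
                return -ENOMEM;
        AsyncPolkitQuery q = { .userdata = img };

        polkit_round_trip(other_request);

        snprintf(acted_on, len, "%s", q.userdata->name);   /* points at the recycled slot */
        return 0;
}

/* Hardened shape: cache only the lookup key and re-resolve when the reply arrives. */
static int bus_image_method_clone_safe(const char *requested, const char *other_request,
                                       char *acted_on, size_t len) {
        if (!image_object_find(requested))
                return -ENOMEM;
        char key[32];
        snprintf(key, sizeof key, "%s", requested);

        polkit_round_trip(other_request);

        Image *img = image_cache_lookup(key);
        if (!img)
                return -ENOENT;   /* object is gone: fail closed rather than touch stale memory */
        snprintf(acted_on, len, "%s", img->name);
        return 0;
}

int main(void) {
        char acted_on[32];
        image_cache_flush();
        bus_image_method_clone_unsafe("attacker-image", "victim-image", acted_on, sizeof acted_on);
        printf("unsafe handler acted on: %s\n", acted_on);   /* victim-image, not attacker-image */
        image_cache_flush();
        int r = bus_image_method_clone_safe("attacker-image", "victim-image", acted_on, sizeof acted_on);
        printf("safe handler returned %d\n", r);             /* -ENOENT */
        return 0;
}
```

Compile with `cc -Wall model.c && ./a.out`. The unsafe handler, re-entered after the reply, operates on whatever now occupies the slot its cached pointer refers to; in a real heap that is an attacker-influenced allocation rather than a neatly named Image. The hardened variant here fails closed with -ENOENT; re-running the find function so that a fresh object is allocated would be equally memory-safe. The property that matters is that nothing dereferences a pointer cached before the defer_event had a chance to run.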

Comment 11 Riccardo Schirone 2020-01-27 17:01:17 UTC
Acknowledgments:

Name: Tavis Ormandy (Google Project Zero)

Comment 15 Riccardo Schirone 2020-02-03 09:45:56 UTC
Statement:

This issue did not affect the versions of systemd as shipped with Red Hat Enterprise Linux 7 as there is no service that performs asynchronous polkit requests in a vulnerable way.

The version of systemd delivered in OpenShift Container Platform 4.1 and included in CoreOS images has been superseded by the version delivered in Red Hat Enterprise Linux 8. CoreOS updates for systemd will be consumed from Red Hat Enterprise Linux 8 channels.

Comment 16 Riccardo Schirone 2020-02-03 09:50:55 UTC
Red Hat Enterprise Linux 7 ships systemd v219, which does not have any service that uses bus_verify_polkit_async() while holding a temporary cache that is freed during a "defer_event". However, function bus_verify_polkit_async() does contain the vulnerable code even though the flaw is not reachable.

Comment 19 Riccardo Schirone 2020-02-05 10:01:26 UTC
Created systemd tracking bugs for this issue:

Affects: fedora-all [bug 1798414]

Comment 21 errata-xmlrpc 2020-02-20 22:07:14 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions

Via RHSA-2020:0564 https://access.redhat.com/errata/RHSA-2020:0564

Comment 22 Product Security DevOps Team 2020-02-21 03:49:47 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-1712

Comment 23 errata-xmlrpc 2020-02-24 12:22:47 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:0575 https://access.redhat.com/errata/RHSA-2020:0575