Bug 1639067 (CVE-2018-15688) - CVE-2018-15688 systemd: Out-of-bounds heap write in systemd-networkd dhcpv6 option handling
Summary: CVE-2018-15688 systemd: Out-of-bounds heap write in systemd-networkd dhcpv6 o...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2018-15688
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1641580 1641581 1643362 1643363 1643984 1643985 1643986 1643987
Blocks: 1639068
TreeView+ depends on / blocked
 
Reported: 2018-10-15 01:41 UTC by Sam Fowler
Modified: 2019-09-29 15:00 UTC (History)
40 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
It was discovered that systemd-network does not correctly keep track of a buffer size when constructing DHCPv6 packets. This flaw may lead to an integer underflow that can be used to produce an heap-based buffer overflow. A malicious host on the same network segment as the victim's one may advertise itself as a DHCPv6 server and exploit this flaw to cause a Denial of Service or potentially gain code execution on the victim's machine.
Clone Of:
Environment:
Last Closed: 2019-07-12 13:06:02 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2018:3665 None None None 2018-11-27 01:20:29 UTC
Launchpad 1795921 None None None Never
Red Hat Product Errata RHSA-2019:0049 None None None 2019-01-14 12:29:44 UTC

Description Sam Fowler 2018-10-15 01:41:36 UTC
systemd-networkd is vulnerable to an out out-of-bounds heap write in the DHCPv6 client when handling options sent by network adjacent DHCP servers. A attacker could exploit this via malicious DHCP server to corrupt heap memory on client machines, resulting in a denial of service or potential code execution.

Comment 1 Riccardo Schirone 2018-10-19 07:25:50 UTC
The DHCPv6 client implemented in systemd-networkd does not correctly handle the size of the temporary buffer used to construct the packet that needs to be sent to the DHCPv6 server. In particular dhcp6-option.c:dhcp6_option_append_ia() causes an integer overflow that can be used to write beyond the limits of the temporary buffer.

Comment 2 Riccardo Schirone 2018-10-19 07:52:40 UTC
RHEL 7 does not ship systemd-networkd by default but it is available in the @rhel-7-server-optional-rpms repository. Moreover, for the flaw to be exploitable, DHCPv6 should be explicitly enabled on the interface. Router Advertisement packets will not automatically start the DHCPv6 client.

Comment 6 Riccardo Schirone 2018-10-26 06:15:50 UTC
Upstream patch:
https://github.com/systemd/systemd/commit/4dac5eaba4e419b29c97da38a8b1f82336c2c892

Comment 7 Riccardo Schirone 2018-10-26 06:19:06 UTC
Created systemd tracking bugs for this issue:

Affects: fedora-all [bug 1643362]

Comment 9 Riccardo Schirone 2018-10-26 07:35:44 UTC
Acknowledgments:

Name: Ubuntu Security Team
Upstream: Felix Wilhelm (Google)

Comment 12 Riccardo Schirone 2018-10-29 16:44:41 UTC
Created NetworkManager tracking bugs for this issue:

Affects: fedora-all [bug 1643987]

Comment 15 Riccardo Schirone 2018-10-29 16:58:27 UTC
NetworkManager includes some parts of the systemd-networkd code in its codebase. That can be found at src/systemd/src/libsystemd-networkd. The DHCP implementation provided by systemd-networkd is used when NetworkManager is configured to use the internal implementation, however the default is to use dhclient.

When NetworkManager is configured to use the internal dhcp and an interface is setup with ipv6.method=auto (which is the default value) or ipv6.method=dhcp, this flaw can be exploited. When using ipv6.method=auto, the DHCPv6 client can be automatically started with a Router Advertisement packet.

Comment 17 Zbigniew Jędrzejewski-Szmek 2018-11-01 15:46:26 UTC
Hmmm, I think the statement misses one case. IIUC, the code in question can be triggered automatically upon reception of a Router Advertisement message, see the discussion under https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1795921/comments/11.

Comment 18 Riccardo Schirone 2018-11-02 08:29:33 UTC
In case of the RHEL 7 systemd-networkd package the Router Advertisement packet does not automatically enable the DHCPv6 client, because it does not include commit https://github.com/systemd/systemd/commit/f5a8c43f39937d97c9ed75e3fe8621945b42b0db .

Comment 19 errata-xmlrpc 2018-11-27 01:20:08 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:3665 https://access.redhat.com/errata/RHSA-2018:3665

Comment 20 Doran Moppert 2018-11-27 23:22:27 UTC
Statement:

This issue affects the versions of systemd-networkd as shipped with Red Hat Enterprise Linux 7, however the package is available only through the unsupported Optional repository and it cannot be exploited unless the interface is explicitly configured to use DHCP.

This issue affects the versions of NetworkManager as shipped with Red Hat Enterprise Linux 7 because the package includes some parts of the systemd-networkd code, which present the same vulnerability. NetworkManager is vulnerable to this flaw only when configured to use the internal DHCP, which is not the default. However, when it is, the flaw may be triggered by a connection where either ipv6.method is set to dhcp or it is set to auto, which is the default value.

Comment 21 Robert Scheck 2019-01-14 00:51:48 UTC
Filed case #02290895 for systemd-networkd at the Red Hat customer portal.

Comment 22 errata-xmlrpc 2019-01-14 12:29:41 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:0049 https://access.redhat.com/errata/RHSA-2019:0049

Comment 23 Product Security DevOps Team 2019-07-12 13:06:02 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2018-15688


Note You need to log in before you can comment on or make changes to this bug.