systemd-networkd is vulnerable to an out-of-bounds heap write in the DHCPv6 client when handling options sent by network-adjacent DHCP servers. An attacker could exploit this via a malicious DHCP server to corrupt heap memory on client machines, resulting in a denial of service or potential code execution.
The DHCPv6 client implemented in systemd-networkd does not correctly handle the size of the temporary buffer used to construct the packet that needs to be sent to the DHCPv6 server. In particular, dhcp6-option.c:dhcp6_option_append_ia() causes an integer overflow that can be used to write beyond the limits of the temporary buffer.
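The buffer-size flaw described above, as an added illustration that is not systemd's code: a constructed DHCPv6-style option appender whose buggy bookkeeping checks only the payload length before subtracting both header and payload (so the size_t remaining-length wraps), next to a corrected check that covers header plus payload before writing. The 4-byte header layout, the function names and the buffer sizes are assumptions for this example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed option layout: 2-byte code, 2-byte length, then payload. */
#define OPT_HDR_LEN 4

/* Flawed bookkeeping (constructed, not systemd's code): the space check
 * compares only the payload length against the remaining buffer, then
 * subtracts header AND payload. For len <= *buflen < len + OPT_HDR_LEN
 * the size_t arithmetic wraps to a huge value, so every later bounds
 * check against *buflen passes. No bytes are written here. */
int account_buggy(size_t *buflen, size_t len) {
    if (*buflen < len)
        return -ENOBUFS;
    *buflen -= OPT_HDR_LEN;   /* wraps when *buflen < OPT_HDR_LEN */
    *buflen -= len;
    return 0;
}

/* Corrected appender: the check covers header plus payload before
 * anything is written, so the remaining length can never wrap. */
int append_option(uint8_t **buf, size_t *buflen, uint16_t code,
                  const void *data, size_t len) {
    if (len > UINT16_MAX || *buflen < OPT_HDR_LEN + len)
        return -ENOBUFS;
    uint8_t *p = *buf;
    p[0] = (uint8_t)(code >> 8); p[1] = (uint8_t)code;
    p[2] = (uint8_t)(len >> 8);  p[3] = (uint8_t)len;
    memcpy(p + OPT_HDR_LEN, data, len);
    *buf += OPT_HDR_LEN + len;
    *buflen -= OPT_HDR_LEN + len;
    return 0;
}

/* Constructed harness: append a zeroed payload of `len` bytes into a fresh
 * buffer of `bufsize` bytes (both capped at 64) and report the result. */
int try_append(size_t bufsize, size_t len) {
    uint8_t buf[64] = {0}, payload[64] = {0};
    uint8_t *p = buf;
    size_t n = bufsize > sizeof buf ? sizeof buf : bufsize;
    size_t l = len > sizeof payload ? sizeof payload : len;
    return append_option(&p, &n, 3, payload, l);
}
```

With a 12-byte buffer and a 12-byte payload, account_buggy() accepts the append and leaves a wrapped remaining length, while append_option() rejects it with -ENOBUFS.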
RHEL 7 does not ship systemd-networkd by default but it is available in the @rhel-7-server-optional-rpms repository. Moreover, for the flaw to be exploitable, DHCPv6 should be explicitly enabled on the interface. Router Advertisement packets will not automatically start the DHCPv6 client.
Upstream patch: https://github.com/systemd/systemd/commit/4dac5eaba4e419b29c97da38a8b1f82336c2c892
Created systemd tracking bugs for this issue: Affects: fedora-all [bug 1643362]
Acknowledgments: Name: Ubuntu Security Team Upstream: Felix Wilhelm (Google)
Created NetworkManager tracking bugs for this issue: Affects: fedora-all [bug 1643987]
NetworkManager upstream patch: https://cgit.freedesktop.org/NetworkManager/NetworkManager/commit/?id=01ca2053bbea09f35b958c8cc7631e15469acb79
NetworkManager includes some parts of the systemd-networkd code in its codebase. That can be found at src/systemd/src/libsystemd-networkd. The DHCP implementation provided by systemd-networkd is used when NetworkManager is configured to use the internal implementation; however, the default is to use dhclient. When NetworkManager is configured to use the internal dhcp and an interface is set up with ipv6.method=auto (which is the default value) or ipv6.method=dhcp, this flaw can be exploited. When using ipv6.method=auto, the DHCPv6 client can be automatically started with a Router Advertisement packet.
Hmmm, I think the statement misses one case. IIUC, the code in question can be triggered automatically upon reception of a Router Advertisement message, see the discussion under https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1795921/comments/11.
In case of the RHEL 7 systemd-networkd package the Router Advertisement packet does not automatically enable the DHCPv6 client, because it does not include commit https://github.com/systemd/systemd/commit/f5a8c43f39937d97c9ed75e3fe8621945b42b0db.
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2018:3665 https://access.redhat.com/errata/RHSA-2018:3665
Statement: This issue affects the versions of systemd-networkd as shipped with Red Hat Enterprise Linux 7, however the package is available only through the unsupported Optional repository and it cannot be exploited unless the interface is explicitly configured to use DHCP. This issue affects the versions of NetworkManager as shipped with Red Hat Enterprise Linux 7 because the package includes some parts of the systemd-networkd code, which present the same vulnerability. NetworkManager is vulnerable to this flaw only when configured to use the internal DHCP, which is not the default. However, when it is, the flaw may be triggered by a connection where either ipv6.method is set to dhcp or it is set to auto, which is the default value.
Filed case #02290895 for systemd-networkd at the Red Hat customer portal.
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2019:0049 https://access.redhat.com/errata/RHSA-2019:0049
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2018-15688