Bug 1639076 (CVE-2018-15687) - CVE-2018-15687 systemd: Dereference of symlinks in chown_recursive.c:chown_one() allows for modification of file privileges
Summary: CVE-2018-15687 systemd: Dereference of symlinks in chown_recursive.c:chown_on...
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2018-15687
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1643367 1643368
Blocks: 1639078
Reported: 2018-10-15 02:35 UTC by Sam Fowler
Modified: 2021-02-16 22:57 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-07-12 13:06:04 UTC
Embargoed:

Links
System ID Private Priority Status Summary Last Updated
Launchpad 1796692 0 None None None Never

Description Sam Fowler 2018-10-15 02:35:14 UTC
systemd is vulnerable to improper dereference of symlinks in the core/chown_recursive.c:chown_one() function. An attacker with local access can exploit this via services with certain configurations to modify the file permissions of arbitrary files.

Comment 1 Riccardo Schirone 2018-10-22 07:18:52 UTC
When using systemd's features CacheDirectory, LogsDirectory or StateDirectory together with the DynamicUser feature, systemd needs to recursively change ownership of those directories. While doing this, when the file is not a link the file mode is re-set to be sure the kernel doesn't change it (which could happen with SUID/SGID files), but an attacker may be able to bypass the link check and change the mode of any file in the filesystem.
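The point in Comment 1 is that the "is it a link?" check and the later chmod must act on the same inode, or the check can be bypassed. The following is an added illustration written for this page, not systemd's code: it pins the entry with O_PATH|O_NOFOLLOW, fstat()s that descriptor, chowns it via AT_EMPTY_PATH and chmods it through /proc/self/fd, so a symlink is never chmoded and its target is never touched. The helper names `chown_one_nofollow` and `demo` and the scratch files are constructed for the example; the self-check runs unprivileged by passing uid/gid of -1 (no ownership change).

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Adjust owner and mode of one directory entry without following symlinks.
 * O_PATH|O_NOFOLLOW pins the entry, so the inode we fstat() is the inode we
 * chown/chmod; symlinks get the new owner (lchown semantics) but no chmod. */
int chown_one_nofollow(int dirfd, const char *name, uid_t uid, gid_t gid, mode_t mode) {
    int fd = openat(dirfd, name, O_PATH | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -errno;
    struct stat st; int r = 0;
    if (fstat(fd, &st) < 0) {
        r = -errno;
    } else if (fchownat(fd, "", uid, gid, AT_EMPTY_PATH) < 0) {
        r = -errno;
    } else if (!S_ISLNK(st.st_mode)) {
        /* fchmod() refuses O_PATH fds; the /proc magic link reaches the same inode */
        char proc[64];
        snprintf(proc, sizeof proc, "/proc/self/fd/%d", fd);
        if (chmod(proc, mode & 07777) < 0) r = -errno;
    }
    close(fd);
    return r;  /* 0 on success, -errno otherwise */
}

/* Self-check on constructed input: "plain" must end up 0644, while "victim",
 * reachable only through the symlink "link", must stay 0600. Returns 1 if so. */
int demo(void) {
    char tmpl[] = "/tmp/chown_one_XXXXXX";
    if (!mkdtemp(tmpl)) return 0;
    int dir = open(tmpl, O_DIRECTORY | O_CLOEXEC);
    if (dir < 0) return 0;
    close(openat(dir, "plain", O_CREAT | O_WRONLY, 0600));
    close(openat(dir, "victim", O_CREAT | O_WRONLY, 0600));
    symlinkat("victim", dir, "link");
    int ok = chown_one_nofollow(dir, "plain", (uid_t)-1, (gid_t)-1, 0644) == 0 &&
             chown_one_nofollow(dir, "link", (uid_t)-1, (gid_t)-1, 0644) == 0;
    struct stat plain, victim;
    ok = ok && fstatat(dir, "plain", &plain, 0) == 0 && fstatat(dir, "victim", &victim, 0) == 0;
    ok = ok && (plain.st_mode & 07777) == 0644 && (victim.st_mode & 07777) == 0600;
    unlinkat(dir, "plain", 0); unlinkat(dir, "link", 0); unlinkat(dir, "victim", 0);
    close(dir);
    rmdir(tmpl);
    return ok;
}
```

Compare with a sequence of lstat() followed by chmod(path): between the two calls the path can be swapped for a symlink, which is the class of bypass this bug describes.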

Comment 2 Riccardo Schirone 2018-10-22 07:43:57 UTC
Statement:

This issue did not affect the versions of systemd as shipped with Red Hat Enterprise Linux 7 as the vulnerable code was introduced in a newer version of the package.

Comment 3 Riccardo Schirone 2018-10-26 06:22:43 UTC
Patch currently under review at:
https://github.com/systemd/systemd/pull/10517

Comment 4 Riccardo Schirone 2018-10-26 06:24:23 UTC
Created systemd tracking bugs for this issue:

Affects: fedora-all [bug 1643367]

Comment 6 Riccardo Schirone 2018-10-29 07:02:35 UTC
Acknowledgments:

Name: Ubuntu, Jann Horn (Google Project Zero)

Comment 7 Riccardo Schirone 2018-10-31 07:54:06 UTC
Upstream patch:
https://github.com/systemd/systemd/commit/dc81f52c4d07de0c24f16edf889120780d9ae734

Comment 8 Product Security DevOps Team 2019-07-12 13:06:04 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2018-15687
