Bug 1653867 (CVE-2018-16866) - CVE-2018-16866 systemd: out-of-bounds read when parsing a crafted syslog message
Summary: CVE-2018-16866 systemd: out-of-bounds read when parsing a crafted syslog message
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2018-16866
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1657794 1664975 1664978 1756868 1756869 1756870
Blocks: 1653451
TreeView+ depends on / blocked
 
Reported: 2018-11-27 19:14 UTC by Laura Pardo
Modified: 2019-10-29 14:02 UTC (History)
38 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
An out of bounds read was discovered in systemd-journald in the way it parses log messages that terminate with a colon ':'. A local attacker can use this flaw to disclose process memory data.
Clone Of:
Environment:
Last Closed: 2019-08-06 19:20:16 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:2091 None None None 2019-08-06 12:13:43 UTC
Red Hat Product Errata RHSA-2019:3222 None None None 2019-10-29 14:02:23 UTC

Description Laura Pardo 2018-11-27 19:14:56 UTC
A flaw was found in systemd-journald. An out-of-bounds read when parsing a crafted syslog message that could lead to information disclosure.

Comment 1 Doran Moppert 2018-11-28 02:29:27 UTC
This vulnerability was introduced in systemd v221.

Comment 2 Laura Pardo 2018-11-28 13:21:46 UTC
Acknowledgments:

Name: Qualys Research Labs

Comment 3 Riccardo Schirone 2018-12-05 09:05:42 UTC
Function syslog_parse_identifier() in journald-syslog.c file does not properly parse the log string in case it ends with a ":", returning a pointer beyond the original string's limits. A local attacker may use this flaw to get disclose systemd-journal process memory and get an information leak.

Comment 5 Riccardo Schirone 2018-12-05 09:16:39 UTC
RHEL 7.6 ships systemd v219, but commit ec5ff4445cca6a1d786b8da36cf6fe0acc0b94c8 was backported, thus making it vulnerable to this flaw as well.

Comment 10 Zbigniew Jędrzejewski-Szmek 2018-12-10 13:48:56 UTC
This seems to be the same as https://github.com/systemd/systemd/issues/9829, fixed by https://github.com/systemd/systemd/commit/a6aadf4ae0. The provided reproducer does not work with git master.

Comment 13 Doran Moppert 2019-01-02 02:45:00 UTC
Statement:

This issue affects the versions of systemd as shipped with Red Hat Enterprise Linux 7. Red Hat Product Security has rated this issue as having a security impact of Moderate. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

Red Hat Virtualization Hypervisor and Management Appliance include vulnerable versions of systemd. However, since exploitation requires local access and impact is restricted to information disclosure, this flaw is rated as having a security issue of Low. Future updates may address this issue.

Comment 14 Riccardo Schirone 2019-01-10 07:58:57 UTC
Created systemd tracking bugs for this issue:

Affects: fedora-all [bug 1664975]

Comment 15 Riccardo Schirone 2019-01-10 07:59:31 UTC
External References:

https://www.qualys.com/2019/01/09/system-down/system-down.txt

Comment 19 sabyrzhan 2019-03-05 18:14:10 UTC
Please update the ETA of RHEL7 systemd errata for this CVE.

Comment 20 sabyrzhan 2019-03-11 16:29:57 UTC
Please update the ETA for RHEL7 systemd errata release.

Comment 21 Laura Pardo 2019-03-11 19:38:02 UTC
In reply to comment #20:
> Please update the ETA for RHEL7 systemd errata release.

I'm transferring this needinfo to the analyst in charge of this.

Comment 22 Riccardo Schirone 2019-03-14 09:08:59 UTC
We do not release updates on ETA for errata.

Comment 23 errata-xmlrpc 2019-08-06 12:13:41 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:2091 https://access.redhat.com/errata/RHSA-2019:2091

Comment 24 Product Security DevOps Team 2019-08-06 19:20:16 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2018-16866

Comment 27 errata-xmlrpc 2019-10-29 14:02:20 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Extended Update Support

Via RHSA-2019:3222 https://access.redhat.com/errata/RHSA-2019:3222


Note You need to log in before you can comment on or make changes to this bug.