Bug 1746057 (CVE-2019-15718) - CVE-2019-15718 systemd: systemd-resolved allows unprivileged users to configure DNS
Summary: CVE-2019-15718 systemd: systemd-resolved allows unprivileged users to configu...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-15718
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1746795 1746857 1748165 1748767
Blocks: 1744600
TreeView+ depends on / blocked
 
Reported: 2019-08-27 14:50 UTC by Riccardo Schirone
Modified: 2019-11-21 09:55 UTC (History)
24 users (show)

Fixed In Version: systemd 243
Doc Type: If docs needed, set a value
Doc Text:
An improper authorization flaw was discovered in systemd-resolved in the way it configures the exposed DBus interface org.freedesktop.resolve1. An unprivileged local attacker could call all DBus methods, even when marked as privileged operations. An attacker could abuse this flaw by changing the DNS, Search Domain, LLMNR, DNSSEC and other network link settings without any authorization, allowing control of the network names resolution process and cause the system to communicate with wrong or malicious servers.
Clone Of:
Environment:
Last Closed: 2019-11-06 00:53:19 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:3592 None None None 2019-11-05 21:16:38 UTC
Red Hat Product Errata RHSA-2019:3941 None None None 2019-11-21 09:55:34 UTC
Gitlab systemd-security/systemd/merge_requests/5/ None None None 2019-08-27 20:25:51 UTC

Description Riccardo Schirone 2019-08-27 14:50:25 UTC
systemd-resolved does not properly enforce any access control to its dbus methods, allowing any unprivileged user to access its API. An attacker may use this flaw to configure the DNS, the Default Route or other properties of a network link. Those operations should be performed only by an high-privileged user.

Comment 1 Riccardo Schirone 2019-08-28 16:19:07 UTC
The DBus interface exposed by systemd-resolved provides APIs to change the DNS servers, search domains, default route, DNSSEC and other properties of a link. However everybody can access those methods, thus allowing unprivileged users to force the usage of a rogue DNS server, disable DNSSEC or change the default route address. This could be used to hijack network traffic, abuse DNS resolution to redirect to malicious servers or have other effects on network connections.

Comment 2 Riccardo Schirone 2019-08-28 16:21:54 UTC
Function bus_open_system_watch_bind_with_description() defined in bus-util.c and used by systemd-resolved to connect to the system bus, calls the sd_bus_set_trusted(bus, true) method which marks all connections on the bus as trusted and access to all privileged and unprivileged methods is granted.

Comment 3 Riccardo Schirone 2019-08-28 16:23:38 UTC
On Red Hat Enterprise Linux 8 the DBus method org.freedesktop.resolve1.SetLinkDefaultRoute is not implemented, thus it is not possible for an attacker to abuse this flaw to change the default route of a link.

Comment 4 Riccardo Schirone 2019-08-28 21:11:06 UTC
Mitigation:

Disable systemd-resolved service by using `sudo systemctl disable systemd-resolved`.

Comment 7 Riccardo Schirone 2019-08-29 12:57:23 UTC
On Red Hat Enterprise Linux 8 systemd-resolved service is disabled by default so it is not possible to change any network link settings as an unprivileged user.

Comment 13 Sam Fowler 2019-09-03 03:48:25 UTC
Statement:

This issue does not affect the versions of systemd as shipped with Red Hat Enterprise Linux 7 as the shipped systemd-resolved does not provide any privileged DBus method.
This issue does affect the versions of systemd as shipped with Red Hat Enterprise Linux 8, however the systemd-resolved service is not enabled by default, so the flaw cannot be exploited unless the service was manually enabled.

The flaw was rated as Moderate as it requires a local attacker and changing the DNS servers cannot compromise the system by itself, though it could be used for phishing attacks or to redirect the users to malicious websites. Moreover, on Red Hat Enterprise Linux 8 systemd-resolved needs to be manually enabled by an administrator to make the system vulnerable.

OpenShift Container Platform 4 includes a vulnerable version of systemd on RHEL CoreOS nodes. However, the systemd-resolved service is removed from RHEL CoreOS instances, making this vulnerability not exploitable. This flaw is rated Low for OpenShift Container Platform 4.

Comment 15 Riccardo Schirone 2019-09-04 07:13:14 UTC
The complete upstream fix is at:
https://github.com/systemd/systemd/pull/13457

However the following commit is enough to address the vulnerability:
https://github.com/systemd/systemd/pull/13457/commits/35e528018f315798d3bffcb592b32a0d8f5162bd

Comment 16 Riccardo Schirone 2019-09-04 07:15:23 UTC
Created systemd tracking bugs for this issue:

Affects: fedora-all [bug 1748767]

Comment 17 Riccardo Schirone 2019-09-04 12:44:58 UTC
oss-security thread:
https://www.openwall.com/lists/oss-security/2019/09/03/1

Comment 18 errata-xmlrpc 2019-11-05 21:16:37 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:3592 https://access.redhat.com/errata/RHSA-2019:3592

Comment 19 Product Security DevOps Team 2019-11-06 00:53:19 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-15718

Comment 20 errata-xmlrpc 2019-11-21 09:55:30 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.1

Via RHSA-2019:3941 https://access.redhat.com/errata/RHSA-2019:3941


Note You need to log in before you can comment on or make changes to this bug.