Bug 1639071 (CVE-2018-15686) - CVE-2018-15686 systemd: line splitting via fgets() allows for state injection during daemon-reexec
Summary: CVE-2018-15686 systemd: line splitting via fgets() allows for state injection...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2018-15686
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20181026,repor...
Depends On: 1641566 1643372 1643373
Blocks: 1639072
TreeView+ depends on / blocked
 
Reported: 2018-10-15 02:12 UTC by Sam Fowler
Modified: 2019-08-06 19:19 UTC (History)
17 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
It was discovered that systemd is vulnerable to a state injection attack when deserializing the state of a service. Properties longer than LINE_MAX are not correctly parsed and an attacker may abuse this flaw in particularly configured services to inject, change, or corrupt the service state.
Clone Of:
Environment:
Last Closed: 2019-08-06 19:19:53 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:2091 None None None 2019-08-06 12:13:38 UTC
Launchpad 1796402 None None None Never

Description Sam Fowler 2018-10-15 02:12:59 UTC
systemd is vulnerable to line splitting via long lines read by fgets() in the unit_deserialize() function during daemon-reexec (e.g. during a package upgrade) allowing for state injection. Systemd services with `NotifyAccess != none` and malicious executables can exploit this vulnerability resulting corrupted process state.

Comment 1 Riccardo Schirone 2018-10-22 08:19:35 UTC
When systemd re-executes, the state is serialized and then deserialized after the re-execution. Function unit_deserialize() in file unit.c does not properly handle lines longer than LINE_MAX and the content of a property longer than that is parsed as part of the serialized state, allowing an attacker to corrupt the state of the service (e.g. change the main-pid, control-pid, etc.)

Comment 2 Riccardo Schirone 2018-10-22 08:22:53 UTC
Systemd services with `NotifyAccess != none` can send a status message to systemd, which stores it in the `status-text` property and, in turn, it may trigger the vulnerability. However, this may not be the only way to exploit this flaw. Any other way to set a serialized property to a value longer than LINE_MAX may trigger the flaw as well.

Comment 5 Riccardo Schirone 2018-10-26 06:28:16 UTC
Patch currently under review at:
https://github.com/systemd/systemd/pull/10519

Comment 6 Riccardo Schirone 2018-10-26 06:31:30 UTC
Created systemd tracking bugs for this issue:

Affects: fedora-all [bug 1643372]

Comment 8 Riccardo Schirone 2018-10-29 07:03:23 UTC
Acknowledgments:

Name: Ubuntu, Jann Horn (Google Project Zero)

Comment 9 Riccardo Schirone 2018-10-31 07:51:13 UTC
Upstream patch:
https://github.com/systemd/systemd/commit/9f1c81d80a435d15ca1bd536a6d043c18c81c047

Comment 10 nupur priya 2019-02-26 04:24:25 UTC
By when shall we expect the official release??

Comment 11 errata-xmlrpc 2019-08-06 12:13:36 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:2091 https://access.redhat.com/errata/RHSA-2019:2091

Comment 12 Product Security DevOps Team 2019-08-06 19:19:53 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2018-15686


Note You need to log in before you can comment on or make changes to this bug.