Bug 1639071 (CVE-2018-15686) - CVE-2018-15686 systemd: line splitting via fgets() allows for state injection during daemon-reexec
Summary: CVE-2018-15686 systemd: line splitting via fgets() allows for state injection...
Alias: CVE-2018-15686
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1641566 1643372 1643373 1756862 1756863 1756864 1786125 1786126
Blocks: 1639072
TreeView+ depends on / blocked
Reported: 2018-10-15 02:12 UTC by Sam Fowler
Modified: 2023-09-07 19:27 UTC (History)
20 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
It was discovered that systemd is vulnerable to a state injection attack when deserializing the state of a service. Properties longer than LINE_MAX are not correctly parsed and an attacker may abuse this flaw in particularly configured services to inject, change, or corrupt the service state.
Clone Of:
Last Closed: 2019-08-06 19:19:53 UTC

Attachments (Terms of Use)
patch (5.62 MB, patch)
2020-04-24 02:57 UTC, ml516
no flags Details | Diff

System ID Private Priority Status Summary Last Updated
Launchpad 1796402 0 None None None Never
Red Hat Product Errata RHSA-2019:2091 0 None None None 2019-08-06 12:13:38 UTC
Red Hat Product Errata RHSA-2019:3222 0 None None None 2019-10-29 14:02:22 UTC
Red Hat Product Errata RHSA-2020:0593 0 None None None 2020-02-25 12:11:13 UTC
Red Hat Product Errata RHSA-2020:1264 0 None None None 2020-04-01 08:32:58 UTC

Description Sam Fowler 2018-10-15 02:12:59 UTC
systemd is vulnerable to line splitting via long lines read by fgets() in the unit_deserialize() function during daemon-reexec (e.g. during a package upgrade) allowing for state injection. Systemd services with `NotifyAccess != none` and malicious executables can exploit this vulnerability resulting corrupted process state.

Comment 1 Riccardo Schirone 2018-10-22 08:19:35 UTC
When systemd re-executes, the state is serialized and then deserialized after the re-execution. Function unit_deserialize() in file unit.c does not properly handle lines longer than LINE_MAX and the content of a property longer than that is parsed as part of the serialized state, allowing an attacker to corrupt the state of the service (e.g. change the main-pid, control-pid, etc.)

Comment 2 Riccardo Schirone 2018-10-22 08:22:53 UTC
Systemd services with `NotifyAccess != none` can send a status message to systemd, which stores it in the `status-text` property and, in turn, it may trigger the vulnerability. However, this may not be the only way to exploit this flaw. Any other way to set a serialized property to a value longer than LINE_MAX may trigger the flaw as well.

Comment 5 Riccardo Schirone 2018-10-26 06:28:16 UTC
Patch currently under review at:

Comment 6 Riccardo Schirone 2018-10-26 06:31:30 UTC
Created systemd tracking bugs for this issue:

Affects: fedora-all [bug 1643372]

Comment 8 Riccardo Schirone 2018-10-29 07:03:23 UTC

Name: Ubuntu, Jann Horn (Google Project Zero)

Comment 9 Riccardo Schirone 2018-10-31 07:51:13 UTC
Upstream patch:

Comment 10 nupur priya 2019-02-26 04:24:25 UTC
By when shall we expect the official release??

Comment 11 errata-xmlrpc 2019-08-06 12:13:36 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:2091 https://access.redhat.com/errata/RHSA-2019:2091

Comment 12 Product Security DevOps Team 2019-08-06 19:19:53 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):


Comment 15 errata-xmlrpc 2019-10-29 14:02:20 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Extended Update Support

Via RHSA-2019:3222 https://access.redhat.com/errata/RHSA-2019:3222

Comment 17 errata-xmlrpc 2020-02-25 12:11:10 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.4 Advanced Update Support
  Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.4 Telco Extended Update Support

Via RHSA-2020:0593 https://access.redhat.com/errata/RHSA-2020:0593

Comment 18 errata-xmlrpc 2020-04-01 08:32:50 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.5 Extended Update Support

Via RHSA-2020:1264 https://access.redhat.com/errata/RHSA-2020:1264

Comment 19 ml516 2020-04-24 02:57:48 UTC
Created attachment 1681334 [details]

Note You need to log in before you can comment on or make changes to this bug.