Bug 1653855 (CVE-2018-16864) - CVE-2018-16864 systemd: stack overflow when calling syslog from a command with long cmdline
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2018-16864
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1657788 1657789 1659838 1662792 1662793 1664972 1664976 1666015 1666016 1724850
Blocks: 1653451
 
Reported: 2018-11-27 18:46 UTC by Laura Pardo
Modified: 2022-03-13 16:14 UTC (History)
CC List: 35 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
An allocation of memory without limits, that could result in the stack clashing with another memory region, was discovered in systemd-journald when a program with long command line arguments calls syslog. A local attacker may use this flaw to crash systemd-journald or escalate privileges.
Clone Of:
Environment:
Last Closed: 2019-06-10 10:43:16 UTC
Embargoed:




Links

Red Hat Product Errata RHSA-2019:0049, last updated 2019-01-14 12:29:45 UTC
Red Hat Product Errata RHSA-2019:0204, last updated 2019-01-29 16:07:28 UTC
Red Hat Product Errata RHSA-2019:0271, last updated 2019-02-04 22:45:12 UTC
Red Hat Product Errata RHSA-2019:0342, last updated 2019-02-13 15:33:51 UTC
Red Hat Product Errata RHSA-2019:0361, last updated 2019-02-18 15:25:00 UTC
Red Hat Product Errata RHSA-2019:2402, last updated 2019-08-07 11:36:05 UTC

Description Laura Pardo 2018-11-27 18:46:17 UTC
A flaw was found in systemd-journald. A stack buffer overflow when passing several MB of arguments to a program calling syslog function. This can lead to a denial of service attack or arbitrary code execution in some cases.

Comment 1 Doran Moppert 2018-11-28 02:23:55 UTC
This boils down to a large alloca(), making it possible to jump the stack pointer into the heap and corrupt the heap region (a "Stack Clash" attack).  Since the alloca()ed region is completely written, this will eventually lead to a crash.

The reporters describe achieving code execution by combining the attack with a thread race inside journald; with careful timing they are able to attack the stack of a neighbouring thread, which will return to the attacker's pointer before the crash occurs.

Comment 2 Doran Moppert 2018-11-28 02:25:23 UTC
Some restriction is placed on this attack by get_process_cmdline() substituting ' ' for all non-printable characters; this makes code execution more difficult to achieve.

Comment 3 Doran Moppert 2018-11-28 02:30:39 UTC
This vulnerability was introduced in systemd v203.

Comment 4 Laura Pardo 2018-11-28 13:20:51 UTC
Acknowledgments:

Name: Qualys Research Labs

Comment 6 Riccardo Schirone 2018-11-29 14:00:30 UTC
Function dispatch_message_real() in journal/journald-server.c constructs a record to write to the journal by converting each field to a string with the format "<field-name>=<field-value>". Such strings are constructed by using the strjoina() function defined in basic/string-util.h, which allocates the resulting string on the stack with alloca(). If an attacker is able to make the stack clash with another memory region by providing a large attacker-controlled string, it is possible to overwrite the other region's data, causing crashes or possibly gaining code execution.

In this particular case, a process may have a big cmdline (as read from /proc/<pid>/cmdline) that could clash the stack and crash systemd-journald or gain code execution from within systemd-journald's context.
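Comments 1 and 6 describe the pattern: a "<field-name>=<field-value>" record assembled by the alloca()-backed strjoina(), whose size follows the cmdline read from /proc/<pid>/cmdline. The following added example is not systemd's code; it reproduces that unbounded pattern next to a bounded variant that keeps oversized records off the stack. The names field_len_unbounded, join_field_bounded and STACK_JOIN_LIMIT are chosen for this illustration.

```c
#include <alloca.h>
#include <stdlib.h>
#include <string.h>

/* Largest temporary string we allow on the stack. The value is illustrative,
 * chosen for this example rather than taken from systemd. */
#define STACK_JOIN_LIMIT 4096

/* Unbounded pattern, as in strjoina(): the "<name>=<value>" temporary lives on
 * the stack and its size follows the caller-supplied value, so a multi-MB
 * value moves the stack pointer far past the guard page (stack clash). The
 * buffer is only valid inside this frame, so we just return its length. */
static size_t field_len_unbounded(const char *name, const char *value)
{
    size_t nl = strlen(name), vl = strlen(value);
    char *buf = alloca(nl + 1 + vl + 1);     /* no upper bound on vl */
    memcpy(buf, name, nl);
    buf[nl] = '=';
    memcpy(buf + nl + 1, value, vl + 1);
    return strlen(buf);
}

/* Bounded variant: alloca() only when the whole record fits STACK_JOIN_LIMIT,
 * otherwise build it on the heap. *on_heap reports which path ran. The result
 * is always a heap string the caller frees; NULL on allocation failure. */
char *join_field_bounded(const char *name, const char *value, int *on_heap)
{
    size_t nl = strlen(name), vl = strlen(value), need = nl + 1 + vl + 1;
    char *tmp;
    if (need <= STACK_JOIN_LIMIT) {
        tmp = alloca(need);                  /* at most STACK_JOIN_LIMIT bytes */
        *on_heap = 0;
    } else {
        tmp = malloc(need);                  /* attacker-sized data stays off the stack */
        if (!tmp)
            return NULL;
        *on_heap = 1;
    }
    memcpy(tmp, name, nl);
    tmp[nl] = '=';
    memcpy(tmp + nl + 1, value, vl + 1);
    if (*on_heap)
        return tmp;
    char *out = malloc(need);                /* copy the stack temporary out */
    if (out)
        memcpy(out, tmp, need);
    return out;
}
```

The bound is what -fstack-clash-protection cannot give you by itself: it makes the stack move in probed steps, while the check above stops untrusted data from sizing the stack allocation at all.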

Comment 9 Riccardo Schirone 2018-12-03 12:24:54 UTC
If systemd is compiled with -fstack-clash-protection flag, like in Fedora 28/29, the flaw is not exploitable because stack clashing is prevented.

Comment 11 Riccardo Schirone 2018-12-03 13:35:27 UTC
Small fix to comment 0 (stack buffer overflow vs stack overflow)

> A flaw was found in systemd-journald. A stack buffer overflow when passing several MB of arguments to a program calling syslog function.

A stack overflow flaw was found in systemd-journald when passing several MB of arguments to a program calling the syslog() function.

Comment 15 Riccardo Schirone 2018-12-11 14:02:25 UTC
Statement:

This issue affects the versions of systemd as shipped with Red Hat Enterprise Linux 7. Red Hat Product Security has rated this issue as having a security impact of Important because it allows a local attacker to crash systemd-journald or escalate his privileges. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

Comment 20 Riccardo Schirone 2019-01-10 07:56:08 UTC
Created systemd tracking bugs for this issue:

Affects: fedora-all [bug 1664972]

Comment 21 Riccardo Schirone 2019-01-10 07:59:18 UTC
External References:

https://www.qualys.com/2019/01/09/system-down/system-down.txt

Comment 24 errata-xmlrpc 2019-01-14 12:29:42 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:0049 https://access.redhat.com/errata/RHSA-2019:0049

Comment 26 errata-xmlrpc 2019-01-29 16:07:26 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.5 Extended Update Support

Via RHSA-2019:0204 https://access.redhat.com/errata/RHSA-2019:0204

Comment 27 Riccardo Schirone 2019-02-04 08:46:39 UTC
Mitigation:

To increase the time an attacker needs to exploit this flaw you could override the `StartLimitInterval=` (called StartLimitIntervalSec in newer systemd versions) and `StartLimitBurst=` settings. In this way the attack may require much longer to be successful.

To edit the journald service use `sudo systemctl edit systemd-journald.service` and add:
```
[Service]
StartLimitInterval=120
StartLimitBurst=3
```

Comment 28 errata-xmlrpc 2019-02-04 22:45:10 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.4 Extended Update Support

Via RHSA-2019:0271 https://access.redhat.com/errata/RHSA-2019:0271

Comment 29 errata-xmlrpc 2019-02-13 15:33:50 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 7

Via RHSA-2019:0342 https://access.redhat.com/errata/RHSA-2019:0342

Comment 30 errata-xmlrpc 2019-02-18 15:24:58 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 7

Via RHSA-2019:0361 https://access.redhat.com/errata/RHSA-2019:0361

Comment 32 errata-xmlrpc 2019-08-07 11:36:04 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.3 Advanced Update Support
  Red Hat Enterprise Linux 7.3 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.3 Telco Extended Update Support

Via RHSA-2019:2402 https://access.redhat.com/errata/RHSA-2019:2402

