Bug 1653867 (CVE-2018-16866) - CVE-2018-16866 systemd: out-of-bounds read when parsing a crafted syslog message
Summary: CVE-2018-16866 systemd: out-of-bounds read when parsing a crafted syslog message
Status: NEW
Alias: CVE-2018-16866
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20190109:1800,...
Keywords: Security
Depends On: 1657794 1664978 1664975
Blocks: 1653451
 
Reported: 2018-11-27 19:14 UTC by Laura Pardo
Modified: 2019-04-22 15:14 UTC (History)

An out of bounds read was discovered in systemd-journald in the way it parses log messages that terminate with a colon ':'. A local attacker can use this flaw to disclose process memory data.
Clone Of:
Last Closed:



Description Laura Pardo 2018-11-27 19:14:56 UTC
A flaw was found in systemd-journald. An out-of-bounds read when parsing a crafted syslog message could lead to information disclosure.

Comment 1 Doran Moppert 2018-11-28 02:29:27 UTC
This vulnerability was introduced in systemd v221.

Comment 2 Laura Pardo 2018-11-28 13:21:46 UTC
Acknowledgments:

Name: Qualys Research Labs

Comment 3 Riccardo Schirone 2018-12-05 09:05:42 UTC
Function syslog_parse_identifier() in the journald-syslog.c file does not properly parse the log string in case it ends with a ":", returning a pointer beyond the original string's limits. A local attacker may use this flaw to disclose systemd-journal process memory, resulting in an information leak.
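
The parsing step described in the comment above, as an added example that is not part of the bug report and not systemd's code: a simplified model of a syslog identifier parser for messages of the form "IDENT[PID]: text". The hypothetical parse_identifier() has the trailing-':' handling in both forms, the buggy one, where strchr(WHITESPACE, '\0') matches the literal's own terminator and the cursor is pushed one byte past the end of the string (the classic strchr-on-NUL pitfall, which is the check the upstream fix replaced with strspn()), and the hardened one using strspn(). The helper names bytes_past_terminator(), next_byte_seen_by_caller() and parse_matches() are assumptions made for this example, and the sample messages are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define WHITESPACE " \t\n\r"

/* Copy the first N bytes of S into a fresh NUL-terminated buffer
 * (stand-in for strndup so the example needs only ISO C). */
static char *copy_n(const char *s, size_t n) {
        char *t = malloc(n + 1);
        if (!t)
                return NULL;
        memcpy(t, s, n);
        t[n] = '\0';
        return t;
}

/* Hypothetical model of the identifier parser (not systemd's code).
 * Consumes "IDENT[PID]:" or "IDENT:" from the front of *buf, stores the
 * fields, advances *buf to the start of the message text and returns the
 * number of bytes consumed (0 when no identifier is present).
 * FIXED selects the hardened whitespace-skipping variant. */
static size_t parse_identifier(const char **buf, char **identifier, char **pid, bool fixed) {
        const char *p = *buf;
        size_t l, e;

        p += strspn(p, WHITESPACE);         /* skip leading blanks */
        l = strcspn(p, WHITESPACE);         /* length of the first token */
        if (l == 0 || p[l - 1] != ':')
                return 0;                   /* first token is not "IDENT:" */

        e = l;                              /* bytes consumed, ':' included */
        l--;                                /* identifier length without ':' */

        if (l > 0 && p[l - 1] == ']') {     /* optional "[PID]" suffix */
                size_t k = l - 1;
                for (;;) {
                        if (p[k] == '[') {
                                *pid = copy_n(p + k + 1, l - k - 2);
                                l = k;
                                break;
                        }
                        if (k == 0)
                                break;
                        k--;
                }
        }
        *identifier = copy_n(p, l);

        if (fixed) {
                /* strspn() counts only bytes that really are whitespace and
                 * stops at the NUL, so e can never exceed strlen(p). */
                e += strspn(p + e, WHITESPACE);
        } else {
                /* BUG: strchr(WHITESPACE, '\0') is non-NULL (every C string
                 * "contains" its terminator), so when ':' is the last byte of
                 * the message e is bumped past the NUL and *buf ends up one
                 * byte beyond the end of the string. */
                if (strchr(WHITESPACE, p[e]))
                        e++;
        }
        *buf = p + e;
        return e;
}

/* Parse MSG and report how many bytes past its NUL terminator the returned
 * cursor lies (0 = the cursor is still inside the string). */
static long bytes_past_terminator(const char *msg, bool fixed) {
        const char *cursor = msg, *end = msg + strlen(msg);
        char *ident = NULL, *pid = NULL;
        parse_identifier(&cursor, &ident, &pid, fixed);
        free(ident);
        free(pid);
        return cursor > end ? (long)(cursor - end) : 0;
}

/* Simulate the caller: MSG is placed in a larger buffer whose bytes after
 * the terminator are filled with 'X' (standing in for whatever process
 * memory follows the message in real life); returns the byte the caller
 * would read at the cursor the parser handed back. */
static char next_byte_seen_by_caller(const char *msg, bool fixed) {
        char store[128];
        const char *cursor = store;
        char *ident = NULL, *pid = NULL;

        if (strlen(msg) + 2 > sizeof store)
                return '?';                 /* too long for this demo buffer */
        memset(store, 'X', sizeof store);
        memcpy(store, msg, strlen(msg) + 1);
        parse_identifier(&cursor, &ident, &pid, fixed);
        free(ident);
        free(pid);
        return *cursor;
}

/* Does parsing MSG yield the expected identifier, pid and byte count? */
static bool parse_matches(const char *msg, bool fixed, const char *want_ident,
                          const char *want_pid, size_t want_consumed) {
        const char *cursor = msg;
        char *ident = NULL, *pid = NULL;
        size_t e = parse_identifier(&cursor, &ident, &pid, fixed);
        bool ok = e == want_consumed &&
                  strcmp(ident ? ident : "", want_ident) == 0 &&
                  strcmp(pid ? pid : "", want_pid) == 0;
        free(ident);
        free(pid);
        return ok;
}

int main(void) {
        /* Constructed sample messages, not taken from the bug report. */
        const char *samples[] = { "sshd[1234]: Accepted publickey", "foo:", ":" };
        for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
                printf("%-32s buggy: %ld byte(s) past end, fixed: %ld\n", samples[i],
                       bytes_past_terminator(samples[i], false),
                       bytes_past_terminator(samples[i], true));
        return 0;
}
```

Both variants parse a well-formed "IDENT[PID]: text" line identically; they differ only on a message whose last byte is the ':' of the identifier, where the buggy variant returns a cursor one byte past the terminator and the caller's next read lands in memory that was never part of the message.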

Comment 5 Riccardo Schirone 2018-12-05 09:16:39 UTC
RHEL 7.6 ships systemd v219, but commit ec5ff4445cca6a1d786b8da36cf6fe0acc0b94c8 was backported, thus making it vulnerable to this flaw as well.

Comment 10 Zbigniew Jędrzejewski-Szmek 2018-12-10 13:48:56 UTC
This seems to be the same as https://github.com/systemd/systemd/issues/9829, fixed by https://github.com/systemd/systemd/commit/a6aadf4ae0. The provided reproducer does not work with git master.

Comment 13 Doran Moppert 2019-01-02 02:45:00 UTC
Statement:

This issue affects the versions of systemd as shipped with Red Hat Enterprise Linux 7. Red Hat Product Security has rated this issue as having a security impact of Moderate. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

Red Hat Virtualization Hypervisor and Management Appliance include vulnerable versions of systemd. However, since exploitation requires local access and impact is restricted to information disclosure, this flaw is rated as having a security impact of Low. Future updates may address this issue.

Comment 14 Riccardo Schirone 2019-01-10 07:58:57 UTC
Created systemd tracking bugs for this issue:

Affects: fedora-all [bug 1664975]

Comment 15 Riccardo Schirone 2019-01-10 07:59:31 UTC
External References:

https://www.qualys.com/2019/01/09/system-down/system-down.txt

Comment 19 sabyrzhan 2019-03-05 18:14:10 UTC
Please update the ETA of RHEL7 systemd errata for this CVE.

Comment 20 sabyrzhan 2019-03-11 16:29:57 UTC
Please update the ETA for RHEL7 systemd errata release.

Comment 21 Laura Pardo 2019-03-11 19:38:02 UTC
In reply to comment #20:
> Please update the ETA for RHEL7 systemd errata release.

I'm transferring this needinfo to the analyst in charge of this.

Comment 22 Riccardo Schirone 2019-03-14 09:08:59 UTC
We do not release updates on ETA for errata.

