Bug 1684610 (CVE-2019-3844) - CVE-2019-3844 systemd: services with DynamicUser can get new privileges and create SGID binaries
Summary: CVE-2019-3844 systemd: services with DynamicUser can get new privileges and c...
Keywords:
Status: NEW
Alias: CVE-2019-3844
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20190425,repor...
Depends On: 1687513 1703357
Blocks: 1672544
TreeView+ depends on / blocked
 
Reported: 2019-03-01 16:08 UTC by Riccardo Schirone
Modified: 2019-06-08 23:53 UTC (History)
14 users (show)

Fixed In Version: systemd 242
Doc Type: If docs needed, set a value
Doc Text:
It was discovered that a systemd service that uses DynamicUser property can get new privileges through the execution of SUID binaries, which would allow a cooperating process to create binaries owned by the service transient group with the setgid bit set. A local attacker may use this flaw to access resources that will be owned by a potentially different service in the future when the GID will be recycled.
Clone Of:
Environment:
Last Closed:


Attachments (Terms of Use)

Description Riccardo Schirone 2019-03-01 16:08:31 UTC
It was discovered that a systemd service that uses DynamicUser property can get new privileges through the execution of SUID binaries, which would allow to create binaries owned by the service transient group with the setgid bit set. A local attacker may use this flaw to access resources that will be owned by a potentially different service in the future, when the GID will be recycled.

Comment 2 Riccardo Schirone 2019-03-05 13:33:22 UTC
Statement:

This issue did not affect the versions of systemd as shipped with Red Hat Enterprise Linux 7 as they did not include support for DynamicUser property.

Comment 19 Riccardo Schirone 2019-04-26 08:41:29 UTC
Created systemd tracking bugs for this issue:

Affects: fedora-all [bug 1703357]

Comment 20 Riccardo Schirone 2019-04-26 13:39:15 UTC
Acknowledgments:

Name: Jann Horn (Google Project Zero)


Note You need to log in before you can comment on or make changes to this bug.