Bug 1684610 (CVE-2019-3844) - CVE-2019-3844 systemd: services with DynamicUser can get new privileges and create SGID binaries
Summary: CVE-2019-3844 systemd: services with DynamicUser can get new privileges and c...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-3844
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1687512 1687513 1703357
Blocks: 1672544
TreeView+ depends on / blocked
 
Reported: 2019-03-01 16:08 UTC by Riccardo Schirone
Modified: 2020-04-28 16:32 UTC (History)
15 users (show)

Fixed In Version: systemd 242
Doc Type: If docs needed, set a value
Doc Text:
It was discovered that a systemd service that uses DynamicUser property can get new privileges through the execution of SUID binaries, which would allow a cooperating process to create binaries owned by the service transient group with the setgid bit set. A local attacker may use this flaw to access resources that will be owned by a potentially different service in the future when the GID will be recycled.
Clone Of:
Environment:
Last Closed: 2020-04-28 16:32:38 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:1794 None None None 2020-04-28 15:53:33 UTC

Description Riccardo Schirone 2019-03-01 16:08:31 UTC
It was discovered that a systemd service that uses DynamicUser property can get new privileges through the execution of SUID binaries, which would allow to create binaries owned by the service transient group with the setgid bit set. A local attacker may use this flaw to access resources that will be owned by a potentially different service in the future, when the GID will be recycled.

Comment 2 Riccardo Schirone 2019-03-05 13:33:22 UTC
Statement:

This issue did not affect the versions of systemd as shipped with Red Hat Enterprise Linux 7 as they did not include support for DynamicUser property.

Comment 19 Riccardo Schirone 2019-04-26 08:41:29 UTC
Created systemd tracking bugs for this issue:

Affects: fedora-all [bug 1703357]

Comment 20 Riccardo Schirone 2019-04-26 13:39:15 UTC
Acknowledgments:

Name: Jann Horn (Google Project Zero)

Comment 23 mathangi.shankar 2020-03-02 09:35:56 UTC
Hello,

  I am encountering this bug, on SAS Viya server installed on Red Hat Linux 7.6. Can you please suggest what is the fix for this issue?

Thanks in advance,
Mathangi

Comment 24 errata-xmlrpc 2020-04-28 15:53:31 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:1794 https://access.redhat.com/errata/RHSA-2020:1794

Comment 25 Product Security DevOps Team 2020-04-28 16:32:38 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-3844


Note You need to log in before you can comment on or make changes to this bug.