It was discovered that a systemd service that uses DynamicUser property can get new privileges through the execution of SUID binaries, which would allow to create binaries owned by the service transient group with the setgid bit set. A local attacker may use this flaw to access resources that will be owned by a potentially different service in the future, when the GID will be recycled.
Statement: This issue did not affect the versions of systemd as shipped with Red Hat Enterprise Linux 7 as they did not include support for DynamicUser property.
Upstream patch: https://github.com/systemd/systemd/commit/bf65b7e0c9fc215897b676ab9a7c9d1c688143ba
References: https://bugs.chromium.org/p/project-zero/issues/detail?id=1771 https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1814596
Created systemd tracking bugs for this issue: Affects: fedora-all [bug 1703357]
Acknowledgments: Name: Jann Horn (Google Project Zero)
Hello, I am encountering this bug, on SAS Viya server installed on Red Hat Linux 7.6. Can you please suggest what is the fix for this issue? Thanks in advance, Mathangi
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:1794 https://access.redhat.com/errata/RHSA-2020:1794
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-3844