Bug 1794578 (CVE-2020-1712) - CVE-2020-1712 systemd: use-after-free when asynchronous polkit queries are performed
Summary: CVE-2020-1712 systemd: use-after-free when asynchronous polkit queries are pe...
Keywords:
Status: NEW
Alias: CVE-2020-1712
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1794787 1794788 1794789 1797499 1798414
Blocks: 1775281
TreeView+ depends on / blocked
 
Reported: 2020-01-23 20:55 UTC by Riccardo Schirone
Modified: 2020-02-05 17:54 UTC (History)
17 users (show)

Fixed In Version: systemd 245
Doc Type: If docs needed, set a value
Doc Text:
A heap use-after-free vulnerability was found in systemd, where asynchronous Polkit queries are performed while handling dbus messages. A local unprivileged attacker can abuse this flaw to crash systemd services or potentially execute code and elevate their privileges, by sending specially crafted dbus messages.
Clone Of:
Environment:
Last Closed:


Attachments (Terms of Use)

Description Riccardo Schirone 2020-01-23 20:55:51 UTC
systemd contains a heap use-after-free vulnerability due to the way asynchronous polkit queries are performed. The userdata that needs to be passed to the polkit callback is cached in the AsyncPolkitQuery structure, however when the callback is actually called, the object the userdata is pointing to may already have been released and re-used for other purposes. Local unprivileged attackers may abuse this flaw to crash systemd services or potentially execute code and elevate their privileges.

Comment 5 Riccardo Schirone 2020-01-27 12:08:55 UTC
This bug happens due to the way bus_verify_polkit_async() works. Some DBus interfaces use a cache to store objects for a short period and they clear it as soon as the bus is again in the idle state. However, if a DBus method uses an async function like bus_verify_polkit_async(), the method may have to wait a while until the polkit action is resolved and when that happens the DBus method is called again, with the userdata previously allocated. If the polkit requests takes a bit too long, the clearing of the cache would free the stored objects before the method is called the second time, causing the use-after-free vulnerability.

Comment 8 Riccardo Schirone 2020-01-27 16:21:58 UTC
At least systemd-machined service exposes a DBus API that is vulnerable to this flaw, because of the way Images are temporarily stored in a cache and because of some DBus methods like org.freedesktop.machine1.Image.Clone that performs asynchronous polkit queries which may trigger the use-after-free. The attack can be done by any unprivileged user as the interface org.freedesktop.machine1.Image is accessible by everybody.

Comment 9 Riccardo Schirone 2020-01-27 16:33:45 UTC
Usage of polkit to open up machined's commands to unprivileged user was done in upstream commit https://github.com/systemd/systemd/commit/70244d1d25eb80b57e160ea004d0e6bf793d4caf . This commit was first included in systemd v220.

Comment 10 Riccardo Schirone 2020-01-27 17:00:05 UTC
Vulnerable DBus methods have:
1) a "find" function for the associated object (e.g. image_object_find) that configures a temporary cache and setups a "defer_event" which frees the elements in the cache
2) a call to bus_verify_polkit_async() in the handler of the method (e.g. bus_image_method_clone)
3) SD_BUS_VTABLE_UNPRIVILEGED as one of the specified flags

Comment 11 Riccardo Schirone 2020-01-27 17:01:17 UTC
Acknowledgments:

Name: Tavis Ormandy (Google Project Zero)

Comment 15 Riccardo Schirone 2020-02-03 09:45:56 UTC
Statement:

This issue did not affect the versions of systemd as shipped with Red Hat Enterprise Linux 7 as there is no service that performs asynchronous polkit requests in a vulnerable way.

The version of systemd delivered in OpenShift Container Platform 4.1 and included in CoreOS images has been superseded by the version delivered in Red Hat Enterprise Linux 8. CoreOS updates for systemd in will be consumed from Red Hat Enterprise Linux 8 channels.

Comment 16 Riccardo Schirone 2020-02-03 09:50:55 UTC
Red Hat Enterprise Linux 7 ships systemd v219, which does not have any service that uses bus_verify_polkit_async() while holding a temporary cache that is freed during a "defer_event". However, function bus_verify_polkit_async() does contain the vulnerable code even though the flaw is not reachable.

Comment 19 Riccardo Schirone 2020-02-05 10:01:26 UTC
Created systemd tracking bugs for this issue:

Affects: fedora-all [bug 1798414]


Note You need to log in before you can comment on or make changes to this bug.