systemd contains a heap use-after-free vulnerability due to the way asynchronous polkit queries are performed. The userdata that needs to be passed to the polkit callback is cached in the AsyncPolkitQuery structure, however when the callback is actually called, the object the userdata is pointing to may already have been released and re-used for other purposes. Local unprivileged attackers may abuse this flaw to crash systemd services or potentially execute code and elevate their privileges.
This bug is caused by the way bus_verify_polkit_async() works. Some DBus interfaces use a cache to store objects for a short period and clear it as soon as the bus is idle again. However, if a DBus method uses an asynchronous function like bus_verify_polkit_async(), the method may have to wait until the polkit action is resolved; when that happens, the DBus method is called again with the userdata allocated during the first call. If the polkit request takes too long, the cache is cleared and the stored objects are freed before the method is called the second time, causing the use-after-free.
At least the systemd-machined service exposes a DBus API that is vulnerable to this flaw, because Images are temporarily stored in a cache and because DBus methods such as org.freedesktop.machine1.Image.Clone perform asynchronous polkit queries which may trigger the use-after-free. The attack can be carried out by any unprivileged user, as the interface org.freedesktop.machine1.Image is accessible to everybody.
The use of polkit to open up machined's commands to unprivileged users was introduced in upstream commit https://github.com/systemd/systemd/commit/70244d1d25eb80b57e160ea004d0e6bf793d4caf . This commit was first included in systemd v220.
Vulnerable DBus methods have:
1) a "find" function for the associated object (e.g. image_object_find) that configures a temporary cache and sets up a "defer_event" which frees the elements in the cache
2) a call to bus_verify_polkit_async() in the handler of the method (e.g. bus_image_method_clone)
3) SD_BUS_VTABLE_UNPRIVILEGED as one of the specified flags
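The cache-and-defer pattern described above, modelled in C as an added example (not systemd's code; the image store, the cache size and every function and type name are hypothetical). It carries only the lookup key, not the object pointer, across the asynchronous polkit round trip, so the completion re-resolves the object after the idle flush instead of dereferencing memory the defer event has already freed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Constructed model of the machined pattern described above; all names are hypothetical. */
#define NAME_MAX_LEN 32
#define CACHE_MAX 4
typedef struct Image { char name[NAME_MAX_LEN]; int clones; } Image;
static const char *on_disk[] = { "fedora", "rhel8" };  /* constructed image store */
static Image *cache[CACHE_MAX];                         /* temporary object cache */
static int cache_len;

/* The "find" step: resolve the image, caching the object until the bus goes idle. */
static Image *image_find(const char *name) {
    for (int i = 0; i < cache_len; i++)
        if (strcmp(cache[i]->name, name) == 0) return cache[i];
    for (size_t i = 0; i < sizeof on_disk / sizeof *on_disk; i++) {
        if (strcmp(on_disk[i], name) != 0 || cache_len == CACHE_MAX) continue;
        Image *img = calloc(1, sizeof *img);
        if (!img) return NULL;
        strncpy(img->name, name, NAME_MAX_LEN - 1);
        return cache[cache_len++] = img;
    }
    return NULL;
}

/* The "defer_event": the bus became idle, so every cached object is released. */
static void cache_flush(void) {
    for (int i = 0; i < cache_len; i++) free(cache[i]);
    cache_len = 0;
}

/* State carried across the asynchronous polkit round trip. Storing an Image* here is
 * the vulnerable pattern; storing only the lookup key lets the completion re-resolve. */
typedef struct PendingClone { char image_name[NAME_MAX_LEN]; int authorized; } PendingClone;

/* Completion: returns 1 if cloned, 0 if polkit denied, -1 if the image no longer exists. */
static int clone_complete(const PendingClone *q) {
    if (!q->authorized) return 0;
    Image *img = image_find(q->image_name);  /* fresh lookup, never the pre-flush pointer */
    if (!img) return -1;
    img->clones++;
    return 1;
}

int main(void) {
    PendingClone q = { "fedora", 1 };
    if (!image_find(q.image_name)) return 1;   /* first pass of the method handler */
    cache_flush();                              /* idle defer event fires while polkit runs */
    printf("clone result after flush: %d\n", clone_complete(&q));
    cache_flush();
    return 0;
}
```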
Acknowledgments: Name: Tavis Ormandy (Google Project Zero)
Statement: This issue did not affect the versions of systemd as shipped with Red Hat Enterprise Linux 7, as there is no service that performs asynchronous polkit requests in a vulnerable way. The version of systemd delivered in OpenShift Container Platform 4.1 and included in CoreOS images has been superseded by the version delivered in Red Hat Enterprise Linux 8. CoreOS updates for systemd will be consumed from Red Hat Enterprise Linux 8 channels.
Red Hat Enterprise Linux 7 ships systemd v219, which does not have any service that uses bus_verify_polkit_async() while holding a temporary cache that is freed during a "defer_event". However, the function bus_verify_polkit_async() does contain the vulnerable code, even though the flaw is not reachable.
Upstream fix: https://github.com/systemd/systemd/commit/ea0d0ede03c6f18dbc5036c5e9cccf97e415ccc2
In particular, the following commits prevent the flaw:
https://github.com/systemd/systemd/commit/1068447e6954dc6ce52f099ed174c442cb89ed54
https://github.com/systemd/systemd/commit/637486261528e8aa3da9f26a4487dc254f4b7abb
https://github.com/systemd/systemd/commit/bc130b6858327b382b07b3985cf48e2aa9016b2d
Created systemd tracking bugs for this issue: Affects: fedora-all [bug 1798414]
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions Via RHSA-2020:0564 https://access.redhat.com/errata/RHSA-2020:0564
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-1712
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:0575 https://access.redhat.com/errata/RHSA-2020:0575