Arch Linux Security Advisory ASA-201811-11
=========================================
Severity: Critical
Date    : 2018-11-07
CVE-ID  : CVE-2018-15686 CVE-2018-15687 CVE-2018-15688
Package : systemd
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-789

Summary
======
The package systemd before version 239.300-1 is vulnerable to multiple
issues including arbitrary code execution and privilege escalation.

Resolution
=========
Upgrade to 239.300-1.

# pacman -Syu "systemd>=239.300-1"

The problems have been fixed upstream in version 239.300.

Workaround
=========
- CVE-2018-15688

Disable IPv6 by setting either LinkLocalAddressing=ipv4 or
LinkLocalAddressing=no in the corresponding network configuration file.

Description
==========
- CVE-2018-15686 (privilege escalation)

A security issue has been found in systemd up to and including 239,
where the use of fgets() allows an attacker to escalate privilege via a
crafted service with NotifyAccess.

- CVE-2018-15687 (privilege escalation)

A security issue has been found in systemd up to and including 239,
where a race condition in the chown_one() function can be used to
escalate privileges via a crafted symlink.

- CVE-2018-15688 (arbitrary code execution)

An out-of-bounds write has been found in the dhcpv6 option handing code
of systemd-networkd up to and including v239.

It was discovered that systemd-network does not correctly keep track of
a buffer size  in the dhcp6_option_append_ia() function, when
constructing DHCPv6 packets. This flaw may lead to an integer underflow
that can be used to produce an heap-based buffer overflow. A malicious
host on the same network segment as the victim's one may advertise
itself as a DHCPv6 server and exploit this flaw to cause a Denial of
Service or potentially gain code execution on the victim's machine. The
overflow can be triggered relatively easy by advertising a DHCPv6
server with a server-id >= 493 characters long.

Impact
=====
A remote attacker is able to cause arbitrary code execution by
advertising itself as a DHCPv6 server with a specially crafted server-
id. A local attacker can escalate privileges with a specially crafted
service or a crafted symlink.

References
=========
https://bugs.archlinux.org/task/60609
https://bugs.chromium.org/p/project-zero/issues/detail?id=1687
https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1796402
https://github.com/systemd/systemd/pull/10447
https://github.com/systemd/systemd/pull/10450
https://bugs.chromium.org/p/project-zero/issues/detail?id=1689
https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1796692
https://github.com/systemd/systemd/pull/10517
https://bugs.launchpad.net/ubuntu/%2Bsource/systemd/%2Bbug/1795921
https://github.com/systemd/systemd/pull/10518
https://github.com/poettering/systemd/commit/49653743f69658aeeebdb14faf1ab158f1f2cb20
https://security.archlinux.org/CVE-2018-15686
https://security.archlinux.org/CVE-2018-15687
https://security.archlinux.org/CVE-2018-15688

ArchLinux: 201811-11: systemd: multiple issues

November 11, 2018

Summary

- CVE-2018-15686 (privilege escalation) A security issue has been found in systemd up to and including 239, where the use of fgets() allows an attacker to escalate privilege via a crafted service with NotifyAccess.
- CVE-2018-15687 (privilege escalation)
A security issue has been found in systemd up to and including 239, where a race condition in the chown_one() function can be used to escalate privileges via a crafted symlink.
- CVE-2018-15688 (arbitrary code execution)
An out-of-bounds write has been found in the dhcpv6 option handing code of systemd-networkd up to and including v239.
It was discovered that systemd-network does not correctly keep track of a buffer size in the dhcp6_option_append_ia() function, when constructing DHCPv6 packets. This flaw may lead to an integer underflow that can be used to produce an heap-based buffer overflow. A malicious host on the same network segment as the victim's one may advertise itself as a DHCPv6 server and exploit this flaw to cause a Denial of Service or potentially gain code execution on the victim's machine. The overflow can be triggered relatively easy by advertising a DHCPv6 server with a server-id >= 493 characters long.

Resolution

Upgrade to 239.300-1. # pacman -Syu "systemd>=239.300-1"
The problems have been fixed upstream in version 239.300.

References

https://bugs.archlinux.org/task/60609 https://bugs.chromium.org/p/project-zero/issues/detail?id=1687 https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1796402 https://github.com/systemd/systemd/pull/10447 https://github.com/systemd/systemd/pull/10450 https://bugs.chromium.org/p/project-zero/issues/detail?id=1689 https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1796692 https://github.com/systemd/systemd/pull/10517 https://bugs.launchpad.net/ubuntu/%2Bsource/systemd/%2Bbug/1795921 https://github.com/systemd/systemd/pull/10518 https://github.com/poettering/systemd/commit/49653743f69658aeeebdb14faf1ab158f1f2cb20 https://security.archlinux.org/CVE-2018-15686 https://security.archlinux.org/CVE-2018-15687 https://security.archlinux.org/CVE-2018-15688

Severity
Package : systemd
Type : multiple issues
Remote : Yes
Link : https://security.archlinux.org/AVG-789

Workaround

- CVE-2018-15688Disable IPv6 by setting either LinkLocalAddressing=ipv4 orLinkLocalAddressing=no in the corresponding network configuration file.

Related News

5.ShakingHands Esm H320
2 - 3 min read
At The Linux Foundation's Open Source Summit North America , Linus Torvalds, the creator of Linux, discussed various topics related to Linux
30.Lock Globe Motherboard Esm H320
1 - 2 min read
The SPDX 3.0 release marks a significant milestone in software management, particularly for Linux admins, infosec professionals, internet security
11.Locks IsometricPattern Esm H320
2 - 3 min read
Open Source maintainers and developers have been warned about the continued wave of attacks aimed at project maintainers similar to those recently
28.Lock Globe Esm H320
1 - 2 min read
A resurgence of cyberattacks targeting Linux systems in Asian campaigns through the utilization of the Pupy Remote Access Trojan (RAT) has been
27.Tablet Connections Blocks Lock Esm H320
2 - 4 min read
Canonical has recently announced the Beta release of Ubuntu Linux 24.04 LTS , codenamed "Noble Numbat." This release aims to continue Ubuntu's
21.Globe RadiatingCode Esm H320
2 - 3 min read
The open-source movement has come a long way, from its origins in the 1960s and 1970s to becoming an integral part of organizations worldwide.
13.Lock StylizedMotherboard Esm H320
2 - 3 min read
The Rust-based Edera project demonstrates a unique approach to container security that addresses cloud-native computing challenges. Let's examine
8.Locks HexConnections CodeGlobe Esm H320
2 - 3 min read
Canonical has launched Ubuntu Pro for Devices , a comprehensive offering emphasizing security and compliance for IoT device deployments. This
Sign Up

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved