Bugzilla – Full Text Bug Listing

| Summary: | VUL-0: CVE-2016-7795, CVE-2016-7796: systemd: local denial-of-service attack via notification socket | | |
|---|---|---|---|
| Product: | [Novell Products] SUSE Security Incidents | Reporter: | Mikhail Kasimov <mikhail.kasimov> |
| Component: | Incidents | Assignee: | systemd maintainers <systemd-maintainers> |
| Status: | RESOLVED FIXED | QA Contact: | Security Team bot <security-team> |
| Severity: | Major | | |
| Priority: | P1 - Urgent | CC: | abergmann, astieger, fbui, jsegitz, meissner, security-team, sujith_pandel, vojta.reg |
| Version: | unspecified | | |
| Target Milestone: | --- | | |
| Hardware: | Other | | |
| OS: | Other | | |
| Whiteboard: | CVSSv2:SUSE:CVE-2016-7796:1.7:(AV:L/AC:L/Au:S/C:N/I:N/A:P) CVSSv2:SUSE:CVE-2016-7795:1.7:(AV:L/AC:L/Au:S/C:N/I:N/A:P) CVSSv2:RedHat:CVE-2016-7795:5.6:(AV:L/AC:L/Au:N/C:N/I:P/A:C) CVSSv2:RedHat:CVE-2016-7796:5.6:(AV:L/AC:L/Au:N/C:N/I:P/A:C) | | |
| Found By: | --- | Services Priority: | |
| Business Priority: | | Blocker: | --- |
| Marketing QA Status: | --- | IT Deployment: | --- |
Description
Mikhail Kasimov
2016-09-28 20:40:46 UTC
Thanks for reporting, Mikhail. A fix will be released shortly.

(In reply to Mikhail Kasimov from comment #0)
> This vulnerability is present in all versions of systemd since at
> least v209[3].

I don't think this is true. The regression is due to commit b215b0ede11c0dda90009c8412609d2416150075, which was introduced in v228. So this issue should be present in Factory/TW only, not in older distros. Did you manage to reproduce it in older distros? Thanks.

Couldn't reproduce on Leap 42.1, no such socket exists in /run/systemd

(In reply to Johannes Segitz from comment #3)
> Couldn't reproduce on Leap 42.1, no such socket exists in /run/systemd

The socket path for SP1 and any other distros based on v210 is "@/org/freedesktop/systemd1/notify".

(In reply to Franck Bui from comment #4)

Thanks. So after

    NOTIFY_SOCKET="@/org/freedesktop/systemd1/notify" systemd-notify ""

I now have a system where I can't become root via su anymore. Apart from that I didn't notice any ill effects right away.

(In reply to Johannes Segitz from comment #5)

I'm still able to stop and restart services, but can't reboot the system cleanly. So Leap 42.1 is affected.

(In reply to Johannes Segitz from comment #6)
> (In reply to Johannes Segitz from comment #5)
> I'm still able to stop and restart services, but can't reboot the system
> cleanly. So Leap 42.1 is affected

Indeed. I did this:

    NOTIFY_SOCKET="@/org/freedesktop/systemd1/notify"
    while :; do systemd-notify ""; done

This is what happened:

As root, I couldn't start and stop some daemons (I've tried sshd and ntpd). NetworkManager worked though.
I could not become root, neither using su nor sudo.
I couldn't log in to a virtual console (as root or as a user).
As a user, logging out from the graphical interface didn't work either.

All done on openSUSE Leap 42.1. Looks like a serious DoS to me.

(In reply to Wojtek Dziewięcki from comment #8)
> All done on openSUSE leap 42.1. Looks like a serious DoS to me.

Nobody said the contrary AFAIK.
Please give this test package a try when OBS has finished building it: https://build.opensuse.org/package/show/home:fbui:branches:openSUSE:Leap:42.1:Update:bsc-1001765/systemd

This is an autogenerated message for OBS integration:
This bug (1001765) was mentioned in
https://build.opensuse.org/request/show/431273 Factory / systemd

I've tested the package from OBS and I cannot replicate any of the issues anymore.

Thanks for testing. Updates are underway.

CVEs were assigned: http://seclists.org/oss-sec/2016/q3/675

> https://github.com/systemd/systemd/issues/4234
> https://www.agwa.name/blog/post/how_to_crash_systemd_in_one_tweet
>
> systemd fails an assertion in manager_invoke_notify_message when
> a zero-length message is received over its notification socket.
> After failing the assertion, PID 1 hangs in the pause system call.
> It is no longer possible to start and stop daemons or cleanly reboot
> the system. Inetd-style services managed by systemd no longer accept
> connections.
>
> Since the notification socket, /run/systemd/notify, is world-writable,
> this allows a local user to perform a denial-of-service attack against
> systemd.
>
> Proof-of-concept:
>
> NOTIFY_SOCKET=/run/systemd/notify systemd-notify ""

Use CVE-2016-7795.
>> https://github.com/systemd/systemd/issues/4234#issuecomment-250441246
>> Older distros are affected differently I think: no assertion is
>> triggered but manager_dispatch_notify_fd() still returns an error
>> which has the bad side effect to disable the notification handler
>> completely

Use CVE-2016-7796.

This is an autogenerated message for OBS integration:
This bug (1001765) was mentioned in
https://build.opensuse.org/request/show/431464 Factory / systemd

(In reply to Bernhard Wiedemann from comment #14)
> This is an autogenerated message for OBS integration:
> This bug (1001765) was mentioned in
> https://build.opensuse.org/request/show/431464 Factory / systemd

====================
openSUSE_Leap_42.1
Repository has been published x86_64
disabled The package has been disabled from building in project or package metadata.
openSUSE_Leap_42.2
Repository has been published x86_64
disabled The package has been disabled from building in project or package metadata.
====================

is it correct?

(In reply to Mikhail Kasimov from comment #16)
> (In reply to Bernhard Wiedemann from comment #14)
> > This is an autogenerated message for OBS integration:
> > This bug (1001765) was mentioned in
> > https://build.opensuse.org/request/show/431464 Factory / systemd
>
> ====================
> openSUSE_Leap_42.1
> Repository has been published x86_64
> disabled The package has been disabled from building in project or package
> metadata.
> openSUSE_Leap_42.2
> Repository has been published x86_64
> disabled The package has been disabled from building in project or package
> metadata.
> ====================
>
> is it correct?

Yes, probably because the deps are not fulfilled on 42.1 for v228. (42.1 is based on SLE12-SP1).

Regarding 42.2, I don't know, however this distro is not officially released.
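The two CVEs above describe the same trigger (a zero-length datagram on the notification socket) with two outcomes: v228 fails an assertion, while v210's manager_dispatch_notify_fd() returns an error and the notification handler gets disabled. The following added C example is not systemd's code; it models the v210 failure mode and its fix with a constructed socketpair, a dispatcher that reports the empty datagram as an error beside a hardened one that drops it, and a minimal event loop that disables the source on error.

```c
/* Added example, not systemd's code: a notification-socket dispatcher that
 * reports a zero-length datagram as an error, beside one that drops it. With
 * an event loop that disables the source on error (the v210 behaviour quoted
 * above), the naive version never processes another notification. */
#include <errno.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#define MSG_MAX 4096

typedef int (*dispatch_fn)(int fd, int *ready_count);

/* Naive: an empty datagram is reported as an error to the event loop. */
static int dispatch_naive(int fd, int *ready_count) {
    char buf[MSG_MAX];
    ssize_t n = recv(fd, buf, sizeof buf - 1, MSG_DONTWAIT);
    if (n < 0) return -errno;
    if (n == 0) return -EIO;            /* zero-length message -> error */
    buf[n] = '\0';
    if (strstr(buf, "READY=1")) (*ready_count)++;
    return 0;
}

/* Hardened: an empty datagram is unexpected but harmless, so skip it. */
static int dispatch_hardened(int fd, int *ready_count) {
    char buf[MSG_MAX];
    ssize_t n = recv(fd, buf, sizeof buf - 1, MSG_DONTWAIT);
    if (n < 0) return -errno;
    if (n == 0) return 0;               /* drop it, keep the source enabled */
    buf[n] = '\0';
    if (strstr(buf, "READY=1")) (*ready_count)++;
    return 0;
}

/* Constructed scenario: an empty datagram (what `systemd-notify ""` sends)
 * followed by a genuine READY=1, read by a loop that disables the source once
 * the dispatcher reports an error. Returns how many READY=1 were processed. */
static int run_scenario(dispatch_fn dispatch) {
    int sv[2], ready = 0, enabled = 1;
    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) < 0) return -1;
    send(sv[0], "", 0, 0);
    send(sv[0], "READY=1", 7, 0);
    for (int i = 0; i < 2 && enabled; i++)
        if (dispatch(sv[1], &ready) < 0) enabled = 0;   /* source disabled */
    close(sv[0]); close(sv[1]);
    return ready;
}
```

The naive dispatcher loses the real READY=1 that follows the empty datagram, which is the "handler disabled completely" effect quoted above; the hardened one processes it.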
(In reply to Franck Bui from comment #17)
> (In reply to Mikhail Kasimov from comment #16)
> > (In reply to Bernhard Wiedemann from comment #14)
> > > This is an autogenerated message for OBS integration:
> > > This bug (1001765) was mentioned in
> > > https://build.opensuse.org/request/show/431464 Factory / systemd
> >
> > ====================
> > openSUSE_Leap_42.1
> > Repository has been published x86_64
> > disabled The package has been disabled from building in project or package
> > metadata.
> > openSUSE_Leap_42.2
> > Repository has been published x86_64
> > disabled The package has been disabled from building in project or package
> > metadata.
> > ====================
> >
> > is it correct?
>
> Yes probably because the deps are not fulfilled on 42.1 for v228. (42.1 is
> based on SLE12-SP1).
>
> Regarding 42.2, I don't know however this distro is not officially released.

Ok, I'm asking because of the phrase "All done on openSUSE leap 42.1. Looks like a serious DoS to me." from comment 8.

> is it correct?

Mikhail: AFAIK this is a request for the Factory repository, so builds for released distributions are disabled there. It does not mean there will be no fix for 42.1.
(In reply to Wojtek Dziewięcki from comment #19)
> > is it correct?
> Mikhail: AFAIK This is a request for the factory repository, so builds for
> released distributions are disabled there. It does not mean there will be no
> fix for 42.1.

Ok, no problem, thanks for explaining.

This is an autogenerated message for OBS integration:
This bug (1001765) was mentioned in
https://build.opensuse.org/request/show/431726 13.1 / systemd
https://build.opensuse.org/request/show/431727 13.2 / systemd

As stated in comment 13, the CVEs cover different systemd versions:

CVE-2016-7796 -> v210 -> SLE12-SP[01]
CVE-2016-7795 -> v228 -> SLE12-SP2

FWIW, 42.1 will get the SLES 12-SP1 update once it is released, and 42.2 will get it from SLES 12-SP2.

SUSE-SU-2016:2475-1: An update that solves one vulnerability and has 10 fixes is now available.

Category: security (important)
Bug References: 1000435,1001765,954374,970293,982210,982211,982251,987173,987857,990074,996269
CVE References: CVE-2016-7796
Sources used:
SUSE Linux Enterprise Server for SAP 12 (src): systemd-210-70.58.1
SUSE Linux Enterprise Server 12-LTSS (src): systemd-210-70.58.1

SUSE-SU-2016:2476-1: An update that solves one vulnerability and has 10 fixes is now available.

Category: security (important)
Bug References: 1000435,1001765,954374,970293,982210,982211,982251,987173,987857,990074,996269
CVE References: CVE-2016-7796
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src): systemd-210-114.1
SUSE Linux Enterprise Server 12-SP1 (src): systemd-210-114.1
SUSE Linux Enterprise Desktop 12-SP1 (src): systemd-210-114.1

This is an autogenerated message for OBS integration:
This bug (1001765) was mentioned in
https://build.opensuse.org/request/show/434546 42.2 / systemd

openSUSE-SU-2016:2522-1: An update that solves one vulnerability and has 5 fixes is now available.

Category: security (important)
Bug References: 1000435,1001765,954374,970293,982211,996269
CVE References: CVE-2016-7796
Sources used:
openSUSE 13.2 (src): systemd-210.1475218254.1e76ce0-25.48.1, systemd-mini-210.1475218254.1e76ce0-25.48.1

releasing 42.1, all done

openSUSE-SU-2016:2539-1: An update that solves one vulnerability and has 10 fixes is now available.

Category: security (important)
Bug References: 1000435,1001765,954374,970293,982210,982211,982251,987173,987857,990074,996269
CVE References: CVE-2016-7796
Sources used:
openSUSE Leap 42.1 (src): systemd-210-98.1, systemd-mini-210-98.1

*** Bug 1005205 has been marked as a duplicate of this bug. ***

This is an autogenerated message for OBS integration:
This bug (1001765) was mentioned in
https://build.opensuse.org/request/show/437405 13.2 / systemd