Bug 1001765 - (CVE-2016-7795) VUL-0: CVE-2016-7795, CVE-2016-7796: systemd: local denial-of-service attack via notification socket
(CVE-2016-7795)
VUL-0: CVE-2016-7795, CVE-2016-7796: systemd: local denial-of-service attack ...
Status: RESOLVED FIXED
: 1005205 (view as bug list)
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P1 - Urgent : Major
: ---
Assigned To: systemd maintainers
Security Team bot
CVSSv2:SUSE:CVE-2016-7796:1.7:(AV:L/A...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2016-09-28 20:40 UTC by Mikhail Kasimov
Modified: 2016-10-26 12:00 UTC (History)
8 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Mikhail Kasimov 2016-09-28 20:40:46 UTC
Reference: http://seclists.org/oss-sec/2016/q3/641

====================
systemd[1] fails an assertion in manager_invoke_notify_message[2] when
a zero-length message is received over its notification socket.
After failing the assertion, PID 1 hangs in the pause system call.
It is no longer possible to start and stop daemons or cleanly reboot
the system. Inetd-style services managed by systemd no longer accept
connections.

Since the notification socket, /run/systemd/notify, is world-writable,
this allows a local user to perform a denial-of-service attack against
systemd.

Proof-of-concept:

        NOTIFY_SOCKET=/run/systemd/notify systemd-notify ""

This vulnerability is present in all versions of systemd since at
least v209[3].

This has been reported to systemd.[4]

[1] https://github.com/systemd/systemd/
[2] https://github.com/systemd/systemd/blob/b8fafaf4a1cffd02389d61ed92ca7acb1b8c739c/src/core/manager.c#L1666
[3] https://github.com/systemd/systemd/commit/5ba6985b6c8ef85a8bcfeb1b65239c863436e75b#diff-ab78220e12703ee63fa1e6a2caa16bebR1325
[4] https://github.com/systemd/systemd/issues/4234
====================

While systemd-upstream supports release version (232) and two versions down (231,230), this report can be useful for Evergreen openSUSE versions with systemd v210 and future 42.2 release with systemd v228. Check this out, please.

Also, please, pay attention on: https://github.com/systemd/systemd/issues/4234#issuecomment-250289253
Comment 1 Franck Bui 2016-09-29 06:38:45 UTC
Thanks for reporting Mikhail. A fix will be release shortly.
Comment 2 Franck Bui 2016-09-29 06:56:11 UTC
(In reply to Mikhail Kasimov from comment #0)
> 
> This vulnerability is present in all versions of systemd since at
> least v209[3].
> 

I dont think this is true.

The regression is due to commit b215b0ede11c0dda90009c8412609d2416150075 initially which was introduced since v228.

So this issue should be present in Factory/TW only, not in older distros.

Did you manage to reproduce it in older distros ?

Thanks.
Comment 3 Johannes Segitz 2016-09-29 08:02:33 UTC
Couldn't reproduce on Leap 42.1, no such socket exists in /run/systemd
Comment 4 Franck Bui 2016-09-29 08:08:35 UTC
(In reply to Johannes Segitz from comment #3)
> Couldn't reproduce on Leap 42.1, no such socket exists in /run/systemd

The socket path for SP1 and any other distos based on v210 is "@/org/freedesktop/systemd1/notify".
Comment 5 Johannes Segitz 2016-09-29 08:57:14 UTC
(In reply to Franck Bui from comment #4)
Thanks. So after
NOTIFY_SOCKET="@/org/freedesktop/systemd1/notify" systemd-notify ""
I now have a system where I can't become root via su anymore. Apart from that I didn't notice any ill effects right away.
Comment 6 Johannes Segitz 2016-09-29 09:09:30 UTC
(In reply to Johannes Segitz from comment #5)
I'm still able to stop and restart services, but can't reboot the system cleanly. So Leap 42.1 is affected
Comment 7 Franck Bui 2016-09-29 09:59:00 UTC
(In reply to Johannes Segitz from comment #6)
> (In reply to Johannes Segitz from comment #5)
> I'm still able to stop and restart services, but can't reboot the system
> cleanly. So Leap 42.1 is affected

Indeed.
Comment 8 Wojtek Dziewięcki 2016-09-29 10:43:28 UTC
I did this:
NOTIFY_SOCKET="@/org/freedesktop/systemd1/notify"
while :; do systemd-notify ""; done

This is what happened:

As root, I couldn't start and stop some daemons (I've tried sshd and ntpd). NetworkManager worked though.
I could not become root neither using su, nor sudo. I couldn't login to a virtual console (as root or as a user). 

As a user, logging out from graphical interface didn't work either.

All done on openSUSE leap 42.1. Looks like a serious DoS to me.
Comment 9 Franck Bui 2016-09-29 12:36:01 UTC
(In reply to Wojtek Dziewięcki from comment #8)
> 
> All done on openSUSE leap 42.1. Looks like a serious DoS to me.

Nobody said the contrary AFAIK.

Please give a test to this testing package when OBS will finish to build it:

https://build.opensuse.org/package/show/home:fbui:branches:openSUSE:Leap:42.1:Update:bsc-1001765/systemd
Comment 10 Bernhard Wiedemann 2016-09-29 14:01:05 UTC
This is an autogenerated message for OBS integration:
This bug (1001765) was mentioned in
https://build.opensuse.org/request/show/431273 Factory / systemd
Comment 11 Wojtek Dziewięcki 2016-09-29 14:07:49 UTC
I've tested the package from OBS and I cannot replicate any of the issues any more.
Comment 12 Franck Bui 2016-09-30 07:12:55 UTC
Thanks for testing.

Updates are underway.
Comment 13 Johannes Segitz 2016-09-30 07:43:08 UTC
CVEs were assigned: http://seclists.org/oss-sec/2016/q3/675

> https://github.com/systemd/systemd/issues/4234
> https://www.agwa.name/blog/post/how_to_crash_systemd_in_one_tweet

> systemd fails an assertion in manager_invoke_notify_message when
> a zero-length message is received over its notification socket.
> After failing the assertion, PID 1 hangs in the pause system call.
> It is no longer possible to start and stop daemons or cleanly reboot
> the system. Inetd-style services managed by systemd no longer accept
> connections.
>
> Since the notification socket, /run/systemd/notify, is world-writable,
> this allows a local user to perform a denial-of-service attack against
> systemd.
>
> Proof-of-concept:
>
>         NOTIFY_SOCKET=/run/systemd/notify systemd-notify ""

Use CVE-2016-7795.

>> https://github.com/systemd/systemd/issues/4234#issuecomment-250441246

>> Older distros are affected differently I think: no assertion is
>> triggered but manager_dispatch_notify_fd() still returns an error
>> which has the bad side effect to disable the notification handler
>> completely

Use CVE-2016-7796
Comment 14 Bernhard Wiedemann 2016-09-30 08:00:54 UTC
This is an autogenerated message for OBS integration:
This bug (1001765) was mentioned in
https://build.opensuse.org/request/show/431464 Factory / systemd
Comment 16 Mikhail Kasimov 2016-09-30 11:15:40 UTC
(In reply to Bernhard Wiedemann from comment #14)
> This is an autogenerated message for OBS integration:
> This bug (1001765) was mentioned in
> https://build.opensuse.org/request/show/431464 Factory / systemd

====================
openSUSE_Leap_42.1 	
Repository has been published x86_64
	disabled The package has been disabled from building in project or package metadata.
openSUSE_Leap_42.2 	
Repository has been published x86_64
	disabled The package has been disabled from building in project or package metadata.
====================

is it correct?
Comment 17 Franck Bui 2016-09-30 13:27:14 UTC
(In reply to Mikhail Kasimov from comment #16)
> (In reply to Bernhard Wiedemann from comment #14)
> > This is an autogenerated message for OBS integration:
> > This bug (1001765) was mentioned in
> > https://build.opensuse.org/request/show/431464 Factory / systemd
> 
> ====================
> openSUSE_Leap_42.1 	
> Repository has been published x86_64
> 	disabled The package has been disabled from building in project or package
> metadata.
> openSUSE_Leap_42.2 	
> Repository has been published x86_64
> 	disabled The package has been disabled from building in project or package
> metadata.
> ====================
> 
> is it correct?

Yes probably because the deps are not fulfilled on 42.1 for v228. (42.1 is based on SLE12-SP1).

Regarding 42.2, I don't know however this distro is not officially released.
Comment 18 Mikhail Kasimov 2016-09-30 13:30:48 UTC
(In reply to Franck Bui from comment #17)
> (In reply to Mikhail Kasimov from comment #16)
> > (In reply to Bernhard Wiedemann from comment #14)
> > > This is an autogenerated message for OBS integration:
> > > This bug (1001765) was mentioned in
> > > https://build.opensuse.org/request/show/431464 Factory / systemd
> > 
> > ====================
> > openSUSE_Leap_42.1 	
> > Repository has been published x86_64
> > 	disabled The package has been disabled from building in project or package
> > metadata.
> > openSUSE_Leap_42.2 	
> > Repository has been published x86_64
> > 	disabled The package has been disabled from building in project or package
> > metadata.
> > ====================
> > 
> > is it correct?
> 
> Yes probably because the deps are not fulfilled on 42.1 for v228. (42.1 is
> based on SLE12-SP1).
> 
> Regarding 42.2, I don't know however this distro is not officially released.

Ok, because I'm asking due to phrase "All done on openSUSE leap 42.1. Looks like a serious DoS to me." from comment 8.
Comment 19 Wojtek Dziewięcki 2016-09-30 13:50:02 UTC
> is it correct?
Mikhail: AFAIK This is a request for the factory repository, so builds for released distributions are disabled there. It does not mean there will be no fix for 42.1.
Comment 20 Mikhail Kasimov 2016-09-30 13:52:35 UTC
(In reply to Wojtek Dziewięcki from comment #19)
> > is it correct?
> Mikhail: AFAIK This is a request for the factory repository, so builds for
> released distributions are disabled there. It does not mean there will be no
> fix for 42.1.

Ok, no problem, thanks for explaining.
Comment 21 Bernhard Wiedemann 2016-09-30 16:00:54 UTC
This is an autogenerated message for OBS integration:
This bug (1001765) was mentioned in
https://build.opensuse.org/request/show/431726 13.1 / systemd
https://build.opensuse.org/request/show/431727 13.2 / systemd
Comment 24 Alexander Bergmann 2016-10-04 07:54:31 UTC
As stated in comment 13, the CVEs are covering different systemd versions.

CVE-2016-7796 -> v210 -> SLE12-SP[01]
CVE-2016-7795 -> v228 -> SLE12-SP2
Comment 25 Marcus Meissner 2016-10-04 08:43:30 UTC
FWIW, 42.1 will get the sles 12-sp1 update, once it is released, and 42.2 will get it from sles 12 sp2.
Comment 26 Swamp Workflow Management 2016-10-07 19:09:11 UTC
SUSE-SU-2016:2475-1: An update that solves one vulnerability and has 10 fixes is now available.

Category: security (important)
Bug References: 1000435,1001765,954374,970293,982210,982211,982251,987173,987857,990074,996269
CVE References: CVE-2016-7796
Sources used:
SUSE Linux Enterprise Server for SAP 12 (src):    systemd-210-70.58.1
SUSE Linux Enterprise Server 12-LTSS (src):    systemd-210-70.58.1
Comment 27 Swamp Workflow Management 2016-10-07 19:11:19 UTC
SUSE-SU-2016:2476-1: An update that solves one vulnerability and has 10 fixes is now available.

Category: security (important)
Bug References: 1000435,1001765,954374,970293,982210,982211,982251,987173,987857,990074,996269
CVE References: CVE-2016-7796
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    systemd-210-114.1
SUSE Linux Enterprise Server 12-SP1 (src):    systemd-210-114.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    systemd-210-114.1
Comment 28 Bernhard Wiedemann 2016-10-12 14:00:47 UTC
This is an autogenerated message for OBS integration:
This bug (1001765) was mentioned in
https://build.opensuse.org/request/show/434546 42.2 / systemd
Comment 29 Swamp Workflow Management 2016-10-13 10:09:05 UTC
openSUSE-SU-2016:2522-1: An update that solves one vulnerability and has 5 fixes is now available.

Category: security (important)
Bug References: 1000435,1001765,954374,970293,982211,996269
CVE References: CVE-2016-7796
Sources used:
openSUSE 13.2 (src):    systemd-210.1475218254.1e76ce0-25.48.1, systemd-mini-210.1475218254.1e76ce0-25.48.1
Comment 30 Andreas Stieger 2016-10-14 10:15:57 UTC
releasing 42.1, all done
Comment 31 Swamp Workflow Management 2016-10-14 14:09:28 UTC
openSUSE-SU-2016:2539-1: An update that solves one vulnerability and has 10 fixes is now available.

Category: security (important)
Bug References: 1000435,1001765,954374,970293,982210,982211,982251,987173,987857,990074,996269
CVE References: CVE-2016-7796
Sources used:
openSUSE Leap 42.1 (src):    systemd-210-98.1, systemd-mini-210-98.1
Comment 32 Franck Bui 2016-10-18 09:48:08 UTC
*** Bug 1005205 has been marked as a duplicate of this bug. ***
Comment 33 Bernhard Wiedemann 2016-10-26 12:00:32 UTC
This is an autogenerated message for OBS integration:
This bug (1001765) was mentioned in
https://build.opensuse.org/request/show/437405 13.2 / systemd