Bugzilla – Bug 1034330
VUL-0: CVE-2017-7874: systemd: udevd: does not properly verify the source of a Netlink message
Last modified: 2017-04-19 13:24:33 UTC
udevd in udev 232, when the Linux kernel 4.8.0 is used, does not properly verify the source of a Netlink message, which allows local users to execute arbitrary commands by leveraging access to the NETLINK_KOBJECT_UEVENT family, and the presence of the /lib/udev/rules.d/50-udev-default.rules file, to provide a crafted REMOVE_CMD value.
Not sure, If it is applicable to (open-)SUSE, but v.232 can be used in TW branch. Need to be rechecked.
Created attachment 721359 [details]
gcc -o reproducer reproducer.c
ps auxw|grep udevd
=> find out PID of UDEVD
(I took the liberty to make it report errors ;)
UDEVPID is 445
marcus$ ./xx 445
sendmsg: Operation not permitted
I had 2 CVEs from the same reporter retracted after them being insubstantial last week.
I quickly checked udev in systemd 232, it checks sender UID for being 0.
But a quick recheck might be in order still.
we are sending to udevd, so not a kernel issue.
systemd/udev in SLE12 * : not affected.
udev 147 in SLE11 SP3 / SP4: not affected
This was already fixed by bug 493158 I think.
I filed for CVE rejection at Mitre.
*** This bug has been marked as a duplicate of bug 493158 ***