Bug 1034330 - (CVE-2017-7874) VUL-0: CVE-2017-7874: systemd: udevd: does not properly verify the source of a Netlink message
Status: RESOLVED DUPLICATE of bug 493158
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium, Severity: Normal
Assigned To: systemd maintainers
QA Contact: Security Team bot
Reported: 2017-04-15 18:49 UTC by Mikhail Kasimov
Modified: 2017-04-19 13:24 UTC


Attachments
reproducer.c (1.25 KB, text/plain)
2017-04-16 13:02 UTC, Marcus Meissner

Description Mikhail Kasimov 2017-04-15 18:49:03 UTC
Ref: https://nvd.nist.gov/vuln/detail/CVE-2017-7874
====================================================
Description

udevd in udev 232, when the Linux kernel 4.8.0 is used, does not properly verify the source of a Netlink message, which allows local users to execute arbitrary commands by leveraging access to the NETLINK_KOBJECT_UEVENT family, and the presence of the /lib/udev/rules.d/50-udev-default.rules file, to provide a crafted REMOVE_CMD value.
====================================================

Hyperlink:

[1] https://packetstormsecurity.com/files/142152/Linux-Kernel-4.8.0-udev-232-Privilege-Escalation.html

Not sure if it is applicable to (open-)SUSE, but v.232 can be used in the TW branch. Needs to be rechecked.
Comment 1 Marcus Meissner 2017-04-16 13:02:46 UTC
Created attachment 721359
reproducer.c

QA REPRODUCER:

gcc -o reproducer reproducer.c

ps auxw|grep udevd

  => find out PID of UDEVD

./reproducer $UDEVPID
Comment 2 Marcus Meissner 2017-04-16 14:40:17 UTC
(I took the liberty to make it report errors ;)

UDEVPID is 445 

marcus$ ./xx 445
sendmsg: Operation not permitted
marcus$
Comment 3 Marcus Meissner 2017-04-16 14:41:57 UTC
I had 2 CVEs from the same reporter retracted after them being insubstantial last week.

I quickly checked udev in systemd 232, it checks sender UID for being 0. 

But a quick recheck might be in order still.
Comment 4 Marcus Meissner 2017-04-18 07:10:38 UTC
we are sending to udevd, so not a kernel issue.
Comment 5 Marcus Meissner 2017-04-18 07:21:04 UTC
systemd/udev in SLE12 * : not affected.
udev 147 in SLE11 SP3 / SP4: not affected


This was already fixed by bug 493158 I think.
Comment 6 Marcus Meissner 2017-04-19 13:24:33 UTC
I filed for CVE rejection at Mitre.

*** This bug has been marked as a duplicate of bug 493158 ***
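
Comment 3 notes that udev in systemd 232 checks the sender UID for being 0. The following is an added illustration of that kind of receiver-side check on a NETLINK_KOBJECT_UEVENT socket; it is not the attached reproducer.c and not udev's own source. The names uevent_sender_trusted, check_constructed, sender_cred and GROUP_KERNEL are hypothetical, and rejecting every unicast message is a simplification.

```c
#include <string.h>
#include <sys/socket.h>
#include <linux/netlink.h>
#ifndef SCM_CREDENTIALS
#define SCM_CREDENTIALS 0x02  /* Linux value; glibc exposes it only with _GNU_SOURCE */
#endif
#define GROUP_KERNEL 1        /* multicast group the kernel broadcasts uevents on */
struct sender_cred { pid_t pid; uid_t uid; gid_t gid; };  /* layout of struct ucred */

/* Return 1 only if a received uevent datagram may be acted on. */
int uevent_sender_trusted(struct msghdr *msg)
{
    struct sockaddr_nl *src = msg->msg_name;
    struct cmsghdr *cmsg;
    struct sender_cred cred;

    if (src == NULL || msg->msg_namelen < sizeof(*src))
        return 0;
    if (src->nl_groups == 0)      /* unicast: this sketch trusts no unicast sender */
        return 0;
    if (src->nl_groups == GROUP_KERNEL && src->nl_pid != 0)
        return 0;                 /* kernel group, but not sent from kernel port 0 */
    cmsg = CMSG_FIRSTHDR(msg);    /* present only if SO_PASSCRED is set on the socket */
    if (cmsg == NULL || cmsg->cmsg_level != SOL_SOCKET ||
        cmsg->cmsg_type != SCM_CREDENTIALS || cmsg->cmsg_len < CMSG_LEN(sizeof(cred)))
        return 0;
    memcpy(&cred, CMSG_DATA(cmsg), sizeof(cred));
    return cred.uid == 0;         /* the sender-UID check */
}

/* Constructed input: fills a msghdr the way recvmsg() would, then runs the check. */
int check_constructed(unsigned pid, unsigned groups, int with_creds, uid_t uid)
{
    struct sockaddr_nl src = { .nl_family = AF_NETLINK, .nl_pid = pid, .nl_groups = groups };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(struct sender_cred))]; } ctl;
    struct sender_cred cred = { .pid = (pid_t)pid, .uid = uid, .gid = 0 };
    struct msghdr msg = { .msg_name = &src, .msg_namelen = sizeof(src) };
    if (with_creds) {
        msg.msg_control = ctl.buf;
        msg.msg_controllen = sizeof(ctl.buf);
        struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
        c->cmsg_level = SOL_SOCKET;
        c->cmsg_type = SCM_CREDENTIALS;
        c->cmsg_len = CMSG_LEN(sizeof(cred));
        memcpy(CMSG_DATA(c), &cred, sizeof(cred));
    }
    return uevent_sender_trusted(&msg);
}

int main(void) { return check_constructed(0, GROUP_KERNEL, 1, 0) ? 0 : 1; }
```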