Bugzilla – Bug 1133506
VUL-0: CVE-2019-3843: systemd: services with DynamicUser can create SUID/SGID binaries
Last modified: 2019-11-30 15:43:38 UTC
rh#1684607

It was discovered that a systemd service that uses DynamicUser property can create a SUID/SGID binary that would be allowed to run as the transient service UID/GID even after the service is terminated. A local attacker may use this flaw to access resources that will be owned by a potentially different service in the future, when the UID/GID will be recycled.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1684607
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-3843
https://bugs.chromium.org/p/project-zero/issues/detail?id=1771
https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1814596

Upstream patches:
https://github.com/systemd/systemd/commit/3c27973b13724ede05a06a5d346a569794cda433
https://github.com/systemd/systemd/commit/f69567cbe26d09eac9d387c0be0fc32c65a83ada
https://github.com/systemd/systemd/commit/9d880b70ba5c6ca83c82952f4c90e86e56c7b70c
https://github.com/systemd/systemd/commit/7445db6eb70e8d5989f481d0c5a08ace7047ae5b
https://github.com/systemd/systemd/commit/62aa29247c3d74bcec0607c347f2be23cd90675d
https://github.com/systemd/systemd/commit/bf65b7e0c9fc215897b676ab9a7c9d1c688143ba
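To audit a host for the leftover files this report describes, the following added example (not part of the original bug report and not systemd code) walks a directory tree and lists regular files whose set-user-ID or set-group-ID bit would grant an ID in the dynamic range. It assumes systemd's default dynamic UID/GID allocation range of 61184-65519; the function names and the default scan path are hypothetical.

```python
import os
import stat
import sys
import tempfile

# Assumption: systemd's default DynamicUser= allocation range (build-time configurable).
DYNAMIC_RANGE = (61184, 65519)


def find_leftover_suid_sgid(root, id_range=DYNAMIC_RANGE):
    """Return sorted (path, kind) pairs for regular files under root whose
    SUID/SGID bit would hand out a UID/GID that lies inside id_range."""
    lo, hi = id_range
    hits = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: never follow symlinks
            except OSError:
                continue  # file vanished or is unreadable
            if not stat.S_ISREG(st.st_mode):
                continue
            if st.st_mode & stat.S_ISUID and lo <= st.st_uid <= hi:
                hits.append((path, "suid"))
            if st.st_mode & stat.S_ISGID and lo <= st.st_gid <= hi:
                hits.append((path, "sgid"))
    return sorted(hits)


def demo():
    """Constructed sample tree: one set-user-ID file and one ordinary file,
    scanned with the current UID standing in for a dynamic UID."""
    with tempfile.TemporaryDirectory() as d:
        for name, mode in (("helper", 0o4755), ("plain", 0o755)):
            path = os.path.join(d, name)
            open(path, "w").close()
            os.chmod(path, mode)
        me = os.getuid()
        found = find_leftover_suid_sgid(d, (me, me))
        return [(os.path.basename(p), kind) for p, kind in found]


if __name__ == "__main__":
    scan_root = sys.argv[1] if len(sys.argv) > 1 else "/var/tmp"  # hypothetical default
    for path, kind in find_leftover_suid_sgid(scan_root):
        print(kind, path)
```
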
Dynamic user support seems to be in since v232; did we backport it?
Nope, therefore only SLE15 should be affected (I've not looked at the details yet).
Marcus, if I read the bug description correctly, it's not really a bug per se but some extra hardening measures (which rely on seccomp) introduced to make sure that services using DynamicUser=1 can't create or execute SUID/SGID binaries. At least none of the services shipped by systemd uses DynamicUser=1.
Did you find a reproducer, on the off chance?
(In reply to Marcus Meissner from comment #1)
> https://github.com/systemd/systemd/commit/
> bf65b7e0c9fc215897b676ab9a7c9d1c688143ba

Marcus, this commit is a compatibility break, and customers' services using DynamicUser=1 will break if they play tricks with SUID/SGID files. I don't think this will be the case in practice but who knows...
https://bugs.chromium.org/p/project-zero/issues/detail?id=1771 has a reproducer.

I would say the customers should not play tricks with this ;)
Agreed. I submitted new MR#192322 which should fix both this bug and bsc#1133509. Re-assigning to the secteam.
SUSE-SU-2019:1364-1: An update that solves four vulnerabilities and has 9 fixes is now available.

Category: security (moderate)
Bug References: 1036463,1121563,1124122,1125352,1125604,1126056,1127557,1130230,1132348,1132400,1132721,1133506,1133509
CVE References: CVE-2019-3842,CVE-2019-3843,CVE-2019-3844,CVE-2019-6454
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src): systemd-234-24.30.1, systemd-mini-234-24.30.1
SUSE Linux Enterprise Module for Basesystem 15 (src): systemd-234-24.30.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2019:1364-2: An update that solves four vulnerabilities and has 9 fixes is now available.

Category: security (moderate)
Bug References: 1036463,1121563,1124122,1125352,1125604,1126056,1127557,1130230,1132348,1132400,1132721,1133506,1133509
CVE References: CVE-2019-3842,CVE-2019-3843,CVE-2019-3844,CVE-2019-6454
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src): systemd-234-24.30.1, systemd-mini-234-24.30.1
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src): systemd-234-24.30.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
released