Debian 10.3 a 9.12

Vulnerability in systemd, potentially allowing to increase its privileges February 9, 2020 8:50

The system manager systemd identified vulnerability ( CVE-2020-1712 ), which potentially allows for execution of the code from an elevated specially decorated by sending a request for bus DBus. The problem is corrected in a test release systemd 245 rc1- (patches solving the problem: 1 , 2 , 3 ). The vulnerability is fixed in the distributions of Ubuntu , the Fedora , RHEL (shown in RHEL 8, but does not affect RHEL 7), the CentOS , the SUSE / the openSUSE and ROSA , but at the time of writing the news remains uncorrected in Debian и Arch Linux.

The vulnerability is caused by an appeal to already freed memory area (use-after-free), arises when an asynchronous query execution to Polkit during DBus-messaging. Some DBus-interfaces use cache to store objects in a short time and clean cache entries as soon as the bus DBus available to handle other requests. If the handler method uses DBus-bus_verify_polkit_async (), it may be necessary to complete the action expected in Polkit. When ready Polkit handler is called repeatedly and refers to previously distributed in-memory data. If the request to Polkit takes too long, the elements in the cache time to be cleansed before the DBus-handler method is called a second time.

Of services that allow to exploit the vulnerability, says systemd-machined, which provides a DBus API org.freedesktop.machine1.Image.Clone, leading to temporarily save the data in the cache and asynchronous handling to Polkit. Org.freedesktop.machine1.Image.Clone interface is available to all non-privileged users on the system, which can trigger the collapse of systemd services or potentially achieve code execution with root privileges (the prototype has not yet demonstrated the exploit). Code to exploit the vulnerability, was added to the systemd-machined in the 2015 version of systemd 220 (in RHEL 7.x uses systemd 219).