CVE-2018-15688: systemd remote code execution vulnerability affects Linux machines
Felix Wilhelm of the Google Security Team discovered a vulnerability in systemd's DHCPv6 client, now tracked as CVE-2018-15688. A single crafted DHCPv6 packet from a malicious DHCPv6 server on the same network can corrupt memory on the target host (an out-of-bounds heap write) and may lead to remote code execution.
Wilhelm describes the vulnerability as follows: "The function dhcp6_option_append_ia is used to encode Identity Associations received by the server into the options buffer of an outgoing DHCPv6 packet. The function receives a pointer to the option buffer buf, its remaining size buflen and the IA to be added to the buffer. While the check at (A) tries to ensure that the buffer has enough space left to store the IA option, it does not take the additional 4 bytes from the DHCP6Option header into account (B). Due to this, the memcpy at (C) can go out-of-bounds and *buflen can underflow in (D) giving an attacker a very powerful and largely controlled OOB heap write starting at (E). The overflow can be triggered relatively easily by advertising a DHCPv6 server with a server-id >= 493 characters long." (The labels (A) to (E) refer to the annotated source listing in Wilhelm's advisory, which is not reproduced here.)
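To make the mechanism in the quoted description concrete, the following C program is a constructed model added for this page; it is not systemd's code and does not serialise a real Identity Association. It pairs an option-append routine with the same flaw (the space check ignores the 4-byte option header, the memcpy runs past the end, and the remaining-length counter wraps) with a hardened counterpart, and drives both against a 60-byte option buffer that is followed by a guard region inside the same backing array, so the overflow is observable without the demo itself writing outside memory it owns. The function names, the 60-byte buffer size and the guard layout are assumptions; the 493-byte server-id threshold quoted above comes from systemd's actual packet layout and is not reproduced by this toy.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the bug class described in the quoted advisory.
 * This is NOT systemd's dhcp6_option_append_ia; the option payload here is an
 * opaque byte string so that only the length arithmetic is on show. Function
 * names, buffer sizes and the guard-region layout are assumptions. */

#define DHCP6_OPTION_HDR_LEN 4u   /* 16-bit option code + 16-bit option length (RFC 3315) */
#define DHCP6_OPTION_SERVERID 2u  /* option code of the Server Identifier option */

/* Shared serialisation step: writes the 4-byte header, then the payload. */
static void write_option(uint8_t *dst, uint16_t code, const uint8_t *payload, size_t payload_len)
{
    dst[0] = (uint8_t)(code >> 8);
    dst[1] = (uint8_t)code;
    dst[2] = (uint8_t)(payload_len >> 8);
    dst[3] = (uint8_t)payload_len;
    memcpy(dst + DHCP6_OPTION_HDR_LEN, payload, payload_len);  /* (C) */
}

/* Vulnerable shape: the check (A) compares the payload size alone against the
 * space left, ignoring the 4 header bytes (B). The memcpy (C) can therefore
 * run up to 4 bytes past the end of the buffer and the subtraction (D) wraps. */
int append_option_vulnerable(uint8_t **buf, size_t *buflen, uint16_t code,
                             const uint8_t *payload, size_t payload_len)
{
    if (*buflen < payload_len)                           /* (A) */
        return -1;
    write_option(*buf, code, payload, payload_len);
    *buf += DHCP6_OPTION_HDR_LEN + payload_len;
    *buflen -= DHCP6_OPTION_HDR_LEN + payload_len;       /* (D): size_t underflow */
    return 0;
}

/* Fixed shape: the header is part of the required space, and the payload must
 * also fit the 16-bit length field, before a single byte is written. */
int append_option_fixed(uint8_t **buf, size_t *buflen, uint16_t code,
                        const uint8_t *payload, size_t payload_len)
{
    if (payload_len > UINT16_MAX || *buflen < DHCP6_OPTION_HDR_LEN + payload_len)
        return -1;
    write_option(*buf, code, payload, payload_len);
    *buf += DHCP6_OPTION_HDR_LEN + payload_len;
    *buflen -= DHCP6_OPTION_HDR_LEN + payload_len;
    return 0;
}

#define OPT_BUF_LEN 60u
#define GUARD_LEN   4u
#define GUARD_BYTE  0xAAu

typedef struct {
    int    rc;            /* return value of the append call */
    size_t buflen_after;  /* remaining length the callee reports */
    int    guard_intact;  /* 1 if the bytes just past the option buffer survived */
} append_result;

/* Drives one variant against a 60-byte option buffer followed by a 4-byte
 * guard region in the same backing array, so an overflow of up to 4 bytes is
 * observable while the demo stays inside memory it owns. payload_len is
 * capped at OPT_BUF_LEN for that reason (rc = -2 otherwise). */
append_result run_scenario(int use_fixed, size_t payload_len)
{
    uint8_t backing[OPT_BUF_LEN + GUARD_LEN];
    uint8_t payload[OPT_BUF_LEN];
    append_result r = { -2, OPT_BUF_LEN, 1 };

    if (payload_len > sizeof payload)
        return r;

    memset(backing, 0, sizeof backing);
    memset(backing + OPT_BUF_LEN, GUARD_BYTE, GUARD_LEN);
    memset(payload, 'A', sizeof payload);   /* constructed attacker-chosen server-id bytes */

    uint8_t *buf = backing;
    size_t buflen = OPT_BUF_LEN;
    r.rc = use_fixed
         ? append_option_fixed(&buf, &buflen, DHCP6_OPTION_SERVERID, payload, payload_len)
         : append_option_vulnerable(&buf, &buflen, DHCP6_OPTION_SERVERID, payload, payload_len);
    r.buflen_after = buflen;
    for (size_t i = 0; i < GUARD_LEN; i++)
        if (backing[OPT_BUF_LEN + i] != GUARD_BYTE)
            r.guard_intact = 0;
    return r;
}

int main(void)
{
    const char *names[] = { "vulnerable", "fixed" };
    for (int fixed = 0; fixed < 2; fixed++) {
        append_result r = run_scenario(fixed, OPT_BUF_LEN);  /* payload exactly fills the buffer */
        printf("%-10s rc=%d buflen_after=%zu guard_intact=%d\n",
               names[fixed], r.rc, r.buflen_after, r.guard_intact);
    }
    return 0;
}
```

With a payload that exactly fills the 60-byte buffer, the vulnerable variant accepts it, clobbers the four guard bytes and reports a remaining length of SIZE_MAX - 3; the fixed variant rejects the same call and leaves both the guard and the counter untouched. On a real heap the four extra bytes land in whatever allocation follows, and the wrapped counter is the more dangerous part: every later append believes the buffer is practically unbounded, which is the "largely controlled OOB heap write" the advisory describes.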
The vulnerability is located in the DHCPv6 client code of systemd-networkd, systemd's network manager, and affects multiple Linux distributions that ship it: Ubuntu, Red Hat Enterprise Linux, Debian, Fedora, CoreOS, Mint and SUSE Linux Enterprise Server.
systemd-networkd starts its DHCPv6 client automatically when IPv6 is enabled on an interface and the local router advertises that addresses are managed by DHCPv6. Security teams should note that an attacker does not have to wait for that to happen: a rogue router on the same link can send a crafted IPv6 Router Advertisement with the "managed" flag set to make the client start, and then answer it with the malicious DHCPv6 reply that triggers the bug.
systemd maintainer Lennart Poettering has released a patch upstream.
Via: securityaffairs