CVE-2018-15688: systemd-network does not correctly keep track of a buffer size

Bug #1820756 reported by Ken Young
Affects: StarlingX
Status: Fix Released
Importance: High
Assigned to: Mawrer Amed Ramirez Martinez

Bug Description

Title
-----
CVE-2018-15688: systemd-network does not correctly keep track of a buffer size.

Brief Description
-----------------
It was discovered that systemd-network does not correctly keep track of a buffer size when constructing DHCPv6 packets. This flaw may lead to an integer underflow that can be used to produce a heap-based buffer overflow. A malicious host on the same network segment as the victim's one may advertise itself as a DHCPv6 server and exploit this flaw to cause a Denial of Service or potentially gain code execution on the victim's machine.

+----------------+--------------------------------------------------------------------------------+
| CVE-2018-15688 | |
+----------------+--------------------------------------------------------------------------------+
| Max Score | 9.8 CRITICAL (nvd) |
| nvd | 9.8/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CRITICAL |
| redhat | 8.8/CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H IMPORTANT |
| nvd | 7.5/AV:N/AC:L/Au:N/C:P/I:P/A:P HIGH |
| Summary | A buffer overflow vulnerability in the dhcp6 client of systemd allows a |
| | malicious dhcp6 server to overwrite heap memory in systemd-networkd. |
| | Affected releases are systemd: versions up to and including 239. |
| CWE | CWE-122: Heap-based Buffer Overflow (redhat) |
| CWE | CWE-119: Improper Restriction of Operations within the Bounds of a Memory |
| | (nvd) |
| CWE | CWE-131: Incorrect Calculation of Buffer Size (redhat) |
| CWE | CWE-190: Integer Overflow or Wraparound (redhat) |
| Affected Pkg | libgudev1-219-62.el7.tis.11 -> 219-62.el7_6.5 (updates) |
| Affected Pkg | systemd-219-62.el7.tis.11 -> 219-62.el7_6.5 (updates) |
| Affected Pkg | systemd-libs-219-62.el7.tis.11 -> 219-62.el7_6.5 (updates) |
| Affected Pkg | systemd-sysv-219-62.el7.tis.11 -> 219-62.el7_6.5 (updates) |
| Confidence | 100 / OvalMatch |
| Source | https://nvd.nist.gov/vuln/detail/CVE-2018-15688 |
| CVSSv2 Calc | https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?name=CVE-2018-15688 |
| CVSSv3 Calc | https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?name=CVE-2018-15688 |
| RHEL-CVE | https://access.redhat.com/security/cve/CVE-2018-15688 |
| CWE | https://cwe.mitre.org/data/definitions/CWE-122.html |
| CWE | https://cwe.mitre.org/data/definitions/CWE-119.html |
| CWE | https://cwe.mitre.org/data/definitions/CWE-131.html |
| CWE | https://cwe.mitre.org/data/definitions/CWE-190.html |
+----------------+--------------------------------------------------------------------------------+

Severity
--------
Provide the severity of the defect.
<Major: System/Feature is usable but degraded>

Steps to Reproduce
------------------
N/A

Expected Behavior
------------------
N/A

Actual Behavior
----------------
N/A

Reproducibility
---------------
Reproducible

System Configuration
--------------------
N/A

Branch/Pull Time/Commit
-----------------------
N/A

Timestamp/Logs
--------------
N/A
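
The bug class named in the description above (a buffer-size counter that underflows while options are appended to a packet) is shown below as an added example; it is not systemd's code and not part of the original report. The function and struct names are hypothetical, the buffer sizes are constructed, and the only protocol fact assumed is the 4-byte DHCPv6 option header (2-byte code, 2-byte length).

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define OPT_HDR 4u /* DHCPv6 option header: 2-byte code + 2-byte length */

/* Flawed accounting (illustration only, performs no writes): the check
 * covers the payload but forgets the header, so the unsigned "space left"
 * counter can wrap to a huge value that later checks will trust. */
size_t remaining_after_append_flawed(size_t remaining, size_t payload_len)
{
    if (payload_len > remaining)
        return remaining;                        /* rejected, unchanged */
    return remaining - (OPT_HDR + payload_len);  /* wraps when header does not fit */
}

struct optbuf { uint8_t *cur; size_t remaining; };

/* Hardened append: header and payload are checked together, written so
 * that neither the comparison nor the subtraction can wrap. */
int append_option(struct optbuf *b, uint16_t code, const void *data, size_t len)
{
    if (len > UINT16_MAX)
        return -EINVAL;
    if (b->remaining < OPT_HDR || len > b->remaining - OPT_HDR)
        return -ENOBUFS;
    b->cur[0] = (uint8_t)(code >> 8);
    b->cur[1] = (uint8_t)(code & 0xff);
    b->cur[2] = (uint8_t)(len >> 8);
    b->cur[3] = (uint8_t)(len & 0xff);
    if (len)
        memcpy(b->cur + OPT_HDR, data, len);
    b->cur += OPT_HDR + len;
    b->remaining -= OPT_HDR + len;
    return 0;
}

int main(void)
{
    uint8_t buf[10], payload[8] = {0};           /* constructed sample sizes */
    struct optbuf b = { buf, sizeof buf };
    printf("flawed tracker after 8-byte option in 10 bytes: %zu\n",
           remaining_after_append_flawed(10, 8));
    printf("hardened append returns: %d\n", append_option(&b, 1, payload, 8));
    return 0;
}
```

With 10 bytes left, an 8-byte payload passes the flawed check and the counter wraps to nearly SIZE_MAX, which is how CWE-131 and CWE-190 turn into CWE-122 once later writes trust that counter.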

Ken Young (kenyis)
Changed in starlingx:
importance: Undecided → High
Ghada Khalil (gkhalil)
tags: added: stx.2019.05 stx.security
Bruce Jones (brucej)
Changed in starlingx:
assignee: nobody → Cesar Lara (clara1)
Ken Young (kenyis) wrote :

The community fixed this CVE on January 14th. To fix this CVE, please update the following packages:

libgudev1-219-62.el7.tis.11 -> 219-62.el7_6.5 (updates)
systemd-219-62.el7.tis.11 -> 219-62.el7_6.5 (updates)
systemd-libs-219-62.el7.tis.11 -> 219-62.el7_6.5 (updates)
systemd-sysv-219-62.el7.tis.11 -> 219-62.el7_6.5 (updates)

Ghada Khalil (gkhalil)
Changed in starlingx:
status: New → Triaged
Ken Young (kenyis)
tags: added: stx.build
information type: Private Security → Private
information type: Private → Private Security
Ken Young (kenyis)
tags: added: stx.2.0
removed: stx.2019.05
Mawrer Amed Ramirez Martinez (marami3) wrote :

The review link for the changes in the 'stx-tools' repo: https://review.openstack.org/#/c/651340/

Link for the changes in the 'stx-intg' repo: https://review.openstack.org/#/c/651369/

Ken Young (kenyis)
Changed in starlingx:
assignee: Cesar Lara (clara1) → Mawrer Amed Ramirez Martinez (marami3)
Ken Young (kenyis)
Changed in starlingx:
status: Triaged → Fix Released
Ken Young (kenyis)
information type: Private Security → Public