Systemd - Remote DOS of systemd-resolve service

Bug #1725351 reported by Thomas Imbert
266
This bug affects 1 person
Affects Status Importance Assigned to Milestone
systemd (Ubuntu)
Fix Released
Undecided
Marc Deslauriers
Zesty
Fix Released
Undecided
Marc Deslauriers
Artful
Fix Released
Undecided
Marc Deslauriers
Bionic
Fix Released
Undecided
Marc Deslauriers

Bug Description

Hello,

We would like to report a vulnerability about systemd which allows to DOS the systemd-resolve service.

The vulnerability is described in the attached PDF file.

Sincerely,
Thomas IMBERT
Sogeti ESEC R&D

Tags: patch

CVE References

Revision history for this message
Thomas Imbert (mastho) wrote :
Revision history for this message
Seth Arnold (seth-arnold) wrote :

Hello Thomas,

I've sent this along to upstream. Nice find.

Thanks

Revision history for this message
Zbigniew Jędrzejewski-Szmek (zbyszek-in) wrote :
Revision history for this message
Zbigniew Jędrzejewski-Szmek (zbyszek-in) wrote :
Revision history for this message
Martin Pitt (pitti) wrote :

Is there a CVE for this?

Do we need a formal embargo for this? (IMHO not, I'd classify it as annoying, but non-critical remote DoS) I. e. when can the fix be pushed upstream?

Thanks!

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

We (Ubuntu) don't require an embargo. Let's see if the original reporter requests one.

Revision history for this message
Thomas Imbert (mastho) wrote :

Do you think this vulnerability deserve a CVE as the bug isn't really critical ? How do we request a CVE ID ?

We also don't require an embargo on the release of the fix.

Thank you,

Revision history for this message
Martin Pitt (pitti) wrote :

A CVE is not about "critical", it's just a succinct name/label to put into changelogs, patches, etc. to say what you are talking about. But of course "LP: #1725351" just works as well as a reference. :-) (but it's distro specific)

Revision history for this message
Thomas Imbert (mastho) wrote :

Ok, thank you,

If we want to ask for a CVE ID, should we contact MITRE?

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Please do. You can use the form here:

https://cveform.mitre.org/

Please add a comment here with the CVE number you obtained. Thanks!

Revision history for this message
Thomas Imbert (mastho) wrote :

Form submitted!
Now, I guess we need to wait for their response.

Thanks

Revision history for this message
Zbigniew Jędrzejewski-Szmek (zbyszek-in) wrote :
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Can I make this bug public?

Changed in systemd (Ubuntu Zesty):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in systemd (Ubuntu Artful):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in systemd (Ubuntu Bionic):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in systemd (Ubuntu Zesty):
status: New → In Progress
Changed in systemd (Ubuntu Artful):
status: New → In Progress
Changed in systemd (Ubuntu Bionic):
status: New → In Progress
Revision history for this message
Martin Pitt (pitti) wrote :

@Marc: Everyone agreed to not have an embargo, and the downstream PR is public. It doesn't have much detail, but IMHO this can become public now.

information type: Private Security → Public Security
Revision history for this message
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "resolved-fix-loop-on-packets-with-pseudo-dns-types.patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
Revision history for this message
Thomas Imbert (mastho) wrote :

MITRE has assigned the CVE-2017-15908 for this vulnerability.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package systemd - 232-21ubuntu7.1

---------------
systemd (232-21ubuntu7.1) zesty-security; urgency=medium

  * SECURITY UPDATE: remote DoS in resolve (LP: #1725351)
    - debian/patches/CVE-2017-15908.patch: fix loop on packets with pseudo
      dns types in src/resolve/resolved-dns-packet.c.
    - CVE-2017-15908

 -- Marc Deslauriers <email address hidden> Thu, 26 Oct 2017 07:59:03 -0400

Changed in systemd (Ubuntu Zesty):
status: In Progress → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package systemd - 234-2ubuntu12.1

---------------
systemd (234-2ubuntu12.1) artful-security; urgency=medium

  * SECURITY UPDATE: remote DoS in resolve (LP: #1725351)
    - debian/patches/CVE-2017-15908.patch: fix loop on packets with pseudo
      dns types in src/resolve/resolved-dns-packet.c.
    - CVE-2017-15908

 -- Marc Deslauriers <email address hidden> Thu, 26 Oct 2017 07:56:42 -0400

Changed in systemd (Ubuntu Artful):
status: In Progress → Fix Released
Revision history for this message
David Glasser (glasser) wrote :

We manually enable systemd-resolved.service on xenial. It's installed though it is not the default. Does that mean we are not going to get the fix for this?

I'm also not an expert on NSEC/DNSSEC. Is this something that any random app that uses DNS can be vulnerable too, or does it require a program to specifically be trying to invoke DNSSEC somehow?

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package systemd - 235-2ubuntu3

---------------
systemd (235-2ubuntu3) bionic; urgency=medium

  * Revert "Skip test-bpf in autopkgtest, currently is failing."
    This reverts commit 75cf986e450e062a3d5780d1976e9efef41e6c4c.
  * Fix test-bpf test case on ubuntu.
  * Skip rename tests in containers, crude fix for now.

 -- Dimitri John Ledkov <email address hidden> Mon, 13 Nov 2017 00:06:42 +0000

Changed in systemd (Ubuntu Bionic):
status: In Progress → Fix Released
description: updated
description: updated
description: updated
Changed in systemd (Ubuntu Zesty):
assignee: Marc Deslauriers (mdeslaur) → William Gamazo Sanchez (willgamz)
assignee: William Gamazo Sanchez (willgamz) → nobody
Changed in systemd (Ubuntu Zesty):
assignee: nobody → Marc Deslauriers (mdeslaur)
description: updated
Revision history for this message
David Glasser (glasser) wrote :

@mdeslaur: Should I interpret the release of https://usn.ubuntu.com/usn/usn-3558-1/ as saying that the answer to my question in comment 19 is that yes, now we are getting the response?

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Hello. Yes, USN-3558-1 included the fix for Ubuntu 16.04 LTS for environments where systemd-resolved is manually enabled. Thanks.

Revision history for this message
David Glasser (glasser) wrote :

Thanks Marc! Do you happen to know the answer to my other question?

"I'm also not an expert on NSEC/DNSSEC. Is this something that any random app that uses DNS can be vulnerable too, or does it require a program to specifically be trying to invoke DNSSEC somehow?"

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Sorry, I don't know the answer to that question.

To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.

Other bug subscribers