Systemd - Remote DOS of systemd-resolve service

Bug #1725351 reported by Thomas Imbert on 2017-10-20
Affects: systemd (Ubuntu), status tracked in Bionic
  Zesty: importance Undecided, assigned to Marc Deslauriers
  Artful: importance Undecided, assigned to Marc Deslauriers
  Bionic: importance Undecided, assigned to Marc Deslauriers

Bug Description

Hello,

We would like to report a vulnerability in systemd which allows a DoS of the systemd-resolve service.

The vulnerability is described in the attached PDF file.

Sincerely,
Thomas IMBERT
Sogeti ESEC R&D

Seth Arnold (seth-arnold) wrote :

Hello Thomas,

I've sent this along to upstream. Nice find.

Thanks

Martin Pitt (pitti) wrote :

Is there a CVE for this?

Do we need a formal embargo for this? (IMHO not, I'd classify it as annoying, but non-critical remote DoS) I.e. when can the fix be pushed upstream?

Thanks!

Marc Deslauriers (mdeslaur) wrote :

We (Ubuntu) don't require an embargo. Let's see if the original reporter requests one.

Thomas Imbert (mastho) wrote :

Do you think this vulnerability deserves a CVE, as the bug isn't really critical? How do we request a CVE ID?

We also don't require an embargo on the release of the fix.

Thank you,

Martin Pitt (pitti) wrote :

A CVE is not about "critical", it's just a succinct name/label to put into changelogs, patches, etc. to say what you are talking about. But of course "LP: #1725351" just works as well as a reference. :-) (but it's distro specific)

Thomas Imbert (mastho) wrote :

Ok, thank you,

If we want to ask for a CVE ID, should we contact MITRE?

Marc Deslauriers (mdeslaur) wrote :

Please do. You can use the form here:

https://cveform.mitre.org/

Please add a comment here with the CVE number you obtained. Thanks!

Thomas Imbert (mastho) wrote :

Form submitted!
Now, I guess we need to wait for their response.

Thanks

Marc Deslauriers (mdeslaur) wrote :

Can I make this bug public?

Changed in systemd (Ubuntu Zesty):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in systemd (Ubuntu Artful):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in systemd (Ubuntu Bionic):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in systemd (Ubuntu Zesty):
status: New → In Progress
Changed in systemd (Ubuntu Artful):
status: New → In Progress
Changed in systemd (Ubuntu Bionic):
status: New → In Progress

Martin Pitt (pitti) wrote :

@Marc: Everyone agreed to not have an embargo, and the downstream PR is public. It doesn't have much detail, but IMHO this can become public now.

information type: Private Security → Public Security

The attachment "resolved-fix-loop-on-packets-with-pseudo-dns-types.patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch

Thomas Imbert (mastho) wrote :

MITRE has assigned CVE-2017-15908 to this vulnerability.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package systemd - 232-21ubuntu7.1

---------------
systemd (232-21ubuntu7.1) zesty-security; urgency=medium

  * SECURITY UPDATE: remote DoS in resolve (LP: #1725351)
    - debian/patches/CVE-2017-15908.patch: fix loop on packets with pseudo
      dns types in src/resolve/resolved-dns-packet.c.
    - CVE-2017-15908

 -- Marc Deslauriers <email address hidden> Thu, 26 Oct 2017 07:59:03 -0400

Changed in systemd (Ubuntu Zesty):
status: In Progress → Fix Released

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package systemd - 234-2ubuntu12.1

---------------
systemd (234-2ubuntu12.1) artful-security; urgency=medium

  * SECURITY UPDATE: remote DoS in resolve (LP: #1725351)
    - debian/patches/CVE-2017-15908.patch: fix loop on packets with pseudo
      dns types in src/resolve/resolved-dns-packet.c.
    - CVE-2017-15908

 -- Marc Deslauriers <email address hidden> Thu, 26 Oct 2017 07:56:42 -0400

Changed in systemd (Ubuntu Artful):
status: In Progress → Fix Released

David Glasser (glasser) wrote :

We manually enable systemd-resolved.service on xenial. It's installed though it is not the default. Does that mean we are not going to get the fix for this?

I'm also not an expert on NSEC/DNSSEC. Is this something that any random app that uses DNS can be vulnerable to, or does it require a program to specifically be trying to invoke DNSSEC somehow?

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package systemd - 235-2ubuntu3

---------------
systemd (235-2ubuntu3) bionic; urgency=medium

  * Revert "Skip test-bpf in autopkgtest, currently is failing."
    This reverts commit 75cf986e450e062a3d5780d1976e9efef41e6c4c.
  * Fix test-bpf test case on ubuntu.
  * Skip rename tests in containers, crude fix for now.

 -- Dimitri John Ledkov <email address hidden> Mon, 13 Nov 2017 00:06:42 +0000

Changed in systemd (Ubuntu Bionic):
status: In Progress → Fix Released