ASA-2018-00002 – systemd: Out-of-bounds write in systemd-networkd dhcpv6 option handling


Allele Security Alert

ASA-2018-00002

Identifier(s)

ASA-2018-00002, CVE-2018-15688

Title

Out-of-bounds write in systemd-networkd dhcpv6 option handling

Vendor(s)

The systemd project

Product(s)

systemd

Affected version(s)

systemd up to 239

Fixed version(s)

systemd 240

Description

The DHCPv6 client in systemd-networkd does not properly validate whether the buffer has enough space to store a DHCP6Option passed by a DHCP server and, as a result, allows an out-of-bounds write during option handling.
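
The class of check involved, as an added example that is neither systemd's code nor part of the original alert: a DHCPv6 option is a 4-byte header (2-byte code, 2-byte length, per RFC 8415) followed by its payload, so a space check must count both. All function names and the sample buffer are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define OPT_HDR_LEN 4u /* DHCPv6 option header: 2-byte code + 2-byte length */

/* Flawed check (hypothetical name): compares the remaining space with the
 * payload only, ignoring the header. It is a predicate and never writes. */
static int fits_payload_only(size_t buflen, size_t optlen) {
    return buflen >= optlen;
}

/* Correct check: header plus payload must fit, written to avoid wrap-around. */
static int fits_with_header(size_t buflen, size_t optlen) {
    return optlen <= UINT16_MAX && buflen >= OPT_HDR_LEN &&
           optlen <= buflen - OPT_HDR_LEN;
}

/* Append one option at *buf, advancing the cursor and shrinking *buflen.
 * Returns 0 on success, -1 if it does not fit (nothing is written). */
static int option_append(uint8_t **buf, size_t *buflen, uint16_t code,
                         const void *data, size_t optlen) {
    if (!buf || !*buf || !buflen || (optlen > 0 && !data))
        return -1;
    if (!fits_with_header(*buflen, optlen))
        return -1;
    (*buf)[0] = (uint8_t)(code >> 8);   /* option code, network byte order */
    (*buf)[1] = (uint8_t)(code & 0xff);
    (*buf)[2] = (uint8_t)(optlen >> 8); /* option length, network byte order */
    (*buf)[3] = (uint8_t)(optlen & 0xff);
    if (optlen > 0)
        memcpy(*buf + OPT_HDR_LEN, data, optlen);
    *buf += OPT_HDR_LEN + optlen;
    *buflen -= OPT_HDR_LEN + optlen;
    return 0;
}

int main(void) {
    uint8_t storage[8], *cur = storage;
    size_t left = 6; /* constructed case: only 6 bytes of space remain */
    const uint8_t payload[4] = {1, 2, 3, 4}; /* needs 4 + 4 = 8 bytes */
    printf("payload-only check accepts: %d\n",
           fits_payload_only(left, sizeof payload));
    printf("append with header-aware check returns: %d\n",
           option_append(&cur, &left, 2, payload, sizeof payload));
    return 0;
}
```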

Technical details

Unknown

Credits

Felix Wilhelm (Google Project Zero)

Reference(s)

Out-of-Bounds write in systemd-networkd dhcpv6 option handling
https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1795921

dhcp6: make sure we have enough space for the DHCP6 option header
https://github.com/poettering/systemd/commit/49653743f69658aeeebdb14faf1ab158f1f2cb20

DHCP is hard
https://conference.hitb.org/hitbsecconf2018dxb/materials/D2T1%20-%20DHCP%20is%20Hard%20-%20Felix%20Wilhelm.pdf

CVE-2018-15688
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15688

CVE-2018-15688
https://nvd.nist.gov/vuln/detail/CVE-2018-15688

If there is any error in this alert or you would like a comprehensive analysis, let us know.

Last modified: September 3, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.