ASA-2018-00092 – systemd: Privilege escalation by following non-terminal symlinks


Allele Security Alert

ASA-2018-00092

Identifier(s)

ASA-2018-00092, CVE-2018-6954

Title

Privilege escalation by following non-terminal symlinks

Vendor(s)

The systemd project

Product(s)

systemd

Affected version(s)

systemd versions up to and including v239

Fixed version(s)

systemd version v240

Proof of concept

Unknown

Description

Before version v240, the systemd-tmpfiles program followed symlinks present in non-terminal path components while adjusting permissions and ownership. Often, and particularly with “Z” type entries, an attacker can introduce such a symlink and take control of arbitrary files on the system to gain root. The “fs.protected_symlinks” sysctl does not prevent this attack. Version v239 contained a partial fix, but only for the easy-to-exploit recursive “Z” type entries.

Technical details

open() follows symlinks that appear anywhere other than the last path component. In other words, at the point where tmpfiles is about to call open(/var/lib/systemd-exploit-recursive/foo/passwd,…), it is possible to replace the “foo” component with a symlink to /etc, resulting in open(/etc/passwd,…) and a fairly easy root exploit for any Z type.
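The hardening pattern that addresses this class of bug, as an added example (not systemd's code and not the v240 patch): walk the path one component at a time with openat() and O_NOFOLLOW, so a symlink is refused in every component rather than only the last. The names open_nofollow_all and make_demo_tree and the scratch layout under /tmp are assumptions made for the demonstration; Linux is assumed.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open `path` relative to directory fd `root`, one component at a time, refusing
 * a symlink in every component, not only the last. Returns an fd, or -1. */
int open_nofollow_all(int root, const char *path, int flags) {
    char buf[4096], *save = NULL;
    if (strlen(path) >= sizeof buf) { errno = ENAMETOOLONG; return -1; }
    strcpy(buf, path);
    int dir = dup(root);
    char *comp = strtok_r(buf, "/", &save);
    while (dir >= 0 && comp) {
        char *next = strtok_r(NULL, "/", &save);
        if (!strcmp(comp, "..")) { close(dir); errno = EINVAL; return -1; }
        int f = (next ? O_RDONLY | O_DIRECTORY : flags) | O_NOFOLLOW | O_CLOEXEC;
        int fd = openat(dir, comp, f);
        int saved = errno;
        close(dir);
        errno = saved;
        dir = fd; /* -1 ends the loop with errno from openat() */
        comp = next;
    }
    return dir;
}

/* Constructed demo layout: tree/real/passwd is a file, tree/foo -> ../target. */
int make_demo_tree(void) {
    char base[] = "/tmp/asa-demo-XXXXXX";
    if (!mkdtemp(base) || chdir(base)) return -1;
    if (mkdir("tree", 0755) || mkdir("tree/real", 0755) || mkdir("target", 0755)) return -1;
    close(open("target/passwd", O_CREAT | O_WRONLY, 0644));
    close(open("tree/real/passwd", O_CREAT | O_WRONLY, 0644));
    if (symlink("../target", "tree/foo")) return -1;
    return open("tree", O_RDONLY | O_DIRECTORY);
}

int main(void) {
    int root = make_demo_tree();
    int a = open("tree/foo/passwd", O_RDONLY | O_NOFOLLOW); /* guards only "passwd" */
    int b = open_nofollow_all(root, "foo/passwd", O_RDONLY);
    printf("open(): %s; per-component: %s\n", a >= 0 ? "followed foo" : "failed", b >= 0 ? "opened" : strerror(errno));
    return root < 0;
}
```

Once the file is open, ownership and mode changes should go through the descriptor (fchown(), fchmod()) rather than through the path again. On Linux 5.6 and later, openat2() with RESOLVE_NO_SYMLINKS performs the same refusal in a single call.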

Credits

Franck Bui (SUSE) and Lennart Poettering

Reference(s)

tmpfiles: symlinks are followed in non-terminal path components (CVE-2018-6954)
https://github.com/systemd/systemd/issues/7986

CVE-2018-6954: systemd-tmpfiles root privilege escalation by following non-terminal symlinks
https://seclists.org/oss-sec/2018/q4/271

CVE-2018-6954 - Red Hat Customer Portal
https://access.redhat.com/security/cve/CVE-2018-6954

CVE-2018-6954 in Ubuntu
https://people.canonical.com/~ubuntu-security/cve/CVE-2018-6954.html

CVE-2018-6954
https://security-tracker.debian.org/tracker/CVE-2018-6954

CVE-2018-6954
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6954

CVE-2018-6954
https://nvd.nist.gov/vuln/detail/CVE-2018-6954

If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: September 4, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.