Allele Security Alert
Privilege escalation by following non-terminal symlinks
Affected software: The systemd project
Affected versions: systemd versions up to and including v239
Fixed in: systemd version v240
Proof of concept
Before version v240, the systemd-tmpfiles program will follow symlinks present in a non-terminal path component while adjusting permissions and ownership. Often — and particularly with “Z” type entries — an attacker can introduce such a symlink and take control of arbitrary files on the system to gain root. The “fs.protected_symlinks” sysctl does not prevent this attack. Version v239 contained a partial fix, but only for the easy-to-exploit recursive “Z” type entries.
open() is following symlinks that don’t appear as the last path component. In other words, if we are at the point where tmpfiles is about to open(/var/lib/systemd-exploit-recursive/foo/passwd,…), then it’s possible to replace the “foo” component with a symlink to /etc, resulting in open(/etc/passwd,…) and a fairly easy root exploit for any Z type.
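The defensive counterpart to the behaviour described above, as an added illustration that is not systemd's own code: instead of handing a full path to open() and letting the kernel resolve every component, each component is resolved separately with openat(O_PATH|O_NOFOLLOW) and checked, so a directory that has been swapped for a symlink (foo -> /etc in the scenario above) is rejected with ELOOP before any permission change is applied. The chmod is then done through the already-opened descriptor via the /proc/self/fd magic link, which cannot be redirected afterwards. The helper names (open_nofollow_all, chmod_nofollow_all, demo) and the temporary directory layout are assumptions made for this example; it is Linux-specific and assumes /proc is mounted.

```c
/* Added example, not systemd code: resolve a path one component at a time so
 * that a symlink in a NON-terminal position is refused, then chmod through the
 * resulting descriptor.  Linux only (O_PATH, /proc/self/fd). */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns an O_PATH fd for `path`, or -1 (errno set).  O_NOFOLLOW on a single
 * open() only covers the last component; applying it per component is what
 * stops the "replace foo with a symlink to /etc" substitution. */
int open_nofollow_all(const char *path) {
    int dirfd = open(path[0] == '/' ? "/" : ".", O_PATH | O_DIRECTORY | O_CLOEXEC);
    if (dirfd < 0) return -1;
    char *copy = strdup(path);
    if (!copy) { close(dirfd); return -1; }
    char *save = NULL;
    for (char *comp = strtok_r(copy, "/", &save); comp; comp = strtok_r(NULL, "/", &save)) {
        if (strcmp(comp, ".") == 0) continue;
        if (strcmp(comp, "..") == 0) { errno = EINVAL; goto fail; } /* never climb out */
        int next = openat(dirfd, comp, O_PATH | O_NOFOLLOW | O_CLOEXEC);
        if (next < 0) goto fail;
        close(dirfd);
        dirfd = next;
        /* With O_PATH|O_NOFOLLOW a symlink is opened *as the link itself* rather
         * than rejected, so inspect what was actually opened. */
        struct stat st;
        if (fstat(dirfd, &st) < 0) goto fail;
        if (S_ISLNK(st.st_mode)) { errno = ELOOP; goto fail; }
    }
    free(copy);
    return dirfd;
fail:
    { int saved = errno; close(dirfd); free(copy); errno = saved; }
    return -1;
}

/* fchmod() refuses O_PATH descriptors, so chmod the /proc magic link instead;
 * it re-resolves to the inode already pinned by `fd`, not to the pathname. */
int chmod_nofollow_all(const char *path, mode_t mode) {
    int fd = open_nofollow_all(path);
    if (fd < 0) return -1;
    char proc[64];
    snprintf(proc, sizeof proc, "/proc/self/fd/%d", fd);
    int r = chmod(proc, mode);
    int saved = errno;
    close(fd);
    errno = saved;
    return r;
}

/* Constructed fixture: <tmp>/real/target plus <tmp>/link -> real.
 * Returns 1 when the path through the symlinked component is refused with
 * ELOOP and the genuine path is chmod'ed to 0600, else 0. */
int demo(void) {
    char tmpl[] = "/tmp/nofollowXXXXXX";
    char *base = mkdtemp(tmpl);
    if (!base) return 0;
    char real[256], target[256], link[256], via_link[256];
    snprintf(real, sizeof real, "%s/real", base);
    snprintf(target, sizeof target, "%s/real/target", base);
    snprintf(link, sizeof link, "%s/link", base);
    snprintf(via_link, sizeof via_link, "%s/link/target", base);
    int ok = 0;
    if (mkdir(real, 0700) == 0 && symlink("real", link) == 0) {
        int f = open(target, O_WRONLY | O_CREAT, 0644);
        if (f >= 0) {
            close(f);
            struct stat st;
            int rejected = chmod_nofollow_all(via_link, 0600) == -1 && errno == ELOOP;
            int fixed = chmod_nofollow_all(target, 0600) == 0
                     && stat(target, &st) == 0 && (st.st_mode & 07777) == 0600;
            ok = rejected && fixed;
        }
    }
    unlink(target); unlink(link); rmdir(real); rmdir(base);
    return ok;
}

int main(void) {
    printf("symlinked component refused, real path fixed: %s\n", demo() ? "yes" : "no");
    return 0;
}
```

The same per-component walk is what turns a "Z"-type recursive fixup from a race against the attacker into a deterministic check: anything that is not a real directory or file at the moment it is opened is skipped, and the later chmod/chown cannot be steered elsewhere because it operates on the descriptor, not on a pathname that may have changed.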
Franck Bui (SUSE) and Lennart Poettering
tmpfiles: symlinks are followed in non-terminal path components (CVE-2018-6954)
CVE-2018-6954: systemd-tmpfiles root privilege escalation by following non-terminal symlinks
CVE-2018-6954 - Red Hat Customer Portal
If there is any error in this alert, or if you would like a comprehensive analysis, let us know.
Last modified: September 4, 2019