Allele Security Alert
ASA-2018-00092
Identifier(s)
ASA-2018-00092, CVE-2018-6954
Title
Privilege escalation by following non-terminal symlinks
Vendor(s)
The systemd project
Product(s)
systemd
Affected version(s)
systemd versions up to and including v239
Fixed version(s)
systemd version v240
Proof of concept
Unknown
Description
Before version v240, the systemd-tmpfiles program will follow symlinks present in a non-terminal path component while adjusting permissions and ownership. Often — and particularly with “Z” type entries — an attacker can introduce such a symlink and take control of arbitrary files on the system to gain root. The “fs.protected_symlinks” sysctl does not prevent this attack. Version v239 contained a partial fix, but only for the easy-to-exploit recursive “Z” type entries.
Technical details
open() follows symlinks that do not appear as the last path component. In other words, if tmpfiles is at the point where it is about to call open(/var/lib/systemd-exploit-recursive/foo/passwd,…), it is possible to replace the “foo” component with a symlink to /etc, resulting in open(/etc/passwd,…) and a fairly easy root exploit for any Z type entry.
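The defensive counterpart to the behaviour described above, as an added example that is not code from the systemd project or from this advisory: instead of handing the whole path to open(), walk it one component at a time with openat() relative to the previous component, opening each non-terminal component with O_PATH|O_NOFOLLOW and rejecting it if fstat() reports a symlink. The program then runs both approaches against a constructed temporary tree in which a directory component has been replaced by a symlink, so the difference is visible. The function name open_nofollow_path, the struct demo_result and the fixture layout (<base>/target/passwd with <base>/foo linking to <base>/target) are assumptions made for this example; it targets Linux, where O_PATH is available.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE              /* O_PATH, mkdtemp(), realpath() in glibc headers */
#endif
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open an absolute path one component at a time, relative to the previous
 * component's fd. Non-terminal components are opened with O_PATH|O_NOFOLLOW and
 * must be real directories; the terminal one gets the caller's flags plus
 * O_NOFOLLOW. A symlink anywhere fails the walk with ELOOP, so a "foo" component
 * swapped for a link to /etc cannot redirect the open. Returns an fd or -1. */
int open_nofollow_path(const char *path, int flags)
{
    if (path == NULL || path[0] != '/') { errno = EINVAL; return -1; }

    int dirfd = open("/", O_PATH | O_DIRECTORY | O_CLOEXEC);
    if (dirfd < 0) return -1;

    char *copy = strdup(path);
    if (copy == NULL) { close(dirfd); errno = ENOMEM; return -1; }

    char *save = NULL;
    char *tok = strtok_r(copy, "/", &save);
    while (tok != NULL) {
        char *next = strtok_r(NULL, "/", &save);
        int fd;
        if (next != NULL) {
            /* O_NOFOLLOW|O_PATH hands back the link itself, so fstat() can reject it */
            struct stat st;
            fd = openat(dirfd, tok, O_PATH | O_NOFOLLOW | O_CLOEXEC);
            if (fd >= 0) {
                int err = fstat(fd, &st) != 0 ? errno
                        : S_ISLNK(st.st_mode)  ? ELOOP
                        : !S_ISDIR(st.st_mode) ? ENOTDIR : 0;
                if (err) { close(fd); fd = -1; errno = err; }
            }
        } else {
            fd = openat(dirfd, tok, flags | O_NOFOLLOW | O_CLOEXEC);  /* ELOOP if symlink */
        }
        int saved = errno;
        close(dirfd);
        if (fd < 0) { free(copy); errno = saved; return -1; }
        dirfd = fd;
        tok = next;
    }
    free(copy);
    return dirfd;
}

/* Outcome of run_demo() on a constructed fixture (hypothetical layout, not from
 * the advisory): <base>/target/passwd is a plain file and <base>/foo is a
 * symlink to <base>/target, playing the "foo" component the text describes. */
struct demo_result {
    int fixture_ok;      /* temp tree was built */
    int plain_open_ok;   /* plain open() went through the symlink component */
    int safe_open_ok;    /* open_nofollow_path() went through it (expected 0) */
    int safe_errno;      /* errno from open_nofollow_path() (expected ELOOP) */
    int honest_path_ok;  /* open_nofollow_path() opens the symlink-free path */
};

struct demo_result run_demo(void)
{
    struct demo_result r = {0, 0, 0, 0, 0};
    char tmpl[PATH_MAX] = "/tmp/tmpfiles-demo-XXXXXX", base[PATH_MAX];
    if (mkdtemp(tmpl) == NULL) {                /* fall back to the working dir */
        strcpy(tmpl, "tmpfiles-demo-XXXXXX");
        if (mkdtemp(tmpl) == NULL) return r;
    }
    if (realpath(tmpl, base) == NULL) { rmdir(tmpl); return r; }

    char target[PATH_MAX], passwd[PATH_MAX], foo[PATH_MAX], via_link[PATH_MAX];
    snprintf(target, sizeof target, "%s/target", base);
    snprintf(passwd, sizeof passwd, "%s/target/passwd", base);
    snprintf(foo, sizeof foo, "%s/foo", base);
    snprintf(via_link, sizeof via_link, "%s/foo/passwd", base);

    int fd = -1;
    if (mkdir(target, 0700) == 0 &&
        (fd = open(passwd, O_WRONLY | O_CREAT | O_EXCL | O_CLOEXEC, 0600)) >= 0 &&
        symlink(target, foo) == 0)
        r.fixture_ok = 1;
    if (fd >= 0) close(fd);

    if (r.fixture_ok) {
        fd = open(via_link, O_RDONLY);           /* kernel follows foo -> target */
        r.plain_open_ok = fd >= 0; if (fd >= 0) close(fd);

        fd = open_nofollow_path(via_link, O_RDONLY);
        r.safe_open_ok = fd >= 0; r.safe_errno = fd < 0 ? errno : 0;
        if (fd >= 0) close(fd);

        fd = open_nofollow_path(passwd, O_RDONLY);
        r.honest_path_ok = fd >= 0; if (fd >= 0) close(fd);
    }
    unlink(foo); unlink(passwd); rmdir(target); rmdir(base);   /* tear down */
    return r;
}

int main(void)
{
    struct demo_result r = run_demo();
    printf("fixture built: %d\n", r.fixture_ok);
    printf("plain open() via symlink component: %s\n", r.plain_open_ok ? "succeeded" : "failed");
    printf("open_nofollow_path() via symlink component: %s (errno %d, ELOOP=%d)\n",
           r.safe_open_ok ? "succeeded" : "refused", r.safe_errno, ELOOP);
    printf("open_nofollow_path() on symlink-free path: %s\n", r.honest_path_ok ? "succeeded" : "failed");
    return 0;
}
```

The point of holding an fd to each component is that the check and the use refer to the same directory object: once a component has been opened and verified to be a real directory, swapping it for a symlink afterwards cannot affect the next openat(), whereas a lstat()-then-open() sequence on the full path string would still be racy. The same walk can be used before fchmod()/fchown() on the final fd when adjusting permissions, which is the operation the advisory is about.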
Credits
Franck Bui (SUSE) and Lennart Poettering
Reference(s)
tmpfiles: symlinks are followed in non-terminal path components (CVE-2018-6954)
https://github.com/systemd/systemd/issues/7986
CVE-2018-6954: systemd-tmpfiles root privilege escalation by following non-terminal symlinks
https://seclists.org/oss-sec/2018/q4/271
CVE-2018-6954 - Red Hat Customer Portal
https://access.redhat.com/security/cve/CVE-2018-6954
https://people.canonical.com/~ubuntu-security/cve/CVE-2018-6954.html
CVE-2018-6954
https://security-tracker.debian.org/tracker/CVE-2018-6954
CVE-2018-6954
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6954
CVE-2018-6954
https://nvd.nist.gov/vuln/detail/CVE-2018-6954
If there is any error in this alert, or you would like a comprehensive analysis, let us know.
Last modified: September 4, 2019