ASA-2019-00531 – systemd: Missing access controls on systemd-resolved’s D-Bus interface


Allele Security Alert

ASA-2019-00531

Identifier(s)

ASA-2019-00531, CVE-2019-15718

Title

Missing access controls on systemd-resolved’s D-Bus interface

Vendor(s)

The systemd project

Product(s)

systemd

Affected version(s)

systemd versions before v243

Fixed version(s)

systemd version v243

Proof of concept

Unknown

Description

It was discovered that systemd-resolved does not enforce appropriate access controls on its D-Bus interface and allows unprivileged users to execute methods that are meant to be available only to privileged users. This can be exploited by local users to modify the system’s DNS resolver settings.

Technical details

The function manager_connect_bus() in src/resolve/resolved-bus.c opens a connection to the system bus using the bus_open_system_watch_bind_with_description() helper function, which is defined in src/shared/bus-util.c.

This helper function calls sd_bus_set_trusted(), which marks every peer on the connection as trusted. That disables sd-bus's per-member access check entirely, even for members defined without the SD_BUS_VTABLE_UNPRIVILEGED flag, whose absence should cause calls from unprivileged clients to be rejected. See check_access() in src/libsystemd/sd-bus/bus-objects.c:

static int check_access(sd_bus *bus, sd_bus_message *m, struct vtable_member *c, sd_bus_error *error) {
        uint64_t cap;
        int r;

        assert(bus);
        assert(m);
        assert(c);

        /* If the entire bus is trusted let's grant access */
        if (bus->trusted)
                return 0;

        /* If the member is marked UNPRIVILEGED let's grant access */
        if (c->vtable->flags & SD_BUS_VTABLE_UNPRIVILEGED)
                return 0;
        ...

timesyncd and networkd use the same helper function to connect to the system bus, but neither is affected by this bug: timesyncd exposes only read-only properties, which carry no access controls, and networkd annotates all of its methods with SD_BUS_VTABLE_UNPRIVILEGED and enforces access through polkit (PolicyKit) instead.
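To make the effect of the trusted flag concrete, the following is an added example written for this alert, not code from systemd: a stand-alone model of the check_access() decision path excerpted above. The struct layouts, the caller description (uid plus a capability bitmask), the query_sender_privilege() stand-in for sd_bus_query_sender_privilege(), the numeric flag encodings and the member name are assumptions chosen for illustration; only the order of the checks (trusted bus, UNPRIVILEGED flag, then the member's capability, defaulting to CAP_SYS_ADMIN as documented in sd_bus_add_object_vtable(3)) mirrors the real function. before_fix models the helper calling sd_bus_set_trusted() in versions before v243.

```c
/* Added example (not systemd's own code): model of the check_access()
 * decision path, before and after the v243 fix. Struct layouts, the caller
 * model, query_sender_privilege() and the flag encodings below are assumed
 * for illustration; the real definitions live in sd-bus-vtable.h. */
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Model encoding: UNPRIVILEGED is one bit; CAPABILITY(x) stores x+1 in a
 * byte-wide field so that 0 can mean "no capability given, use default". */
#define SD_BUS_VTABLE_UNPRIVILEGED   (1ULL << 2)
#define SD_BUS_VTABLE_CAPABILITY(x)  ((uint64_t)(((x) + 1) & 0xFF) << 40)
#define CAPABILITY_SHIFT(flags)      ((unsigned)(((flags) >> 40) & 0xFF))
#define CAP_NET_ADMIN 12              /* Linux capability numbers */
#define CAP_SYS_ADMIN 21

typedef struct sd_bus { bool trusted; } sd_bus;
typedef struct vtable_member { const char *name; uint64_t flags; } vtable_member;
typedef struct caller { unsigned uid; uint64_t caps; } caller;

/* Stand-in for sd_bus_query_sender_privilege(): root, or a sender holding
 * the requested effective capability, counts as privileged. */
static int query_sender_privilege(const caller *sender, unsigned cap) {
        if (sender->uid == 0)
                return 1;
        return (sender->caps & (1ULL << cap)) ? 1 : 0;
}

/* Model of check_access(): 0 grants, -EACCES denies. */
static int check_access(const sd_bus *bus, const caller *sender, const vtable_member *c) {
        unsigned cap;

        /* The bug: bus_open_system_watch_bind_with_description() set this
         * for resolved, so every call is granted here regardless of c. */
        if (bus->trusted)
                return 0;

        /* Members explicitly opened to unprivileged clients pass here. */
        if (c->flags & SD_BUS_VTABLE_UNPRIVILEGED)
                return 0;

        /* Otherwise the sender needs the member's capability, or
         * CAP_SYS_ADMIN when the vtable entry names none. */
        cap = CAPABILITY_SHIFT(c->flags);
        cap = (cap == 0) ? CAP_SYS_ADMIN : cap - 1;

        return query_sender_privilege(sender, cap) > 0 ? 0 : -EACCES;
}

/* Returns 1 if a sender with the given uid and capability set may invoke a
 * member carrying the given vtable flags; before_fix models the helper
 * calling sd_bus_set_trusted(bus, true) as it did before v243. */
int access_granted(bool before_fix, unsigned uid, uint64_t caps, uint64_t member_flags) {
        sd_bus bus = { .trusted = before_fix };
        caller sender = { .uid = uid, .caps = caps };
        /* Member name is illustrative only. */
        vtable_member member = { .name = "PrivilegedMethod", .flags = member_flags };

        return check_access(&bus, &sender, &member) == 0;
}

int main(void) {
        const uint64_t no_flags = 0;   /* a member defined without UNPRIVILEGED */

        printf("before fix, uid 1000, no caps, privileged-only member: %s\n",
               access_granted(true, 1000, 0, no_flags) ? "GRANTED (bug)" : "denied");
        printf("after fix,  uid 1000, no caps, privileged-only member: %s\n",
               access_granted(false, 1000, 0, no_flags) ? "granted" : "DENIED");
        printf("after fix,  uid 1000 with CAP_NET_ADMIN, member requires CAP_NET_ADMIN: %s\n",
               access_granted(false, 1000, 1ULL << CAP_NET_ADMIN,
                              SD_BUS_VTABLE_CAPABILITY(CAP_NET_ADMIN)) ? "granted" : "DENIED");
        printf("after fix,  uid 1000 with CAP_NET_ADMIN, member names no capability: %s\n",
               access_granted(false, 1000, 1ULL << CAP_NET_ADMIN, no_flags) ? "granted" : "DENIED");
        return 0;
}
```

Build with a C11 compiler and run it: the first line shows the pre-v243 path granting a privileged-only member to an ordinary uid, the second shows the same call denied once the connection is no longer trusted, and the last two show that after the fix the caller's capabilities, not the trusted flag, decide the outcome.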

Credits

Nadav Markus (Palo Alto Networks)

Reference(s)

CVE-2019-15718: Missing access controls on systemd-resolved’s D-Bus interface
https://seclists.org/oss-sec/2019/q3/191

Resolved issue by keszybz · Pull Request #13457 · systemd/systemd
https://github.com/systemd/systemd/pull/13457

shared/but-util: drop trusted annotation from bus_open_system_watch_bind_with_description()
https://github.com/systemd/systemd/commit/35e528018f315798d3bffcb592b32a0d8f5162bd

CVE-2019-15718 - Red Hat Customer Portal
https://access.redhat.com/security/cve/CVE-2019-15718

CVE-2019-15718 in Ubuntu
https://people.canonical.com/~ubuntu-security/cve/CVE-2019-15718.html

CVE-2019-15718
https://security-tracker.debian.org/tracker/CVE-2019-15718

CVE-2019-15718 | SUSE
https://www.suse.com/security/cve/CVE-2019-15718

CVE-2019-15718
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15718

CVE-2019-15718
https://nvd.nist.gov/vuln/detail/CVE-2019-15718

If there is any error in this alert, or you would like a comprehensive analysis, let us know.

Last modified: September 3, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.