ID CVE-2018-15687
Summary A race condition in chown_one() of systemd allows an attacker to cause systemd to set arbitrary permissions on arbitrary files. Affected releases are systemd versions up to and including 239.
References
Vulnerable Configurations
  • Canonical Ubuntu Linux 16.04 LTS (Long-Term Support)
    cpe:2.3:o:canonical:ubuntu_linux:16.04:-:-:-:lts
  • Canonical Ubuntu Linux 18.04 LTS Edition
    cpe:2.3:o:canonical:ubuntu_linux:18.04:-:-:-:lts
  • Canonical Ubuntu Linux 18.10
    cpe:2.3:o:canonical:ubuntu_linux:18.10
  • freedesktop Systemd 239
    cpe:2.3:a:freedesktop:systemd:239
CVSS
Base: 1.9
Impact:
Exploitability:
CWE CWE-362
CAPEC
  • Leveraging Race Conditions
    This attack targets a race condition occurring when multiple processes access and manipulate the same resource concurrently and the outcome of the execution depends on the particular order in which the access takes place. The attacker can leverage a race condition by "running the race": modifying the resource and thereby altering the normal execution flow. For instance, a race condition can occur while accessing a file: the attacker can trick the system by replacing the original file with their own version and cause the system to read the malicious file.
  • Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions
    This attack targets a race condition occurring between the time of check (state) of a resource and the time of use of that resource. The typical example is file access. The attacker can leverage a file access race condition by "running the race", meaning that they modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that window the attacker could, for example, replace the file and cause an escalation of privilege.
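The TOCTOU pattern above is the one behind this CVE: a recursive ownership fix-up stats a directory entry by name, then re-applies the recorded mode by name, and a symlink dropped into the entry between the two calls redirects the chmod. The following is an added example, not systemd's chown_one() nor the exploit-db entry; the temp directory, the file names victim/entry/plain and the attacker-chosen mode 04755 are constructed for the demonstration. It plays the race deterministically (the "attacker" wins by swapping the entry before the second call), shows the victim's mode being overwritten by the name-based fchmodat(), and then the same step done on a pinned descriptor, which refuses the swapped entry and still works on an unswapped file.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern: `seen` came from an earlier fstatat() by name (the check);
 * the mode is re-applied by name with fchmodat(..., 0) (the use). flags=0 means
 * a symlink that appeared at `name` in between is followed to its target. */
static int fixup_mode_vulnerable(int dirfd, const char *name, const struct stat *seen) {
    if (S_ISLNK(seen->st_mode))
        return 0;                       /* was a plain file when we looked... */
    if (fchmodat(dirfd, name, seen->st_mode & 07777, 0) < 0)
        return -errno;                  /* ...but the name is resolved again here */
    return 0;
}

/* Hardened pattern: pin the inode with O_NOFOLLOW (a symlink now fails with
 * ELOOP), confirm it is the inode seen at check time, then chmod the
 * descriptor so no path is resolved again. The upstream fix pins with O_PATH
 * instead; O_RDONLY is used here so the example does not depend on /proc. */
static int fixup_mode_hardened(int dirfd, const char *name, const struct stat *seen) {
    if (S_ISLNK(seen->st_mode))
        return 0;
    int fd = openat(dirfd, name, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_NOCTTY | O_CLOEXEC);
    if (fd < 0)
        return -errno;                  /* -ELOOP: entry became a symlink, refuse */
    struct stat now;
    int r = 0;
    if (fstat(fd, &now) < 0)
        r = -errno;
    else if (now.st_dev != seen->st_dev || now.st_ino != seen->st_ino)
        r = -ESTALE;                    /* a different inode than the one checked */
    else if (fchmod(fd, seen->st_mode & 07777) < 0)
        r = -errno;
    close(fd);
    return r;
}

/* Create an empty file with exactly `mode` (fchmod defeats the umask). */
static int create_file(int dirfd, const char *name, mode_t mode) {
    int fd = openat(dirfd, name, O_WRONLY | O_CREAT | O_EXCL | O_CLOEXEC, 0600);
    if (fd < 0 || fchmod(fd, mode) < 0) { int e = errno; if (fd >= 0) close(fd); return -e; }
    close(fd);
    return 0;
}

static mode_t perm_bits(int dirfd, const char *name) {
    struct stat st;
    return fstatat(dirfd, name, &st, AT_SYMLINK_NOFOLLOW) < 0 ? (mode_t)-1 : (st.st_mode & 07777);
}

struct demo_result {
    mode_t victim_after_vulnerable;   /* attacker's 04755 lands on the victim */
    int    hardened_rc;               /* -ELOOP: the swap is detected */
    mode_t victim_after_hardened;     /* victim keeps its 0600 */
    mode_t plain_restored;            /* hardened path still restores an unswapped file */
} demo;

/* Plays the race in a fresh constructed temp tree: the attacker owns the tree
 * being fixed up and swaps a regular file for a symlink between check and use.
 * Returns 0 on success or -errno if the setup itself failed. */
int run_demo(void) {
    char dir[] = "/tmp/chown_one_demo.XXXXXX";
    if (!mkdtemp(dir)) return -errno;
    int dirfd = open(dir, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (dirfd < 0) return -errno;
    struct stat seen, plain;
    int r = create_file(dirfd, "victim", 0600);            /* stand-in for a file outside the tree */
    if (r == 0) r = create_file(dirfd, "entry", 04755);    /* attacker picks the mode to be "restored" */
    if (r == 0 && fstatat(dirfd, "entry", &seen, AT_SYMLINK_NOFOLLOW) < 0) r = -errno;  /* the check */
    /* race won: entry is now a symlink pointing at victim */
    if (r == 0 && (unlinkat(dirfd, "entry", 0) < 0 || symlinkat("victim", dirfd, "entry") < 0)) r = -errno;
    if (r == 0) {
        fixup_mode_vulnerable(dirfd, "entry", &seen);       /* the use: follows the link */
        demo.victim_after_vulnerable = perm_bits(dirfd, "victim");
        fchmodat(dirfd, "victim", 0600, 0);                 /* reset for the second run */
        demo.hardened_rc = fixup_mode_hardened(dirfd, "entry", &seen);
        demo.victim_after_hardened = perm_bits(dirfd, "victim");
    }
    /* Control: with no swap, the hardened step still restores a drifted mode. */
    if (r == 0) r = create_file(dirfd, "plain", 0600);
    if (r == 0 && fstatat(dirfd, "plain", &plain, AT_SYMLINK_NOFOLLOW) < 0) r = -errno;
    if (r == 0) {
        fchmodat(dirfd, "plain", 0644, 0);                  /* mode changed after the check */
        r = fixup_mode_hardened(dirfd, "plain", &plain);
        demo.plain_restored = perm_bits(dirfd, "plain");
    }
    unlinkat(dirfd, "entry", 0); unlinkat(dirfd, "victim", 0); unlinkat(dirfd, "plain", 0);
    close(dirfd); rmdir(dir);
    return r;
}

int main(void) {
    int r = run_demo();
    if (r < 0) { fprintf(stderr, "setup failed: %s\n", strerror(-r)); return 1; }
    printf("vulnerable: victim mode %04o (attacker asked for 04755)\n", demo.victim_after_vulnerable);
    printf("hardened:   rc=%d (%s), victim mode %04o, unswapped file restored to %04o\n",
           demo.hardened_rc, strerror(-demo.hardened_rc), demo.victim_after_hardened, demo.plain_restored);
    return 0;
}
```

The point to take from the hardened variant is not the O_NOFOLLOW flag by itself but the combination: open without following, re-verify the inode against the one that was checked, and then operate on the descriptor rather than on the name. Any one of the three alone leaves a window. On a service whose state directory is recursively chowned at start (the DynamicUser= scenario the advisory below refers to), the "victim" would be whatever the symlink points at and the "attacker's mode" whatever bits they set on their own file beforehand.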
exploit-db via4
file exploits/linux/local/45715.txt
id EDB-ID:45715
last seen 2018-11-30
modified 2018-10-29
platform linux
port
published 2018-10-29
reporter Exploit-DB
source https://www.exploit-db.com/download/45715
title systemd - 'chown_one()' Dereference Symlinks
type local
nessus via4
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3816-2.NASL
    description USN-3816-1 fixed several vulnerabilities in systemd. However, the fix for CVE-2018-6954 was not sufficient. This update provides the remaining fixes. We apologize for the inconvenience. Original advisory details : Jann Horn discovered that unit_deserialize incorrectly handled status messages above a certain length. A local attacker could potentially exploit this via NotifyAccess to inject arbitrary state across re-execution and obtain root privileges. (CVE-2018-15686) Jann Horn discovered a race condition in chown_one(). A local attacker could potentially exploit this by setting arbitrary permissions on certain files to obtain root privileges. This issue only affected Ubuntu 18.04 LTS and Ubuntu 18.10. (CVE-2018-15687) It was discovered that systemd-tmpfiles mishandled symlinks in non-terminal path components. A local attacker could potentially exploit this by gaining ownership of certain files to obtain root privileges. This issue only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2018-6954). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-11
    plugin id 119043
    published 2018-11-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=119043
    title Ubuntu 16.04 LTS / 18.04 LTS / 18.10 : systemd vulnerability (USN-3816-2)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201810-10.NASL
    description The remote host is affected by the vulnerability described in GLSA-201810-10 (systemd: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in systemd. Please review the CVE identifiers referenced below for details. Impact : An attacker could possibly execute arbitrary code, cause a Denial of Service condition, or gain escalated privileges. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-12-11
    plugin id 118510
    published 2018-10-31
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=118510
    title GLSA-201810-10 : systemd: Multiple vulnerabilities
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2018-24BD6C9D4A.NASL
    description - Fix a local vulnerability from a race condition in chown-recursive (CVE-2018-15687, #1643367) - Fix a local vulnerability from invalid handling of long lines in state deserialization (CVE-2018-15686, #1643372) - Fix a remote vulnerability in DHCPv6 in systemd-networkd (CVE-2018-15688, #1643362) - Downgrade logging of various messages and add logging in other places - Many many fixes in error handling and minor memory leaks and such - Fix typos and omissions in documentation - Various smaller improvements to unit ordering and dependencies - Handling of invalid (intentionally corrupt) dbus messages is improved, fixing potential local DOS avenues - The target of symlinks in .wants/ and .requires/ is now ignored. This fixes an issue where the unit file would sometimes be loaded from such a symlink, leading to non-deterministic unit contents. - Filtering of kernel threads is improved. This fixes an issue with newer kernels where hybrid kernel/user threads are used by bpfilter. - Catalog entries for the journal are improved (#1639482) No need to reboot or log out. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2019-01-03
    plugin id 120295
    published 2019-01-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=120295
    title Fedora 28 : systemd (2018-24bd6c9d4a)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3816-1.NASL
    description Jann Horn discovered that unit_deserialize incorrectly handled status messages above a certain length. A local attacker could potentially exploit this via NotifyAccess to inject arbitrary state across re-execution and obtain root privileges. (CVE-2018-15686) Jann Horn discovered a race condition in chown_one(). A local attacker could potentially exploit this by setting arbitrary permissions on certain files to obtain root privileges. This issue only affected Ubuntu 18.04 LTS and Ubuntu 18.10. (CVE-2018-15687) It was discovered that systemd-tmpfiles mishandled symlinks in non-terminal path components. A local attacker could potentially exploit this by gaining ownership of certain files to obtain root privileges. This issue only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2018-6954). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-11
    plugin id 118907
    published 2018-11-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=118907
    title Ubuntu 16.04 LTS / 18.04 LTS / 18.10 : systemd vulnerabilities (USN-3816-1)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2018-C402EEA18B.NASL
    description - Fix a local vulnerability from a race condition in chown-recursive (CVE-2018-15687, #1639076) - Fix a local vulnerability from invalid handling of long lines in state deserialization (CVE-2018-15686, #1639071) - Fix a remote vulnerability in DHCPv6 in systemd-networkd (CVE-2018-15688, #1639067) - The DHCP server is started only when link is UP - DHCPv6 prefix delegation is improved - Downgrade logging of various messages and add logging in other places - Many many fixes in error handling and minor memory leaks and such - Fix typos and omissions in documentation - Typo in %%_environmnentdir rpm macro is fixed (with backwards compatibility preserved) - Matching by MACAddress= in systemd-networkd is fixed - Creation of user runtime directories is improved, and the user manager is only stopped 10 s after the user logs out (#1642460 and other bugs) - systemd units systemd-timesyncd, systemd-resolved, systemd-networkd are switched back to use DynamicUser=0 - Aliases are now resolved when loading modules from pid1. This is a (redundant) fix for a brief kernel regression. - 'systemctl --wait start' exits immediately if no valid units are named - zram devices are not considered as candidates for hibernation - ECN is not requested for both in- and out-going connections (the sysctl override for net.ipv4.tcp_ecn is removed) - Various smaller improvements to unit ordering and dependencies - generators are now called with the manager's environment - Handling of invalid (intentionally corrupt) dbus messages is improved, fixing potential local DOS avenues - The target of symlinks in .wants/ and .requires/ is now ignored. This fixes an issue where the unit file would sometimes be loaded from such a symlink, leading to non-deterministic unit contents. - Filtering of kernel threads is improved. This fixes an issue with newer kernels where hybrid kernel/user threads are used by bpfilter. - 'noresume' can be used on the kernel command line to force normal boot even if a hibernation image is present - Hibernation is not advertised if resume= is not present on the kernel command line - Hibernation/Suspend/... modes can be disabled using AllowSuspend=, AllowHibernation=, AllowSuspendThenHibernate=, AllowHybridSleep= - LOGO= and DOCUMENTATION_URL= are documented for the os-release file - The hashmap mempool is now only used internally in systemd, and is disabled for external users of the systemd libraries - Additional state is serialized/deserialized when logind is restarted, fixing the handling of user objects - Catalog entries for the journal are improved (#1639482) - If suspend fails, the post-suspend hooks are still called. - Various build issues on less-common architectures are fixed No need to reboot or log out. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2019-01-03
    plugin id 120769
    published 2019-01-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=120769
    title Fedora 29 : systemd (2018-c402eea18b)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3816-3.NASL
    description USN-3816-1 fixed vulnerabilities in systemd. The fix for CVE-2018-6954 caused a regression in systemd-tmpfiles when running Ubuntu inside a container on some older kernels. This issue only affected Ubuntu 16.04 LTS. In order to continue to support this configuration, the fixes for CVE-2018-6954 have been reverted. We apologize for the inconvenience. Original advisory details : Jann Horn discovered that unit_deserialize incorrectly handled status messages above a certain length. A local attacker could potentially exploit this via NotifyAccess to inject arbitrary state across re-execution and obtain root privileges. (CVE-2018-15686) Jann Horn discovered a race condition in chown_one(). A local attacker could potentially exploit this by setting arbitrary permissions on certain files to obtain root privileges. This issue only affected Ubuntu 18.04 LTS and Ubuntu 18.10. (CVE-2018-15687) It was discovered that systemd-tmpfiles mishandled symlinks in non-terminal path components. A local attacker could potentially exploit this by gaining ownership of certain files to obtain root privileges. This issue only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2018-6954). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-11
    plugin id 119253
    published 2018-11-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=119253
    title Ubuntu 16.04 LTS : systemd regression (USN-3816-3)
packetstorm via4
data source https://packetstormsecurity.com/files/download/149973/GS20181026152842.txt
id PACKETSTORM:149973
last seen 2018-10-26
published 2018-10-26
reporter Jann Horn
source https://packetstormsecurity.com/files/149973/Linux-systemd-Symlink-Dereference-Via-chown_one.html
title Linux systemd Symlink Dereference Via chown_one()
refmap via4
bid 105748
exploit-db 45715
gentoo GLSA-201810-10
misc https://github.com/systemd/systemd/pull/10517/commits
ubuntu USN-3816-1
Last major update 26-10-2018 - 10:29
Published 26-10-2018 - 10:29
Last modified 10-12-2018 - 16:49