CVE-2018-15688

Impact:
Important
Public Date:
2018-10-26
CWE:
CWE-131->CWE-190->CWE-122
Bugzilla:
1639067: CVE-2018-15688 systemd: Out-of-bounds heap write in systemd-networkd dhcpv6 option handling
It was discovered that systemd-network does not correctly keep track of a buffer size when constructing DHCPv6 packets. This flaw may lead to an integer underflow that can be used to produce an heap-based buffer overflow. A malicious host on the same network segment as the victim's one may advertise itself as a DHCPv6 server and exploit this flaw to cause a Denial of Service or potentially gain code execution on the victim's machine.

Find out more about CVE-2018-15688 from the MITRE CVE dictionary dictionary and NIST NVD.

Statement

This issue affects the versions of systemd-networkd as shipped with Red Hat Enterprise Linux 7, however the package is available only through the rhel-7-server-optional-rpms repository and it cannot be exploited unless the interface is explicitly configured to use DHCP.

This issue affects the versions of NetworkManager as shipped with Red Hat Enterprise Linux 7 because the package includes some parts of the systemd-networkd code, which present the same vulnerability. NetworkManager is vulnerable to this flaw only when configured to use the internal DHCP, which is not the default. However, when it is, the flaw may be triggered by a connection where either ipv6.method is set to dhcp or it is set to auto, which is the default value.

CVSS v3 metrics

CVSS3 Base Score 8.8
CVSS3 Base Metrics CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector Adjacent Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality High
Integrity Impact High
Availability Impact High

Red Hat Security Errata

Platform Errata Release Date
Red Hat Enterprise Linux 7 (systemd) RHSA-2019:0049 2019-01-14
Red Hat Enterprise Linux 7 (NetworkManager) RHSA-2018:3665 2018-11-27

Affected Packages State

Platform Package State
Red Hat Virtualization 4 rhvm-appliance Not affected
Red Hat Virtualization 4 redhat-virtualization-host Not affected
Red Hat Enterprise Linux 6 NetworkManager Not affected
Red Hat Enterprise Linux 5 NetworkManager Not affected

Acknowledgements

Red Hat would like to thank Ubuntu Security Team for reporting this issue. Upstream acknowledges Felix Wilhelm (Google) as the original reporter.

Last Modified