Bug 670040 (CVE-2018-15688)

Summary:	[TRACKER] Out-of-bounds heap write during dhcpv6 option handling (CVE-2018-15688)
Product:	Gentoo Security	Reporter:	Thomas Deutschmann (RETIRED) <whissi>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	normal	Keywords:	Tracker
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
Whiteboard:
Package list:		Runtime testing required:	---
Bug Depends on:	669716, 670042
Bug Blocks:

Description Thomas Deutschmann (RETIRED) gentoo-dev

2018-10-31 15:30:22 UTC

From https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-15688:

systemd-networkd is vulnerable to an out out-of-bounds heap write in the DHCPv6 client when handling options sent by network adjacent DHCP servers. A attacker could exploit this via malicious DHCP server to corrupt heap memory on client machines, resulting in a denial of service or potential code execution.

NetworkManager includes some parts of the systemd-networkd code in its codebase. That can be found at src/systemd/src/libsystemd-networkd. The DHCP implementation provided by systemd-networkd is used when NetworkManager is configured to use the internal implementation, however the default is to use dhclient.

When NetworkManager is configured to use the internal dhcp and an interface is setup with ipv6.method=auto (which is the default value) or ipv6.method=dhcp, this flaw can be exploited. When using ipv6.method=auto, the DHCPv6 client can be automatically started with a Router Advertisement packet.

Comment 1 Aaron Bauman (RETIRED) gentoo-dev

2019-05-10 02:55:46 UTC

all done here.