Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 670040 (CVE-2018-15688) - [TRACKER] Out-of-bounds heap write during dhcpv6 option handling (CVE-2018-15688)
Summary: [TRACKER] Out-of-bounds heap write during dhcpv6 option handling (CVE-2018-15...
Alias: CVE-2018-15688
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
Keywords: Tracker
Depends on: 669716 670042
  Show dependency tree
Reported: 2018-10-31 15:30 UTC by Thomas Deutschmann (RETIRED)
Modified: 2019-05-10 02:55 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Thomas Deutschmann (RETIRED) gentoo-dev 2018-10-31 15:30:22 UTC

systemd-networkd is vulnerable to an out out-of-bounds heap write in the DHCPv6 client when handling options sent by network adjacent DHCP servers. A attacker could exploit this via malicious DHCP server to corrupt heap memory on client machines, resulting in a denial of service or potential code execution.

NetworkManager includes some parts of the systemd-networkd code in its codebase. That can be found at src/systemd/src/libsystemd-networkd. The DHCP implementation provided by systemd-networkd is used when NetworkManager is configured to use the internal implementation, however the default is to use dhclient.

When NetworkManager is configured to use the internal dhcp and an interface is setup with ipv6.method=auto (which is the default value) or ipv6.method=dhcp, this flaw can be exploited. When using ipv6.method=auto, the DHCPv6 client can be automatically started with a Router Advertisement packet.
Comment 1 Aaron Bauman (RETIRED) gentoo-dev 2019-05-10 02:55:46 UTC
all done here.