Critical vulnerability in systemd affects Ubuntu, Red Hat, Fedora, RHEL, CentOS, SUSE/openSUSE and ROSA

An information security firm just reported the finding of a critical vulnerability in systemd, the Linux initialization subsystem. If exploited, the vulnerability would allow a threat actor to execute code with administrator privileges on the affected system by sending specially designed queries through DBus. 

According to the report, the flaw, tracked as CVE-2020-1712, is present in Ubuntu, Red Hat, Fedora, RHEL, CentOS, SUSE/openSUSE, and ROSA, and received a score of 7.8/10 on the Common Vulnerability Scoring System (CVSS) scale. The security issue was reported by researcher Tavis Ormandy of Google Project Zero.

At this point, only Red Hat has made a position on this finding, mentioning that the issue does not affect systemd versions included in products such as Red Hat Enterprise Linux 7, as there are no services that make vulnerable asynchronous Politik requests.

The use-after-free vulnerability occurs when asynchronous Polkit queries are performed while handling DBus queries; even a local attacker without elevated privileges could abuse this failure to block some services on the target system, execute arbitrary code, and perform privilege escalations using specially designed DBus messages.

The information security experts report mentions that if DBus uses bus_verify_polkit_async(), it can take quite a while to complete the action in the Politik library. If this happens, the method handler will be called again with the previously assigned user data.

If the request to Polkit takes too long, flushing the cache releases the stored objects before calling the method again, triggering the use-after-free flaw.

According to the information security report, the vulnerability is exploitable by the systemd-machined service, which provides the org.freedesktop.machine1.Image.Clone API. This interface is accessible to all users without system privileges, which means that any user could trigger the failure or achieve code execution with superuser privileges.

The International Institute of Cyber Security (IICS) frequently reports this kind of errors in various technological developments, contributing to the formation of a collaborative ecosystem to improve security in the field of computing science.