Bug 1034330 (CVE-2017-7874)

Summary: VUL-0: CVE-2017-7874: systemd: udevd: does not properly verify the source of a Netlink message
Product: [Novell Products] SUSE Security Incidents
Reporter: Mikhail Kasimov <mikhail.kasimov>
Component: Incidents
Assignee: systemd maintainers <systemd-maintainers>
Status: RESOLVED DUPLICATE
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: carnil, meissner
Version: unspecified
Target Milestone: unspecified
Hardware: Other
OS: Other
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments: reproducer.c

Description Mikhail Kasimov 2017-04-15 18:49:03 UTC
Ref: https://nvd.nist.gov/vuln/detail/CVE-2017-7874
====================================================
Description

udevd in udev 232, when the Linux kernel 4.8.0 is used, does not properly verify the source of a Netlink message, which allows local users to execute arbitrary commands by leveraging access to the NETLINK_KOBJECT_UEVENT family, and the presence of the /lib/udev/rules.d/50-udev-default.rules file, to provide a crafted REMOVE_CMD value.
====================================================

Hyperlink:

[1] https://packetstormsecurity.com/files/142152/Linux-Kernel-4.8.0-udev-232-Privilege-Escalation.html

Not sure if it is applicable to (open-)SUSE, but v.232 can be used in the TW branch. Needs to be rechecked.
Comment 1 Marcus Meissner 2017-04-16 13:02:46 UTC
Created attachment 721359
reproducer.c

QA REPRODUCER:

gcc -o reproducer reproducer.c

ps auxw|grep udevd

  => find out PID of UDEVD

./reproducer $UDEVPID
Comment 2 Marcus Meissner 2017-04-16 14:40:17 UTC
(I took the liberty to make it report errors ;)

UDEVPID is 445 

marcus$ ./xx 445
sendmsg: Operation not permitted
marcus$
Comment 3 Marcus Meissner 2017-04-16 14:41:57 UTC
I had 2 CVEs from the same reporter retracted after them being insubstantial last week.

I quickly checked udev in systemd 232, it checks sender UID for being 0. 

But a quick recheck might be in order still.
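
The kind of sender check Comment 3 refers to, as an added example that is not part of this bug report and is not udev's own source: a netlink uevent receiver accepts a datagram only if it is a kernel multicast (port id 0) and the attached SCM_CREDENTIALS show uid 0. The function names, `struct sender_cred` and the group value 1 are assumptions made for this sketch, and it is stricter than a real monitor in that it accepts no unicast senders at all.

```c
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <linux/netlink.h>

#ifndef SCM_CREDENTIALS
#define SCM_CREDENTIALS 0x02      /* Linux value; glibc hides it without _GNU_SOURCE */
#endif
#define KERNEL_UEVENT_GROUP 1u    /* assumed: multicast group of kernel uevents */
/* Same layout as Linux struct ucred, declared locally (hypothetical name). */
struct sender_cred { pid_t pid; uid_t uid; gid_t gid; };

/* Returns 1 only for a kernel multicast datagram carrying uid 0 credentials. */
int uevent_sender_trusted(const struct sockaddr_nl *snl, struct msghdr *msg)
{
    struct sender_cred cred;
    struct cmsghdr *cmsg = CMSG_FIRSTHDR(msg);

    if (snl->nl_groups != KERNEL_UEVENT_GROUP || snl->nl_pid != 0)
        return 0;                 /* not a broadcast sent by the kernel (port id 0) */
    if (cmsg == NULL || cmsg->cmsg_level != SOL_SOCKET ||
        cmsg->cmsg_type != SCM_CREDENTIALS || cmsg->cmsg_len < CMSG_LEN(sizeof(cred)))
        return 0;                 /* no sender credentials attached: drop */
    memcpy(&cred, CMSG_DATA(cmsg), sizeof(cred));
    return cred.uid == 0;
}

/* Constructed input: the msghdr recvmsg() would fill in on an SO_PASSCRED socket. */
int check_constructed(uid_t uid, unsigned nl_pid, unsigned nl_groups, int with_cred)
{
    union { char buf[CMSG_SPACE(sizeof(struct sender_cred))]; struct cmsghdr align; } ctl;
    struct sender_cred cred = { .pid = 4242, .uid = uid, .gid = uid };
    struct sockaddr_nl snl = { .nl_family = AF_NETLINK, .nl_pid = nl_pid, .nl_groups = nl_groups };
    struct msghdr msg = { .msg_name = &snl, .msg_namelen = sizeof(snl) };
    memset(&ctl, 0, sizeof(ctl));
    if (with_cred) {
        msg.msg_control = ctl.buf;
        msg.msg_controllen = sizeof(ctl.buf);
        struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
        c->cmsg_level = SOL_SOCKET;
        c->cmsg_type = SCM_CREDENTIALS;
        c->cmsg_len = CMSG_LEN(sizeof(cred));
        memcpy(CMSG_DATA(c), &cred, sizeof(cred));
    }
    return uevent_sender_trusted(&snl, &msg);
}

int main(void) { printf("%d %d\n", check_constructed(0, 0, 1, 1), check_constructed(1000, 0, 1, 1)); return 0; }
```

On a live socket the credentials are only delivered if the receiver enabled SO_PASSCRED before calling recvmsg(); without it the check above drops every message.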
Comment 4 Marcus Meissner 2017-04-18 07:10:38 UTC
We are sending to udevd, so not a kernel issue.
Comment 5 Marcus Meissner 2017-04-18 07:21:04 UTC
systemd/udev in SLE12 * : not affected.
udev 147 in SLE11 SP3 / SP4: not affected


This was already fixed by bug 493158 I think.
Comment 6 Marcus Meissner 2017-04-19 13:24:33 UTC
I filed for CVE rejection at Mitre.

*** This bug has been marked as a duplicate of bug 493158 ***