Bugzilla – Bug 1034330
VUL-0: CVE-2017-7874: systemd: udevd: does not properly verify the source of a Netlink message
Last modified: 2017-04-19 13:24:33 UTC
Ref: https://nvd.nist.gov/vuln/detail/CVE-2017-7874
====================================================
Description

udevd in udev 232, when the Linux kernel 4.8.0 is used, does not properly verify the source of a Netlink message, which allows local users to execute arbitrary commands by leveraging access to the NETLINK_KOBJECT_UEVENT family, and the presence of the /lib/udev/rules.d/50-udev-default.rules file, to provide a crafted REMOVE_CMD value.
====================================================
Hyperlink:
[1] https://packetstormsecurity.com/files/142152/Linux-Kernel-4.8.0-udev-232-Privilege-Escalation.html

Not sure if it is applicable to (open-)SUSE, but v.232 can be used in the TW branch. Needs to be rechecked.
Created attachment 721359
reproducer.c

QA REPRODUCER:

gcc -o reproducer reproducer.c
ps auxw|grep udevd   => find out PID of UDEVD
./reproducer $UDEVPID
(I took the liberty to make it report errors ;)

UDEVPID is 445

marcus$ ./xx 445
sendmsg: Operation not permitted
marcus$
I had 2 CVEs from the same reporter retracted after them being insubstantial last week. I quickly checked udev in systemd 232, it checks sender UID for being 0. But a quick recheck might be in order still.
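The sender check referred to in the comment above, sketched as an added example; it is not part of this bug report and not udev's own code. The names `uevent_sender_trusted`, `sender_cred` and `demo_verdict` are hypothetical, the sample message is constructed, and as a simplification the check accepts only kernel multicast messages (port id 0) that carry root credentials, assuming the receiving socket has SO_PASSCRED enabled.

```c
#include <stdbool.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <linux/netlink.h>

#ifndef SCM_CREDENTIALS
#define SCM_CREDENTIALS 0x02 /* Linux value; glibc exposes it only with _GNU_SOURCE */
#endif
/* Same layout as struct ucred, declared locally to build without _GNU_SOURCE. */
struct sender_cred { pid_t pid; uid_t uid; gid_t gid; };

/* Hypothetical helper: may a message read with recvmsg() from a
 * NETLINK_KOBJECT_UEVENT socket (SO_PASSCRED enabled) be acted on? */
bool uevent_sender_trusted(struct msghdr *msg)
{
    const struct sockaddr_nl *snl = msg->msg_name;
    struct cmsghdr *cmsg = CMSG_FIRSTHDR(msg);
    struct sender_cred cred;
    if (!snl || msg->msg_namelen < sizeof(*snl) || snl->nl_family != AF_NETLINK)
        return false;
    if (snl->nl_groups == 0 || snl->nl_pid != 0)
        return false; /* simplification: accept only kernel multicast (port id 0) */
    if (!cmsg || cmsg->cmsg_level != SOL_SOCKET ||
        cmsg->cmsg_type != SCM_CREDENTIALS || cmsg->cmsg_len < CMSG_LEN(sizeof(cred)))
        return false; /* no sender credentials attached */
    memcpy(&cred, CMSG_DATA(cmsg), sizeof(cred));
    return cred.uid == 0; /* the sender UID check mentioned in the comment above */
}

/* Constructed input: fill a msghdr the way recvmsg() would, then classify it. */
bool demo_verdict(uid_t uid, unsigned groups, unsigned port, bool with_cred)
{
    struct sockaddr_nl snl = { .nl_family = AF_NETLINK, .nl_pid = port, .nl_groups = groups };
    union { struct cmsghdr align; char buf[CMSG_SPACE(sizeof(struct sender_cred))]; } ctl;
    struct sender_cred cred = { .pid = 0, .uid = uid, .gid = uid };
    struct msghdr msg = { .msg_name = &snl, .msg_namelen = sizeof(snl) };
    memset(&ctl, 0, sizeof(ctl));
    if (with_cred) {
        msg.msg_control = ctl.buf;
        msg.msg_controllen = sizeof(ctl.buf);
        struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
        c->cmsg_level = SOL_SOCKET;
        c->cmsg_type = SCM_CREDENTIALS;
        c->cmsg_len = CMSG_LEN(sizeof(cred));
        memcpy(CMSG_DATA(c), &cred, sizeof(cred));
    }
    return uevent_sender_trusted(&msg);
}
```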
We are sending to udevd, so not a kernel issue.
systemd/udev in SLE12 * : not affected.
udev 147 in SLE11 SP3 / SP4: not affected.

This was already fixed by bug 493158 I think.
I filed for CVE rejection at Mitre.

*** This bug has been marked as a duplicate of bug 493158 ***