An attacker can trigger the vulnerability with maliciously crafted DHCPv6 packets, corrupting portions of the vulnerable system's memory and potentially achieving remote code execution.
The flaw, tracked as CVE-2018-15688, was reported by Felix Wilhelm of the Google Security team. Wilhelm explained that the overflow can be triggered easily by advertising a DHCPv6 server with a server-id >= 493 characters long.
“The dhcp6_option_append_ia function is used to encode Identity Associations received by the server into the options buffer of an outgoing DHCPv6 packet,” wrote Wilhelm.
“The function receives a pointer to the option buffer buf, its remaining size buflen and the IA to be added to the buffer. While the check at (A) tries to ensure that the buffer has enough space left to store the IA option, it does not take the additional 4 bytes from the DHCP6Option header into account (B). Due to this, the memcpy at (C) can go out-of-bound and *buflen can underflow in (D), giving an attacker a very powerful and largely controlled OOB heap write starting at (E). The overflow can be triggered relatively easily by advertising a DHCPv6 server with a server-id >= 493 characters long.”
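The off-by-header mistake Wilhelm describes, as an added illustration that is not systemd's code: a simplified model in which the flawed check compares the remaining buffer only against the IA payload, while the hardened append accounts for the 4-byte DHCP6Option header in both the check and the buflen bookkeeping. The option layout (2-byte code, 2-byte length) and the function names are assumptions for this model.

```c
/* Added illustration (not systemd's code): a simplified model of the
 * length check in dhcp6_option_append_ia described above. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define DHCP6_HDR_LEN 4u   /* option-code (2 bytes) + option-len (2 bytes) */

/* Bytes an appended IA option really occupies: header plus payload. */
static size_t ia_option_size(size_t ia_len) {
        return DHCP6_HDR_LEN + ia_len;
}

/* Flawed check (A): tests the remaining buffer against the IA payload
 * only, ignoring the header.  Returns how many bytes the subsequent
 * memcpy would write past the buffer end (0 = no overflow).  The write
 * itself is never performed here; this only reports the arithmetic. */
size_t flawed_check_overflow(size_t buflen, size_t ia_len) {
        if (buflen < ia_len)                 /* passes for buflen in [ia_len, ia_len + 3] */
                return 0;                    /* rejected, nothing is written */
        size_t need = ia_option_size(ia_len);
        return need > buflen ? need - buflen : 0;
}

/* Hardened append: check and bookkeeping both include the header, so the
 * memcpy stays in bounds and *buflen cannot underflow. */
int append_ia_option(uint8_t **buf, size_t *buflen, uint16_t code,
                     const uint8_t *ia, size_t ia_len) {
        size_t need = ia_option_size(ia_len);
        if (ia_len > UINT16_MAX || *buflen < need)
                return -ENOBUFS;
        uint8_t *p = *buf;
        p[0] = (uint8_t)(code >> 8);   p[1] = (uint8_t)(code & 0xff);
        p[2] = (uint8_t)(ia_len >> 8); p[3] = (uint8_t)(ia_len & 0xff);
        memcpy(p + DHCP6_HDR_LEN, ia, ia_len);
        *buf += need;
        *buflen -= need;
        return 0;
}

/* Exercises the hardened path on a 16-byte buffer: one 12-byte IA fits
 * exactly, and a second append is refused rather than overflowing.
 * Returns 1 when both behave as expected. */
int hardened_demo(void) {
        uint8_t out[16], ia[12] = {0};
        uint8_t *p = out;
        size_t left = sizeof out;
        if (append_ia_option(&p, &left, 3, ia, sizeof ia) != 0) return 0;
        if (left != 0 || p != out + sizeof out) return 0;
        return append_ia_option(&p, &left, 3, ia, 1) == -ENOBUFS;
}
```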
The flaw resides in the DHCPv6 client of the open-source systemd management suite, which ships with several Linux distros (Ubuntu, Red Hat, Debian, Fedora, CoreOS, Mint, and SUSE Linux Enterprise Server).
If IPv6 support is enabled, the DHCPv6 client of the systemd suite is automatically activated to process arriving packets.
Experts pointed out that the DHCPv6 client could be woken up by specially crafted router advertisement messages sent by a rogue DHCPv6 server on the local network or at an ISP. In both scenarios, the attackers can activate the DHCPv6 client and trigger the vulnerability to crash or hijack the systemd-powered Linux machines.
Both Ubuntu and Red Hat published security advisories on the issue.
“systemd-networkd is vulnerable to an out-of-bounds heap write in the DHCPv6 client when handling options sent by network adjacent DHCP servers. An attacker could exploit this via a malicious DHCP server to corrupt heap memory on client machines, resulting in a denial of service or potential code execution,” reads the advisory published by Red Hat.
“Felix Wilhelm discovered that systemd-networkd’s dhcp6 client could be made to write beyond the bounds (buffer overflow) of a heap allocated buffer when responding to a dhcp6 server with an overly-long server-id parameter,” reads the advisory published by Ubuntu.