Vulnerability in systemd, potentially allowing privilege escalation

A vulnerability (CVE-2020-1712) has been identified in the systemd system manager that potentially allows arbitrary code to be executed with elevated privileges by sending a specially crafted request over DBus. The issue is fixed in the beta release systemd 245-rc1 (fixing patches: 1, 2, 3). The vulnerability has been fixed in Ubuntu, Fedora, RHEL (present in RHEL 8 but does not affect RHEL 7), CentOS and SUSE/openSUSE; at the time of writing it remains unfixed in Debian and Arch Linux.

The vulnerability is a use-after-free: access to an already freed memory area that occurs when requests to Polkit are executed asynchronously during the processing of DBus messages. Some DBus interfaces use a cache to store objects for a short time and flush the cache entries as soon as the DBus is free to process other requests. If a DBus method handler uses bus_verify_polkit_async(), it may have to wait for Polkit to complete the action. Once Polkit is ready, the handler is called again and accesses the cached data, which by then may already have been freed. If the request to Polkit takes long enough, the cached items are cleared before the DBus method handler is invoked the second time.
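To make the mechanism concrete, here is an added C model of the race (not systemd's code and not its actual patch): a request pins the cache entry with a reference across the asynchronous authorization wait, so a cache flush in between cannot free memory the completion handler still uses. The Image and Request types, the refcount and the four-slot cache are constructed for this illustration.

```c
// Added example (not systemd code): models the race described above.
// A cache hands out a pointer to an entry, an async authorization check
// completes later, and the cache may be flushed in between. Holding a
// reference (refcount) across the async wait keeps the entry alive.
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct Image { unsigned n_ref; char name[32]; } Image;

static Image *cache[4];          /* constructed toy cache, max 4 entries */

static Image *image_ref(Image *i)   { if (i) i->n_ref++; return i; }
static void   image_unref(Image *i) { if (i && --i->n_ref == 0) free(i); }

/* Look up or create an image; the cache itself holds one reference. */
Image *cache_get(const char *name) {
    for (int k = 0; k < 4; k++)
        if (cache[k] && strcmp(cache[k]->name, name) == 0) return cache[k];
    for (int k = 0; k < 4; k++) if (!cache[k]) {
        Image *i = calloc(1, sizeof *i);
        snprintf(i->name, sizeof i->name, "%s", name);
        i->n_ref = 1;
        return cache[k] = i;
    }
    return NULL;
}

/* Flush: drop the cache's references (frees entries nobody else holds). */
void cache_flush(void) {
    for (int k = 0; k < 4; k++) if (cache[k]) {
        image_unref(cache[k]);
        cache[k] = NULL;
    }
}

/* A pending async authorization: the request keeps its own reference. */
typedef struct { Image *image; } Request;

Request *clone_begin(const char *name) {
    Request *r = calloc(1, sizeof *r);
    r->image = image_ref(cache_get(name));   /* pin the object until done */
    return r;
}

/* Polkit answered; finish safely even if the cache was flushed meanwhile. */
int clone_finish(Request *r, int authorized) {
    int ok = authorized && r->image != NULL && r->image->name[0] != '\0';
    image_unref(r->image);                   /* release our reference */
    free(r);
    return ok;
}
```

Without the image_ref() in clone_begin(), the flush would free the entry and clone_finish() would read freed memory, which is the defect class the article describes.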

Among the services that allow the vulnerability to be exploited, systemd-machined stands out: it provides the DBus API org.freedesktop.machine1.Image.Clone, which stores data temporarily in the cache and makes an asynchronous call to Polkit. The org.freedesktop.machine1.Image.Clone interface is available to all unprivileged users of the system, who can crash systemd services or potentially execute code as root (a prototype exploit has not yet been demonstrated). The vulnerable code was added to systemd-machined in 2015, in systemd 220 (RHEL 7.x uses systemd 219).

Source: opennet.ru