author | Thomas Haller <thaller@redhat.com> | 2021-06-17 17:04:12 +0200 |
---|---|---|
committer | Thomas Haller <thaller@redhat.com> | 2021-06-21 16:24:55 +0200 |
commit | 1441b04bbad677caf4a58c293ff6730b319a91df (patch) | |
tree | 50aaffa51ed4feab48458513346a31503724a3c4 | |
parent | 58c3af1a7d646ee19e592b4ce85fa126cf95e5ca (diff) |
dhcp/systemd: ignore FORCERENEW requests for DHCPV4 to workaround CVE-2020-13529
The FORCERENEW request was not authenticated (because neither rfc3118 nor
rfc6704 is implemented). That is a potential security issue.
As a workaround, patch the source to ignore those requests. Note that also
nettools implementation ignores FORCERENEW requests, so if there would
be a need to handle them, then it would be important to improve the
nettools code (which is the main implementation).
The systemd DHCP plugin is no longer used by default. The user explicitly has to
enable it via the undocumented "[main].dhcp=systemd" option in NetworkManager.conf.
Hence, this change is probably not very important either way.
See-also: https://bugzilla.redhat.com/show_bug.cgi?id=1959398
See-also: https://github.com/systemd/systemd/issues/16774
https://bugzilla.redhat.com/show_bug.cgi?id=1966123
CVE-2020-13529
https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/898
-rw-r--r-- | src/libnm-systemd-core/src/libsystemd-network/sd-dhcp-client.c | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/src/libnm-systemd-core/src/libsystemd-network/sd-dhcp-client.c b/src/libnm-systemd-core/src/libsystemd-network/sd-dhcp-client.c index b220f61dd2..94e43da395 100644 --- a/src/libnm-systemd-core/src/libsystemd-network/sd-dhcp-client.c +++ b/src/libnm-systemd-core/src/libsystemd-network/sd-dhcp-client.c @@ -1580,9 +1580,18 @@ static int client_handle_forcerenew(sd_dhcp_client *client, DHCPMessage *force, if (r != DHCP_FORCERENEW) return -ENOMSG; +#if 0 /* NM_IGNORED */ log_dhcp_client(client, "FORCERENEW"); return 0; +#else /* NM_IGNORED */ + /* NM: patch out the handling of FORCERENEW. We don't implement rfc3118 (Authentication + * for DHCP Messages) nor rfc6704 (Forcerenew Nonce Authentication) so accepting + * unauthenticated FORCERENEW requests is a security issue (CVE-2020-13529) + * See: https://github.com/systemd/systemd/issues/16774 */ + log_dhcp_client(client, "ignore FORCERENEW"); + return -ENOMSG; +#endif /* NM_IGNORED */ } static bool lease_equal(const sd_dhcp_lease *a, const sd_dhcp_lease *b) { |
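Review bot: The new `#else` branch in client_handle_forcerenew() returns `-ENOMSG`, the same value the line above returns for a message that is not a FORCERENEW at all (`if (r != DHCP_FORCERENEW) return -ENOMSG;`), while the disabled upstream branch returned 0. The added comment explains why the handling is patched out but not why `-ENOMSG` was chosen or what the caller does with it; the caller is not visible in this hunk, so it is worth confirming that this return value leaves the client state and timers untouched, and saying so in the comment. Separately, `log_dhcp_client(client, "ignore FORCERENEW");` runs once per received FORCERENEW, and since those packets are unauthenticated by the commit's own description, any sender on the link controls how often it is written. Consider whether this should be logged at a lower level or at all.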