Talos Security Advisory for Systemd DHCP (TALOS-2020-1142/CVE-2020-13529) #16774
Comments
@yuwata Is there any news regarding this vulnerability?
@klnSVM The issue is not fixed yet. If I remember correctly, we discussed and concluded that if we use the DHCP protocol then such a vulnerability always exists. Also, we could not find any RFC to avoid or mitigate the issue... So, I think it is hard to fix the issue soon on the systemd-networkd side. Please let me know if you know relevant RFCs. In short, we concluded that the vulnerability is not an issue of systemd-networkd but of the DHCP protocol. @keszybz Do you have any follow-ups?
Oh, I tried to find relevant RFCs again. Then, I found https://tools.ietf.org/html/rfc6704 which sounds related to the issue.
I've not read RFC6704 in detail yet, but it should mitigate the issue. I will try to implement that.
@CiscoTalos Hi, it would be great if your report at https://talosintelligence.com/vulnerability_reports/TALOS-2020-1142 could reference a specific commit instead of just "master", otherwise it is hard to follow the code references because the code changes quickly. Thanks!
Since the DHCP client doesn't implement rfc3118 (Authentication for DHCP Messages) nor rfc6704 (Forcerenew Nonce Authentication), wouldn't a simple fix be to ignore any FORCERENEW messages? If I am not wrong, then ISC's dhclient also does not support rfc3203/FORCERENEW, so this seems an acceptable thing not to support. And neither does nettools' n-dhcp4.
Is there any update on that?
@StayPirate Unfortunately, not yet.
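The "ignore FORCERENEW" policy proposed above, written out as an added illustration rather than code from systemd or n-dhcp4: a bounds-checked option walker plus a receive-side filter that drops every DHCPFORCERENEW (message type 9, RFC 3203) whether or not the message carries an Authentication option (90), because a client implementing neither RFC 3118 nor RFC 6704 cannot verify that option, so its presence means nothing. The layout constants, the `dhcp_client_filter` name and the constructed sample message are assumptions for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define DHCP_HDR_LEN 236u          /* fixed BOOTP/DHCP header preceding the magic cookie */
#define DHCP_COOKIE_LEN 4u
#define DHCP_OPT_PAD 0
#define DHCP_OPT_MESSAGE_TYPE 53
#define DHCP_OPT_AUTHENTICATION 90 /* RFC 3118; RFC 6704 reuses it with protocol 3 */
#define DHCP_OPT_END 255
#define DHCP_FORCERENEW 9          /* RFC 3203 message type */
static const uint8_t dhcp_cookie[DHCP_COOKIE_LEN] = {0x63, 0x82, 0x53, 0x63};

typedef enum { DHCP_PROCESS, DHCP_DROP_FORCERENEW, DHCP_DROP_MALFORMED } dhcp_verdict;

/* Bounds-checked walk of the option area; returns option data or NULL if absent/truncated. */
static const uint8_t *dhcp_find_option(const uint8_t *o, size_t n, uint8_t code, size_t *len) {
    for (size_t i = 0; i < n;) {
        if (o[i] == DHCP_OPT_END) return NULL;
        if (o[i] == DHCP_OPT_PAD) { i++; continue; }
        if (i + 2 > n || i + 2 + o[i + 1] > n) return NULL;  /* length or data runs past buffer */
        if (o[i] == code) { *len = o[i + 1]; return o + i + 2; }
        i += 2 + o[i + 1];
    }
    return NULL;
}

/* Receive-side policy (hypothetical helper): without RFC 3118/6704 support the client
 * cannot authenticate a FORCERENEW, so every one is dropped, auth option or not. */
dhcp_verdict dhcp_client_filter(const uint8_t *msg, size_t n) {
    size_t off = DHCP_HDR_LEN + DHCP_COOKIE_LEN, len = 0;
    if (n < off || memcmp(msg + DHCP_HDR_LEN, dhcp_cookie, DHCP_COOKIE_LEN) != 0) return DHCP_DROP_MALFORMED;
    const uint8_t *type = dhcp_find_option(msg + off, n - off, DHCP_OPT_MESSAGE_TYPE, &len);
    if (type == NULL || len != 1) return DHCP_DROP_MALFORMED;
    return *type == DHCP_FORCERENEW ? DHCP_DROP_FORCERENEW : DHCP_PROCESS;
}

/* Builds a constructed message (not captured traffic) and runs it through the filter:
 * zeroed header, cookie, option 53, optional option 90 with placeholder bytes (not a
 * valid RFC 6704 payload), end marker. cut > 0 truncates the message to that length. */
dhcp_verdict dhcp_check_sample(uint8_t type, bool with_auth, size_t cut) {
    uint8_t buf[260] = {0};
    size_t i = DHCP_HDR_LEN;
    memcpy(buf + i, dhcp_cookie, DHCP_COOKIE_LEN); i += DHCP_COOKIE_LEN;
    buf[i++] = DHCP_OPT_MESSAGE_TYPE; buf[i++] = 1; buf[i++] = type;
    if (with_auth) { buf[i++] = DHCP_OPT_AUTHENTICATION; buf[i++] = 3; buf[i++] = 3; buf[i++] = 1; buf[i++] = 0; }
    buf[i++] = DHCP_OPT_END;
    return dhcp_client_filter(buf, (cut > 0 && cut < i) ? cut : i);
}
```

A message type 5 (DHCPACK) passes, a FORCERENEW is refused with or without option 90, and a message truncated inside its option area is rejected as malformed rather than parsed past the buffer.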
This makes the DHCP client ignore FORCERENEW requests, as unauthenticated FORCERENEW requests cause a security issue (TALOS-2020-1142, CVE-2020-13529). Let's re-enable this after RFC3118 (Authentication for DHCP Messages) and/or RFC6704 (Forcerenew Nonce Authentication) are implemented. Fixes systemd#16774.
Fix is waiting in #20002. |
This makes the DHCP client ignore FORCERENEW requests, as unauthenticated FORCERENEW requests cause a security issue (TALOS-2020-1142, CVE-2020-13529). Let's re-enable this after RFC3118 (Authentication for DHCP Messages) and/or RFC6704 (Forcerenew Nonce Authentication) are implemented. Fixes systemd#16774. (cherry picked from commit 38e980a) (cherry picked from commit 3ec1234) (cherry picked from commit f53d610)
Please review email issued to systemd-security at redhat dot com regarding this issue