From 1441b04bbad677caf4a58c293ff6730b319a91df Mon Sep 17 00:00:00 2001
From: Thomas Haller
Date: Thu, 17 Jun 2021 17:04:12 +0200
Subject: [PATCH] dhcp/systemd: ignore FORCERENEW requests for DHCPV4 to workaround CVE-2020-13529 The FORCERENEW reqest was not authenticated (because neither rfc3118 nor rfc6704) is implemented. That is a potential security issue. As workaround, patch the source to ignore those requests. Note that also nettools implementation ignores FORCERENEW requests, so if there would be a need to handle them, then it would be important to improve the nettools code (which is the main implementation). The systemd DHCP plugin is no longer used by default. The user explicitly has to enable it via the undocumented "[main].dhcp=systemd" option in NetworkManager.conf. Hence, this change is probably not very important either way. See-also: https://bugzilla.redhat.com/show_bug.cgi?id=1959398 See-also: https://github.com/systemd/systemd/issues/16774 https://bugzilla.redhat.com/show_bug.cgi?id=1966123 CVE-2020-13529 https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/898
---
 .../src/libsystemd-network/sd-dhcp-client.c | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/src/libnm-systemd-core/src/libsystemd-network/sd-dhcp-client.c b/src/libnm-systemd-core/src/libsystemd-network/sd-dhcp-client.c
index b220f61dd2..94e43da395 100644
--- a/src/libnm-systemd-core/src/libsystemd-network/sd-dhcp-client.c
+++ b/src/libnm-systemd-core/src/libsystemd-network/sd-dhcp-client.c
@@ -1580,9 +1580,18 @@ static int client_handle_forcerenew(sd_dhcp_client *client, DHCPMessage *force,
 if (r != DHCP_FORCERENEW)
 return -ENOMSG;

+#if 0 /* NM_IGNORED */
 log_dhcp_client(client, "FORCERENEW");

 return 0;
+#else /* NM_IGNORED */
+ /* NM: patch out the handling of FORCERENEW. We don't implement rfc3118 (Authentication
+ * for DHCP Messages) nor rfc6704 (Forcerenew Nonce Authentication) so accepting
+ * unauthenticated FORCERENEW requests is a security issue (CVE-2020-13529)
+ * See: https://github.com/systemd/systemd/issues/16774 */
+ log_dhcp_client(client, "ignore FORCERENEW");
+ return -ENOMSG;
+#endif /* NM_IGNORED */
 }

 static bool lease_equal(const sd_dhcp_lease *a, const sd_dhcp_lease *b) {
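Review bot: The added `return -ENOMSG;` in the `#else` branch is only a safe drop if the caller of client_handle_forcerenew() treats -ENOMSG as "ignore this packet" and leaves the lease timers alone. The caller is outside this hunk, so that should be confirmed and recorded next to the return, e.g. `/* -ENOMSG: the caller ignores the packet and does not start a renew */`. With this branch active, both exits after the option check return -ENOMSG, so whatever the caller does on a 0 return is unreachable in this build. A small test that feeds a FORCERENEW message to a bound client and asserts no state change would keep the workaround from regressing silently when the vendored file is next updated. The `log_dhcp_client(client, "ignore FORCERENEW")` line runs once per packet from an unauthenticated sender, so it should stay at a level that is off by default (presumably debug here; verify). The function body starts before the hunk.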