
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2020-1712 is a heap use-after-free vulnerability discovered in systemd before version v245-rc1. The vulnerability was identified in the way asynchronous Polkit queries are performed while handling D-Bus messages. The issue was reported by Tavis Ormandy from Google Project Zero and was publicly disclosed on February 5, 2020 (OSS Security).
The vulnerability occurs in the bus_verify_polkit_async() function. Some D-Bus interfaces use a cache to store objects temporarily and clear it when the bus returns to the idle state, which allows a race condition. A D-Bus method that uses bus_verify_polkit_async() must wait for the polkit action to resolve, after which the method handler is called again with the previously allocated userdata. If the polkit request takes too long, the cache clearing mechanism may free the stored objects before the second method call, resulting in a use-after-free condition (OSS Security). The vulnerability has a CVSS v3.1 Base Score of 7.8 (High) with vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD).
A local unprivileged attacker can exploit this vulnerability to crash systemd services or potentially execute code and elevate their privileges by sending specially crafted D-Bus messages. The vulnerability particularly affects the systemd-machined service's D-Bus API through the org.freedesktop.machine1.Image interface, which is accessible to all users (Red Hat Bugzilla).
The vulnerability was fixed in systemd v245-rc1 through a series of commits. The fix involves changes to the way asynchronous Polkit queries are handled, including the introduction of a new API for re-enqueuing incoming messages and modifications to how callback/userdata is resolved (GitHub Commits). Users are recommended to upgrade to a version of systemd that includes these fixes.
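The object lifetime problem and the direction of the fix described above can be modelled in a few lines of C. This is an added example, not systemd code: the cache, the handle type and every function name are hypothetical, and array slots with a generation counter stand in for heap objects so that the stale reference is detected rather than dereferenced.

```c
#include <stdio.h>
#include <string.h>
/* Simplified model, not systemd code: slots and a generation counter stand in
 * for heap objects, so a stale reference is detected rather than dereferenced. */
#define SLOTS 4
struct image  { char name[32]; int live; unsigned gen; };
struct handle { int slot; unsigned gen; };  /* models the saved userdata pointer */
static struct image cache[SLOTS];

/* Look up an object by name, creating the cache entry if it is missing. */
static struct handle cache_resolve(const char *name) {
    int free_slot = -1;
    for (int i = 0; i < SLOTS; i++) {
        if (cache[i].live && strcmp(cache[i].name, name) == 0)
            return (struct handle){ i, cache[i].gen };
        if (!cache[i].live && free_slot < 0) free_slot = i;
    }
    if (free_slot < 0) return (struct handle){ -1, 0 };  /* cache full */
    snprintf(cache[free_slot].name, sizeof cache[free_slot].name, "%s", name);
    cache[free_slot].live = 1;
    return (struct handle){ free_slot, cache[free_slot].gen };
}
/* Bus returned to idle: every cached object is released. */
static void cache_flush_on_idle(void) {
    for (int i = 0; i < SLOTS; i++) { cache[i].live = 0; cache[i].gen++; }
}
static int handle_is_live(struct handle h) {
    return h.slot >= 0 && cache[h.slot].live && cache[h.slot].gen == h.gen;
}

/* Pre-fix pattern: the second handler call reuses userdata saved by the first.
 * Returns 1 if that reference is still valid, 0 if it dangles. */
int second_call_saved_userdata(const char *name, int idle_before_reply) {
    struct handle saved = cache_resolve(name);  /* first call; polkit pending */
    if (idle_before_reply) cache_flush_on_idle();
    return handle_is_live(saved);
}
/* Post-fix pattern: the message is re-enqueued and userdata resolved afresh. */
int second_call_reenqueued(const char *name, int idle_before_reply) {
    (void)cache_resolve(name);
    if (idle_before_reply) cache_flush_on_idle();
    return handle_is_live(cache_resolve(name));
}

int main(void) {
    printf("saved userdata: live=%d, re-enqueued: live=%d\n",
           second_call_saved_userdata("img", 1), second_call_reenqueued("img", 1));
    return 0;
}
```

In the model the saved reference stays valid only when the polkit reply arrives before the bus goes idle, which is why the defect shows up as a timing-dependent crash rather than a deterministic one.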
Source: This report was generated using AI