CVE-2023-26604 – systemd: privilege escalation via the less pager
https://notcve.org/view.php?id=CVE-2023-26604
systemd before 247 does not adequately block local privilege escalation for some Sudo configurations, e.g., plausible sudoers files in which the "systemctl status" command may be executed. Specifically, systemd does not set LESSSECURE to 1, and thus other programs may be launched from the less program. This presents a substantial security risk when running systemctl from Sudo, because less executes as root when the terminal size is too small to show the complete systemctl output. A vulnerability was found in the systemd package. The systemd package does not adequately block local privilege escalation for some Sudo configurations, for example, plausible sudoers files, in which the "systemctl status" command may be executed. • https://github.com/Zenmovie/CVE-2023-26604 http://packetstormsecurity.com/files/174130/systemd-246-Local-Root-Privilege-Escalation.html https://blog.compass-security.com/2012/10/dangerous-sudoers-entries-part-2-insecure-functionality https://github.com/systemd/systemd/blob/main/NEWS#L4335-L4340 https://lists.debian.org/debian-lts-announce/2023/03/msg00032.html https://medium.com/%40zenmoviefornotification/saidov-maxim-cve-2023-26604-c1232a526ba7 https://security.netapp.com/advisory/ntap-20230505-0009 https:& •
CVE-2022-3821 – systemd: buffer overrun in format_timespan() function
https://notcve.org/view.php?id=CVE-2022-3821
An off-by-one Error issue was discovered in Systemd in format_timespan() function of time-util.c. An attacker could supply specific values for time and accuracy that leads to buffer overrun in format_timespan(), leading to a Denial of Service. Se descubrió un problema de error de uno en uno en Systemd en la función format_timespan() de time-util.c. Un atacante podría proporcionar valores específicos de tiempo y precisión que provoquen una saturación del búfer en format_timespan(), lo que provocará una Denegación de Servicio (DoS). An off-by-one error flaw was found in systemd in the format_timespan() function of time-util.c. • https://bugzilla.redhat.com/show_bug.cgi?id=2139327 https://github.com/systemd/systemd/commit/9102c625a673a3246d7e73d8737f3494446bad4e https://github.com/systemd/systemd/issues/23928 https://github.com/systemd/systemd/pull/23933 https://lists.debian.org/debian-lts-announce/2023/06/msg00036.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RVBQC2VLSDVQAPJTEMTREXDL4HYLXG2P https://security.gentoo.org/glsa/202305-15 https://access.redhat.com/security/cve/CVE-2022- • CWE-193: Off-by-one Error •
CVE-2021-3997
https://notcve.org/view.php?id=CVE-2021-3997
A flaw was found in systemd. An uncontrolled recursion in systemd-tmpfiles may lead to a denial of service at boot time when too many nested directories are created in /tmp. Se ha encontrado un fallo en systemd. Una recursión no controlada en systemd-tmpfiles puede conllevar a una denegación de servicio en el momento del arranque cuando son creados demasiados directorios anidados en /tmp. • https://access.redhat.com/security/cve/CVE-2021-3997 https://bugzilla.redhat.com/show_bug.cgi?id=2024639 https://github.com/systemd/systemd/commit/5b1cf7a9be37e20133c0208005274ce4a5b5c6a1 https://security.gentoo.org/glsa/202305-15 https://www.openwall.com/lists/oss-security/2022/01/10/2 • CWE-674: Uncontrolled Recursion •
CVE-2021-33910 – systemd: uncontrolled allocation on the stack in function unit_name_path_escape leads to crash
https://notcve.org/view.php?id=CVE-2021-33910
basic/unit-name.c in systemd prior to 246.15, 247.8, 248.5, and 249.1 has a Memory Allocation with an Excessive Size Value (involving strdupa and alloca for a pathname controlled by a local attacker) that results in an operating system crash. basic/unit-name.c en systemd anterior a las versiones 246.15, 247.8, 248.5 y 249.1 tiene una asignación de memoria con un valor de tamaño excesivo (que involucra a strdupa y alloca para un nombre de ruta controlado por un atacante local) que resulta en una caída del sistema operativo A flaw was found in systemd. The use of alloca function with an uncontrolled size in function unit_name_path_escape allows a local attacker, able to mount a filesystem on a very long path, to crash systemd and the whole system by allocating a very large space in the stack. The highest threat from this vulnerability is to the system availability. • http://packetstormsecurity.com/files/163621/Sequoia-A-Deep-Root-In-Linuxs-Filesystem-Layer.html http://www.openwall.com/lists/oss-security/2021/08/04/2 http://www.openwall.com/lists/oss-security/2021/08/17/3 http://www.openwall.com/lists/oss-security/2021/09/07/3 https://cert-portal.siemens.com/productcert/pdf/ssa-222547.pdf https://github.com/systemd/systemd-stable/commit/4a1c5f34bd3e1daed4490e9d97918e504d19733b https://github.com/systemd/systemd-stable/commit/764b74113e36ac5219a4b82a05f311b5a92136ce • CWE-400: Uncontrolled Resource Consumption CWE-770: Allocation of Resources Without Limits or Throttling •
CVE-2020-13529 – systemd: DHCP FORCERENEW authentication not implemented can cause a system running the DHCP client to have its network reconfigured
https://notcve.org/view.php?id=CVE-2020-13529
An exploitable denial-of-service vulnerability exists in Systemd 245. A specially crafted DHCP FORCERENEW packet can cause a server running the DHCP client to be vulnerable to a DHCP ACK spoofing attack. An attacker can forge a pair of FORCERENEW and DCHP ACK packets to reconfigure the server. Se presenta una vulnerabilidad de denegación de servicio explotable en Systemd 245. Un paquete DHCP FORCERENEW especialmente diseñado puede hacer que un servidor que ejecuta el cliente DHCP sea vulnerable a un ataque de suplantación de DHCP ACK. • http://www.openwall.com/lists/oss-security/2021/08/04/2 http://www.openwall.com/lists/oss-security/2021/08/17/3 http://www.openwall.com/lists/oss-security/2021/09/07/3 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/42TMJVNYRY65B4QCJICBYOEIVZV3KUYI https://security.gentoo.org/glsa/202107-48 https://security.netapp.com/advisory/ntap-20210625-0005 https://talosintelligence.com/vulnerability_reports/TALOS-2020-1142 https://access.redhat.com/securit • CWE-290: Authentication Bypass by Spoofing CWE-306: Missing Authentication for Critical Function •