CVSS: 7.8EPSS: 0%CPEs: 7EXPL: 0CVE-2020-1712 – systemd: use-after-free when asynchronous polkit queries are performed
https://notcve.org/view.php?id=CVE-2020-1712
A heap use-after-free vulnerability was found in systemd before version v245-rc1, where asynchronous Polkit queries are performed while handling dbus messages. A local unprivileged attacker can abuse this flaw to crash systemd services or potentially execute code and elevate their privileges, by sending specially crafted dbus messages. Se detectó una vulnerabilidad uso de la memoria previamente liberada de la pila en systemd versiones anteriores a v245-rc1, donde se llevaron a cabo consultas de Polkit asincrónicas mientras se manejan mensajes dbus. Un atacante no privilegiado local puede abusar de este fallo para bloquear los servicios de systemd o potencialmente ejecutar código y elevar sus privilegios, mediante el envío de mensajes dbus especialmente diseñados. A heap use-after-free vulnerability was found in systemd, where asynchronous Polkit queries are performed while handling dbus messages. • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1712 https://github.com/systemd/systemd/commit/1068447e6954dc6ce52f099ed174c442cb89ed54 https://github.com/systemd/systemd/commit/637486261528e8aa3da9f26a4487dc254f4b7abb https://github.com/systemd/systemd/commit/bc130b6858327b382b07b3985cf48e2aa9016b2d https://github.com/systemd/systemd/commit/ea0d0ede03c6f18dbc5036c5e9cccf97e415ccc2 https://lists.debian.org/debian-lts-announce/2022/06/msg00025.html https://www.openwall.com/lists/oss-security/2020/02/05/1 https://access.redhat.c • CWE-416: Use After Free •
CVSS: 2.4EPSS: 0%CPEs: 9EXPL: 0CVE-2019-20386 – systemd: memory leak in button_open() in login/logind-button.c when udev events are received
https://notcve.org/view.php?id=CVE-2019-20386
An issue was discovered in button_open in login/logind-button.c in systemd before 243. When executing the udevadm trigger command, a memory leak may occur. Se detectó un problema en la función button_open en el archivo login/logind-button.c en systemd versiones anteriores a 243. Cuando se ejecuta el comando de activación udevadm, puede presentarse una pérdida de memoria. A memory leak was discovered in the systemd-login when a power-switch event is received. • http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00014.html https://github.com/systemd/systemd/commit/b2774a3ae692113e1f47a336a6c09bac9cfb49ad https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HZPCOMW5X6IZZXASCDD2CNW2DLF3YADC https://security.netapp.com/advisory/ntap-20200210-0002 https://usn.ubuntu.com/4269-1 https://access.redhat.com/security/cve/CVE-2019-20386 https://bugzilla.redhat.com/show_bug.cgi?id=1793979 • CWE-400: Uncontrolled Resource Consumption CWE-401: Missing Release of Memory after Effective Lifetime •
CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 2CVE-2018-21029
https://notcve.org/view.php?id=CVE-2018-21029
systemd 239 through 245 accepts any certificate signed by a trusted certificate authority for DNS Over TLS. Server Name Indication (SNI) is not sent, and there is no hostname validation with the GnuTLS backend. NOTE: This has been disputed by the developer as not a vulnerability since hostname validation does not have anything to do with this issue (i.e. there is no hostname to be sent) ** EN DISPUTA ** systemd versiones 239 hasta la versión 245, acepta cualquier certificado firmado por parte de una autoridad de certificación de confianza para DNS Over TLS. La indicación de nombre de servidor (SNI) no se envía y no existe comprobación de nombre de host con el backend GnuTLS. NOTA: Esto ha sido discutido por el desarrollador como una vulnerabilidad, ya que la validación del hostname no tiene nada que ver con este problema (es decir, no hay ningún nombre de host que se envíe) • https://blog.cloudflare.com/dns-encryption-explained https://github.com/systemd/systemd/blob/v239/man/resolved.conf.xml#L199-L207 https://github.com/systemd/systemd/blob/v243/man/resolved.conf.xml#L196-L207 https://github.com/systemd/systemd/blob/v243/src/resolve/resolved-dnstls-gnutls.c#L62-L63 https://github.com/systemd/systemd/issues/9397 https://github.com/systemd/systemd/pull/13870 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4NLJVOJMB6ANDI • CWE-295: Improper Certificate Validation •
CVSS: 9.8EPSS: 0%CPEs: 5EXPL: 0CVE-2018-20839
https://notcve.org/view.php?id=CVE-2018-20839
systemd 242 changes the VT1 mode upon a logout, which allows attackers to read cleartext passwords in certain circumstances, such as watching a shutdown, or using Ctrl-Alt-F1 and Ctrl-Alt-F2. This occurs because the KDGKBMODE (aka current keyboard mode) check is mishandled. El systemd 242 cambia el VT1 mode al terminar la sesión, esto permite a los atacantes leer contraseñas de texto simple en algunas circunstancias, tales como ver un apagado o usar Ctrl-Alt-F1 y Ctrl-Alt-F2. Esto ocurre porque la comprobación KDGKBMODE (también conocido como modo de teclado actual) es manejada incorrectamente. • http://www.securityfocus.com/bid/108389 https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1803993 https://github.com/systemd/systemd/commit/9725f1a10f80f5e0ae7d9b60547458622aeb322f https://github.com/systemd/systemd/pull/12378 https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E https://security.netapp.com/advisory/ntap-20190530-0002 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.0EPSS: 0%CPEs: 7EXPL: 2CVE-2019-3842 – systemd - Lack of Seat Verification in PAM Module Permits Spoofing Active Session to polkit
https://notcve.org/view.php?id=CVE-2019-3842
In systemd before v242-rc4, it was discovered that pam_systemd does not properly sanitize the environment before using the XDG_SEAT variable. It is possible for an attacker, in some particular configurations, to set a XDG_SEAT environment variable which allows for commands to be checked against polkit policies using the "allow_active" element rather than "allow_any". En systemd anterior de la versión v242-rc4, fue encontrado que pam_systemd no sanea apropiadamente el entorno anterior usando la variable XDG_SEAT. Es posible que un atacante, en ciertas configuraciones particulares, establezca una variable de entorno XDG_SEAT que permita comprobar los comandos contra las políticas polkit utilizando el elemento "allow_active" en lugar de "allow_any". It was discovered that pam_systemd does not properly sanitize the environment before using the XDG_SEAT variable. • https://www.exploit-db.com/exploits/46743 http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00062.html http://packetstormsecurity.com/files/152610/systemd-Seat-Verification-Active-Session-Spoofing.html https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3842 https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b%40%3Cissues.bookkeeper.apache.org%3E https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4%40%3Cissues.bookkeeper.apache.org%3E https:// • CWE-285: Improper Authorization CWE-863: Incorrect Authorization •