CVE-2019-20386 – systemd: memory leak in button_open() in login/logind-button.c when udev events are received
https://notcve.org/view.php?id=CVE-2019-20386
An issue was discovered in button_open in login/logind-button.c in systemd before 243. When executing the udevadm trigger command, a memory leak may occur. Se detectó un problema en la función button_open en el archivo login/logind-button.c en systemd versiones anteriores a 243. Cuando se ejecuta el comando de activación udevadm, puede presentarse una pérdida de memoria. A memory leak was discovered in the systemd-login when a power-switch event is received. • http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00014.html https://github.com/systemd/systemd/commit/b2774a3ae692113e1f47a336a6c09bac9cfb49ad https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HZPCOMW5X6IZZXASCDD2CNW2DLF3YADC https://security.netapp.com/advisory/ntap-20200210-0002 https://usn.ubuntu.com/4269-1 https://access.redhat.com/security/cve/CVE-2019-20386 https://bugzilla.redhat.com/show_bug.cgi?id=1793979 • CWE-400: Uncontrolled Resource Consumption CWE-401: Missing Release of Memory after Effective Lifetime •
CVE-2018-21029
https://notcve.org/view.php?id=CVE-2018-21029
systemd 239 through 245 accepts any certificate signed by a trusted certificate authority for DNS Over TLS. Server Name Indication (SNI) is not sent, and there is no hostname validation with the GnuTLS backend. NOTE: This has been disputed by the developer as not a vulnerability since hostname validation does not have anything to do with this issue (i.e. there is no hostname to be sent) ** EN DISPUTA ** systemd versiones 239 hasta la versión 245, acepta cualquier certificado firmado por parte de una autoridad de certificación de confianza para DNS Over TLS. La indicación de nombre de servidor (SNI) no se envía y no existe comprobación de nombre de host con el backend GnuTLS. NOTA: Esto ha sido discutido por el desarrollador como una vulnerabilidad, ya que la validación del hostname no tiene nada que ver con este problema (es decir, no hay ningún nombre de host que se envíe) • https://blog.cloudflare.com/dns-encryption-explained https://github.com/systemd/systemd/blob/v239/man/resolved.conf.xml#L199-L207 https://github.com/systemd/systemd/blob/v243/man/resolved.conf.xml#L196-L207 https://github.com/systemd/systemd/blob/v243/src/resolve/resolved-dnstls-gnutls.c#L62-L63 https://github.com/systemd/systemd/issues/9397 https://github.com/systemd/systemd/pull/13870 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4NLJVOJMB6ANDI • CWE-295: Improper Certificate Validation •
CVE-2019-15718 – systemd: systemd-resolved allows unprivileged users to configure DNS
https://notcve.org/view.php?id=CVE-2019-15718
In systemd 240, bus_open_system_watch_bind_with_description in shared/bus-util.c (as used by systemd-resolved to connect to the system D-Bus instance), calls sd_bus_set_trusted, which disables access controls for incoming D-Bus messages. An unprivileged user can exploit this by executing D-Bus methods that should be restricted to privileged users, in order to change the system's DNS resolver settings. En systemd versión 240, la función bus_open_system_watch_bind_with_description en el archivo shared/bus-util.c (como es usado en systemd-resolve para conectarse a la instancia del sistema D-Bus), llama a sd_bus_set_trusted, lo que deshabilita los controles de acceso para los mensajes entrantes de D-Bus. Un usuario no privilegiado puede explotar esto mediante la ejecución de métodos D-Bus que deberían estar restringidos para usuarios con privilegios, para cambiar la configuración de la resolución DNS. An improper authorization flaw was discovered in systemd-resolved in the way it configures the exposed DBus interface org.freedesktop.resolve1. • http://www.openwall.com/lists/oss-security/2019/09/03/1 https://access.redhat.com/errata/RHSA-2019:3592 https://access.redhat.com/errata/RHSA-2019:3941 https://bugzilla.redhat.com/show_bug.cgi?id=1746057 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BRE5IS24XTF5WNZGH2L7GSQJKARBOEGL https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HIKGKXZ5OEGOEYURHLJHEMFYNLEGAW5B https://lists.fedoraproject.org/archives/list/package-announce% • CWE-285: Improper Authorization •
CVE-2019-3843 – systemd - DynamicUser can Create setuid Binaries when Assisted by Another Process
https://notcve.org/view.php?id=CVE-2019-3843
It was discovered that a systemd service that uses DynamicUser property can create a SUID/SGID binary that would be allowed to run as the transient service UID/GID even after the service is terminated. A local attacker may use this flaw to access resources that will be owned by a potentially different service in the future, when the UID/GID will be recycled. Se descubrió que un servicio systemd que utiliza la propiedad DynamicUser puede crear un binario SUID/SGID que podría ejecutarse como servicio transitorio UID/GID incluso después de que el servicio haya terminado. Un atacante local puede utilizar esta vulnerabilidad para acceder a recursos que serán propiedad de un servicio potencialmente diferente en el futuro, cuando el UID/GID sea reciclado. It was discovered that a systemd service that uses DynamicUser property can create a SUID/SGID binary that would be allowed to run as the transient service UID/GID even after the service is terminated. • https://www.exploit-db.com/exploits/46760 http://www.securityfocus.com/bid/108116 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3843 https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b%40%3Cissues.bookkeeper.apache.org%3E https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4%40%3Cissues.bookkeeper.apache.org%3E https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5JXQAKSTMABZ46EVCRMW62DHWYHTTFES https://security.netap • CWE-266: Incorrect Privilege Assignment CWE-269: Improper Privilege Management •
CVE-2019-3844 – systemd - DynamicUser can Create setuid Binaries when Assisted by Another Process
https://notcve.org/view.php?id=CVE-2019-3844
It was discovered that a systemd service that uses DynamicUser property can get new privileges through the execution of SUID binaries, which would allow to create binaries owned by the service transient group with the setgid bit set. A local attacker may use this flaw to access resources that will be owned by a potentially different service in the future, when the GID will be recycled. Se ha descubierto una vulnerabilidad en el servicio systemd que utilice la propiedad DynamicUser pudiendo obtener nuevos privilegios a través de la ejecución de binarios SUID, los cuales podrían permitir crear binarios pertenecientes al servicio transient group con el bit setgid, Un atacante local podría utilizar este fallo para acceder a recursos que pertenezcan a otro servicio futuro cuando el GID fuese reciclado. It was discovered that a systemd service that uses DynamicUser property can get new privileges through the execution of SUID binaries, which would allow a cooperating process to create binaries owned by the service transient group with the setgid bit set. A local attacker may use this flaw to access resources that will be owned by a potentially different service in the future when the GID will be recycled. • https://www.exploit-db.com/exploits/46760 http://www.securityfocus.com/bid/108096 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3844 https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b%40%3Cissues.bookkeeper.apache.org%3E https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4%40%3Cissues.bookkeeper.apache.org%3E https://security.netapp.com/advisory/ntap-20190619-0002 https://usn.ubuntu.com/4269-1 https://access.redhat.com/security/cve • CWE-268: Privilege Chaining •