CVE-2020-1712 – systemd: use-after-free when asynchronous polkit queries are performed
https://notcve.org/view.php?id=CVE-2020-1712
A heap use-after-free vulnerability was found in systemd before version v245-rc1, where asynchronous Polkit queries are performed while handling dbus messages. A local unprivileged attacker can abuse this flaw to crash systemd services or potentially execute code and elevate their privileges, by sending specially crafted dbus messages. Se detectó una vulnerabilidad uso de la memoria previamente liberada de la pila en systemd versiones anteriores a v245-rc1, donde se llevaron a cabo consultas de Polkit asincrónicas mientras se manejan mensajes dbus. Un atacante no privilegiado local puede abusar de este fallo para bloquear los servicios de systemd o potencialmente ejecutar código y elevar sus privilegios, mediante el envío de mensajes dbus especialmente diseñados. A heap use-after-free vulnerability was found in systemd, where asynchronous Polkit queries are performed while handling dbus messages. • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1712 https://github.com/systemd/systemd/commit/1068447e6954dc6ce52f099ed174c442cb89ed54 https://github.com/systemd/systemd/commit/637486261528e8aa3da9f26a4487dc254f4b7abb https://github.com/systemd/systemd/commit/bc130b6858327b382b07b3985cf48e2aa9016b2d https://github.com/systemd/systemd/commit/ea0d0ede03c6f18dbc5036c5e9cccf97e415ccc2 https://lists.debian.org/debian-lts-announce/2022/06/msg00025.html https://www.openwall.com/lists/oss-security/2020/02/05/1 https://access.redhat.c • CWE-416: Use After Free •
CVE-2019-20386 – systemd: memory leak in button_open() in login/logind-button.c when udev events are received
https://notcve.org/view.php?id=CVE-2019-20386
An issue was discovered in button_open in login/logind-button.c in systemd before 243. When executing the udevadm trigger command, a memory leak may occur. Se detectó un problema en la función button_open en el archivo login/logind-button.c en systemd versiones anteriores a 243. Cuando se ejecuta el comando de activación udevadm, puede presentarse una pérdida de memoria. A memory leak was discovered in the systemd-login when a power-switch event is received. • http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00014.html https://github.com/systemd/systemd/commit/b2774a3ae692113e1f47a336a6c09bac9cfb49ad https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HZPCOMW5X6IZZXASCDD2CNW2DLF3YADC https://security.netapp.com/advisory/ntap-20200210-0002 https://usn.ubuntu.com/4269-1 https://access.redhat.com/security/cve/CVE-2019-20386 https://bugzilla.redhat.com/show_bug.cgi?id=1793979 • CWE-400: Uncontrolled Resource Consumption CWE-401: Missing Release of Memory after Effective Lifetime •
CVE-2018-21029
https://notcve.org/view.php?id=CVE-2018-21029
systemd 239 through 245 accepts any certificate signed by a trusted certificate authority for DNS Over TLS. Server Name Indication (SNI) is not sent, and there is no hostname validation with the GnuTLS backend. NOTE: This has been disputed by the developer as not a vulnerability since hostname validation does not have anything to do with this issue (i.e. there is no hostname to be sent) ** EN DISPUTA ** systemd versiones 239 hasta la versión 245, acepta cualquier certificado firmado por parte de una autoridad de certificación de confianza para DNS Over TLS. La indicación de nombre de servidor (SNI) no se envía y no existe comprobación de nombre de host con el backend GnuTLS. NOTA: Esto ha sido discutido por el desarrollador como una vulnerabilidad, ya que la validación del hostname no tiene nada que ver con este problema (es decir, no hay ningún nombre de host que se envíe) • https://blog.cloudflare.com/dns-encryption-explained https://github.com/systemd/systemd/blob/v239/man/resolved.conf.xml#L199-L207 https://github.com/systemd/systemd/blob/v243/man/resolved.conf.xml#L196-L207 https://github.com/systemd/systemd/blob/v243/src/resolve/resolved-dnstls-gnutls.c#L62-L63 https://github.com/systemd/systemd/issues/9397 https://github.com/systemd/systemd/pull/13870 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4NLJVOJMB6ANDI • CWE-295: Improper Certificate Validation •
CVE-2019-15718 – systemd: systemd-resolved allows unprivileged users to configure DNS
https://notcve.org/view.php?id=CVE-2019-15718
In systemd 240, bus_open_system_watch_bind_with_description in shared/bus-util.c (as used by systemd-resolved to connect to the system D-Bus instance), calls sd_bus_set_trusted, which disables access controls for incoming D-Bus messages. An unprivileged user can exploit this by executing D-Bus methods that should be restricted to privileged users, in order to change the system's DNS resolver settings. En systemd versión 240, la función bus_open_system_watch_bind_with_description en el archivo shared/bus-util.c (como es usado en systemd-resolve para conectarse a la instancia del sistema D-Bus), llama a sd_bus_set_trusted, lo que deshabilita los controles de acceso para los mensajes entrantes de D-Bus. Un usuario no privilegiado puede explotar esto mediante la ejecución de métodos D-Bus que deberían estar restringidos para usuarios con privilegios, para cambiar la configuración de la resolución DNS. An improper authorization flaw was discovered in systemd-resolved in the way it configures the exposed DBus interface org.freedesktop.resolve1. • http://www.openwall.com/lists/oss-security/2019/09/03/1 https://access.redhat.com/errata/RHSA-2019:3592 https://access.redhat.com/errata/RHSA-2019:3941 https://bugzilla.redhat.com/show_bug.cgi?id=1746057 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BRE5IS24XTF5WNZGH2L7GSQJKARBOEGL https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HIKGKXZ5OEGOEYURHLJHEMFYNLEGAW5B https://lists.fedoraproject.org/archives/list/package-announce% • CWE-285: Improper Authorization •
CVE-2018-20839
https://notcve.org/view.php?id=CVE-2018-20839
systemd 242 changes the VT1 mode upon a logout, which allows attackers to read cleartext passwords in certain circumstances, such as watching a shutdown, or using Ctrl-Alt-F1 and Ctrl-Alt-F2. This occurs because the KDGKBMODE (aka current keyboard mode) check is mishandled. El systemd 242 cambia el VT1 mode al terminar la sesión, esto permite a los atacantes leer contraseñas de texto simple en algunas circunstancias, tales como ver un apagado o usar Ctrl-Alt-F1 y Ctrl-Alt-F2. Esto ocurre porque la comprobación KDGKBMODE (también conocido como modo de teclado actual) es manejada incorrectamente. • http://www.securityfocus.com/bid/108389 https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1803993 https://github.com/systemd/systemd/commit/9725f1a10f80f5e0ae7d9b60547458622aeb322f https://github.com/systemd/systemd/pull/12378 https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E https://security.netapp.com/advisory/ntap-20190530-0002 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •