CVSS: 2.4EPSS: 0%CPEs: 9EXPL: 0CVE-2019-20386 – systemd: memory leak in button_open() in login/logind-button.c when udev events are received
https://notcve.org/view.php?id=CVE-2019-20386
An issue was discovered in button_open in login/logind-button.c in systemd before 243. When executing the udevadm trigger command, a memory leak may occur. Se detectó un problema en la función button_open en el archivo login/logind-button.c en systemd versiones anteriores a 243. Cuando se ejecuta el comando de activación udevadm, puede presentarse una pérdida de memoria. A memory leak was discovered in the systemd-login when a power-switch event is received. • http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00014.html https://github.com/systemd/systemd/commit/b2774a3ae692113e1f47a336a6c09bac9cfb49ad https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HZPCOMW5X6IZZXASCDD2CNW2DLF3YADC https://security.netapp.com/advisory/ntap-20200210-0002 https://usn.ubuntu.com/4269-1 https://access.redhat.com/security/cve/CVE-2019-20386 https://bugzilla.redhat.com/show_bug.cgi?id=1793979 • CWE-400: Uncontrolled Resource Consumption CWE-401: Missing Release of Memory after Effective Lifetime •
CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 2CVE-2018-21029
https://notcve.org/view.php?id=CVE-2018-21029
systemd 239 through 245 accepts any certificate signed by a trusted certificate authority for DNS Over TLS. Server Name Indication (SNI) is not sent, and there is no hostname validation with the GnuTLS backend. NOTE: This has been disputed by the developer as not a vulnerability since hostname validation does not have anything to do with this issue (i.e. there is no hostname to be sent) ** EN DISPUTA ** systemd versiones 239 hasta la versión 245, acepta cualquier certificado firmado por parte de una autoridad de certificación de confianza para DNS Over TLS. La indicación de nombre de servidor (SNI) no se envía y no existe comprobación de nombre de host con el backend GnuTLS. NOTA: Esto ha sido discutido por el desarrollador como una vulnerabilidad, ya que la validación del hostname no tiene nada que ver con este problema (es decir, no hay ningún nombre de host que se envíe) • https://blog.cloudflare.com/dns-encryption-explained https://github.com/systemd/systemd/blob/v239/man/resolved.conf.xml#L199-L207 https://github.com/systemd/systemd/blob/v243/man/resolved.conf.xml#L196-L207 https://github.com/systemd/systemd/blob/v243/src/resolve/resolved-dnstls-gnutls.c#L62-L63 https://github.com/systemd/systemd/issues/9397 https://github.com/systemd/systemd/pull/13870 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4NLJVOJMB6ANDI • CWE-295: Improper Certificate Validation •
CVSS: 5.3EPSS: 0%CPEs: 29EXPL: 1CVE-2019-15718 – systemd: systemd-resolved allows unprivileged users to configure DNS
https://notcve.org/view.php?id=CVE-2019-15718
In systemd 240, bus_open_system_watch_bind_with_description in shared/bus-util.c (as used by systemd-resolved to connect to the system D-Bus instance), calls sd_bus_set_trusted, which disables access controls for incoming D-Bus messages. An unprivileged user can exploit this by executing D-Bus methods that should be restricted to privileged users, in order to change the system's DNS resolver settings. En systemd versión 240, la función bus_open_system_watch_bind_with_description en el archivo shared/bus-util.c (como es usado en systemd-resolve para conectarse a la instancia del sistema D-Bus), llama a sd_bus_set_trusted, lo que deshabilita los controles de acceso para los mensajes entrantes de D-Bus. Un usuario no privilegiado puede explotar esto mediante la ejecución de métodos D-Bus que deberían estar restringidos para usuarios con privilegios, para cambiar la configuración de la resolución DNS. An improper authorization flaw was discovered in systemd-resolved in the way it configures the exposed DBus interface org.freedesktop.resolve1. • http://www.openwall.com/lists/oss-security/2019/09/03/1 https://access.redhat.com/errata/RHSA-2019:3592 https://access.redhat.com/errata/RHSA-2019:3941 https://bugzilla.redhat.com/show_bug.cgi?id=1746057 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BRE5IS24XTF5WNZGH2L7GSQJKARBOEGL https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HIKGKXZ5OEGOEYURHLJHEMFYNLEGAW5B https://lists.fedoraproject.org/archives/list/package-announce% • CWE-285: Improper Authorization •
CVSS: 9.8EPSS: 0%CPEs: 5EXPL: 0CVE-2018-20839
https://notcve.org/view.php?id=CVE-2018-20839
systemd 242 changes the VT1 mode upon a logout, which allows attackers to read cleartext passwords in certain circumstances, such as watching a shutdown, or using Ctrl-Alt-F1 and Ctrl-Alt-F2. This occurs because the KDGKBMODE (aka current keyboard mode) check is mishandled. El systemd 242 cambia el VT1 mode al terminar la sesión, esto permite a los atacantes leer contraseñas de texto simple en algunas circunstancias, tales como ver un apagado o usar Ctrl-Alt-F1 y Ctrl-Alt-F2. Esto ocurre porque la comprobación KDGKBMODE (también conocido como modo de teclado actual) es manejada incorrectamente. • http://www.securityfocus.com/bid/108389 https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1803993 https://github.com/systemd/systemd/commit/9725f1a10f80f5e0ae7d9b60547458622aeb322f https://github.com/systemd/systemd/pull/12378 https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E https://security.netapp.com/advisory/ntap-20190530-0002 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.8EPSS: 0%CPEs: 10EXPL: 1CVE-2019-3843 – systemd - DynamicUser can Create setuid Binaries when Assisted by Another Process
https://notcve.org/view.php?id=CVE-2019-3843
It was discovered that a systemd service that uses DynamicUser property can create a SUID/SGID binary that would be allowed to run as the transient service UID/GID even after the service is terminated. A local attacker may use this flaw to access resources that will be owned by a potentially different service in the future, when the UID/GID will be recycled. Se descubrió que un servicio systemd que utiliza la propiedad DynamicUser puede crear un binario SUID/SGID que podría ejecutarse como servicio transitorio UID/GID incluso después de que el servicio haya terminado. Un atacante local puede utilizar esta vulnerabilidad para acceder a recursos que serán propiedad de un servicio potencialmente diferente en el futuro, cuando el UID/GID sea reciclado. It was discovered that a systemd service that uses DynamicUser property can create a SUID/SGID binary that would be allowed to run as the transient service UID/GID even after the service is terminated. • https://www.exploit-db.com/exploits/46760 http://www.securityfocus.com/bid/108116 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3843 https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b%40%3Cissues.bookkeeper.apache.org%3E https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4%40%3Cissues.bookkeeper.apache.org%3E https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5JXQAKSTMABZ46EVCRMW62DHWYHTTFES https://security.netap • CWE-266: Incorrect Privilege Assignment CWE-269: Improper Privilege Management •