CVE-2018-15686 – systemd: reexec state injection: fgets() on overlong lines leads to line splitting
https://notcve.org/view.php?id=CVE-2018-15686
A vulnerability in unit_deserialize of systemd allows an attacker to supply arbitrary state across systemd re-execution via NotifyAccess. This can be used to improperly influence systemd execution and possibly lead to root privilege escalation. Affected releases are systemd versions up to and including 239.
References: https://www.exploit-db.com/exploits/45714 • http://www.securityfocus.com/bid/105747 • https://access.redhat.com/errata/RHSA-2019:2091 • https://access.redhat.com/errata/RHSA-2019:3222 • https://access.redhat.com/errata/RHSA-2020:0593 • https://github.com/systemd/systemd/pull/10519 • https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0%40%3Cissues.bookkeeper.apache.org%3E • https://lists.debian.org/debian-lts-announce/2018/11/msg00017.html • https://security.gentoo.org/gl
Weakness: CWE-20: Improper Input Validation • CWE-502: Deserialization of Untrusted Data
CVE-2018-6954
https://notcve.org/view.php?id=CVE-2018-6954
systemd-tmpfiles in systemd through 237 mishandles symlinks present in non-terminal path components, which allows local users to obtain ownership of arbitrary files via vectors involving creation of a directory and a file under that directory, and later replacing that directory with a symlink. This occurs even if the fs.protected_symlinks sysctl is turned on.
References: http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00062.html • https://github.com/systemd/systemd/issues/7986 • https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b%40%3Cissues.bookkeeper.apache.org%3E • https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4%40%3Cissues.bookkeeper.apache.org%3E • https://usn.ubuntu.com/3816-1 • https://usn.ubuntu.com/3816-2
Weakness: CWE-59: Improper Link Resolution Before File Access ('Link Following')
CVE-2017-18078 – systemd (systemd-tmpfiles) < 236 - 'fs.protected_hardlinks=0' Local Privilege Escalation
https://notcve.org/view.php?id=CVE-2017-18078
systemd-tmpfiles in systemd before 237 attempts to support ownership/permission changes on hardlinked files even if the fs.protected_hardlinks sysctl is turned off, which allows local users to bypass intended access restrictions via vectors involving a hard link to a file for which the user lacks write access, as demonstrated by changing the ownership of the /etc/passwd file. systemd (systemd-tmpfiles) versions prior to 236 suffer from an fs.protected_hardlinks=0 local privilege escalation vulnerability.
References: https://www.exploit-db.com/exploits/43935 • http://lists.opensuse.org/opensuse-updates/2018-02/msg00109.html • http://packetstormsecurity.com/files/146184/systemd-Local-Privilege-Escalation.html • http://www.openwall.com/lists/oss-security/2018/01/29/3 • https://github.com/systemd/systemd/issues/7736 • https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b%40%3Cissues.bookkeeper.apache.org%3E • https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4%40%3Cissues.bookkee
Weakness: CWE-59: Improper Link Resolution Before File Access ('Link Following')
CVE-2017-15908 – systemd Network Name Resolution Manager NSEC Resource Record Pseudo-Types Denial of Service Vulnerability
https://notcve.org/view.php?id=CVE-2017-15908
In systemd 223 through 235, a remote DNS server can respond with a custom crafted DNS NSEC resource record to trigger an infinite loop in the dns_packet_read_type_window() function of the 'systemd-resolved' service and cause a DoS of the affected service. This vulnerability allows remote attackers to cause a denial of service condition on vulnerable installations of systemd Network Name Resolution Manager. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of NSEC resource records in systemd-resolved. The issue results from the lack of proper handling of the pseudo-types in the NSEC bitmap, which causes an infinite loop.
References: http://www.securityfocus.com/bid/101600 • http://www.securitytracker.com/id/1039662 • https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1725351 • https://github.com/systemd/systemd/pull/7184 • https://usn.ubuntu.com/3558-1
Weakness: CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')
CVE-2013-4392
https://notcve.org/view.php?id=CVE-2013-4392
systemd, when updating file permissions, allows local users to change the permissions and SELinux security contexts for arbitrary files via a symlink attack on unspecified files.
References: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=725357 • http://www.openwall.com/lists/oss-security/2013/10/01/9 • https://bugzilla.redhat.com/show_bug.cgi?id=859060
Weakness: CWE-59: Improper Link Resolution Before File Access ('Link Following')