CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 2CVE-2023-26604 – systemd: privilege escalation via the less pager
https://notcve.org/view.php?id=CVE-2023-26604
systemd before 247 does not adequately block local privilege escalation for some Sudo configurations, e.g., plausible sudoers files in which the "systemctl status" command may be executed. Specifically, systemd does not set LESSSECURE to 1, and thus other programs may be launched from the less program. This presents a substantial security risk when running systemctl from Sudo, because less executes as root when the terminal size is too small to show the complete systemctl output. A vulnerability was found in the systemd package. The systemd package does not adequately block local privilege escalation for some Sudo configurations, for example, plausible sudoers files, in which the "systemctl status" command may be executed. • https://github.com/Zenmovie/CVE-2023-26604 http://packetstormsecurity.com/files/174130/systemd-246-Local-Root-Privilege-Escalation.html https://blog.compass-security.com/2012/10/dangerous-sudoers-entries-part-2-insecure-functionality https://github.com/systemd/systemd/blob/main/NEWS#L4335-L4340 https://lists.debian.org/debian-lts-announce/2023/03/msg00032.html https://medium.com/%40zenmoviefornotification/saidov-maxim-cve-2023-26604-c1232a526ba7 https://security.netapp.com/advisory/ntap-20230505-0009 https:& •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2022-45873 – systemd: deadlock in systemd-coredump via a crash with a long backtrace
https://notcve.org/view.php?id=CVE-2022-45873
systemd 250 and 251 allows local users to achieve a systemd-coredump deadlock by triggering a crash that has a long backtrace. This occurs in parse_elf_object in shared/elf-util.c. The exploitation methodology is to crash a binary calling the same function recursively, and put it in a deeply nested directory to make its backtrace large enough to cause the deadlock. This must be done 16 times when MaxConnections=16 is set for the systemd/units/systemd-coredump.socket file. systemd 250 y 251 permiten a los usuarios locales lograr un punto muerto en systemd-coredump al desencadenar un bloqueo que tiene un largo backtrace. Esto ocurre en parse_elf_object enshared/elf-util.c. • https://github.com/systemd/systemd/commit/076b807be472630692c5348c60d0c2b7b28ad437 https://github.com/systemd/systemd/pull/24853#issuecomment-1326561497 https://github.com/systemd/systemd/pull/25055#issuecomment-1313733553 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MS5N5SLYAHKENLAJWYBDKU55ICU3SVZF https://access.redhat.com/security/cve/CVE-2022-45873 https://bugzilla.redhat.com/show_bug.cgi?id=2149063 • CWE-400: Uncontrolled Resource Consumption CWE-833: Deadlock •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 1CVE-2022-3821 – systemd: buffer overrun in format_timespan() function
https://notcve.org/view.php?id=CVE-2022-3821
An off-by-one Error issue was discovered in Systemd in format_timespan() function of time-util.c. An attacker could supply specific values for time and accuracy that leads to buffer overrun in format_timespan(), leading to a Denial of Service. Se descubrió un problema de error de uno en uno en Systemd en la función format_timespan() de time-util.c. Un atacante podría proporcionar valores específicos de tiempo y precisión que provoquen una saturación del búfer en format_timespan(), lo que provocará una Denegación de Servicio (DoS). An off-by-one error flaw was found in systemd in the format_timespan() function of time-util.c. • https://bugzilla.redhat.com/show_bug.cgi?id=2139327 https://github.com/systemd/systemd/commit/9102c625a673a3246d7e73d8737f3494446bad4e https://github.com/systemd/systemd/issues/23928 https://github.com/systemd/systemd/pull/23933 https://lists.debian.org/debian-lts-announce/2023/06/msg00036.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RVBQC2VLSDVQAPJTEMTREXDL4HYLXG2P https://security.gentoo.org/glsa/202305-15 https://access.redhat.com/security/cve/CVE-2022- • CWE-193: Off-by-one Error •
CVSS: 5.5EPSS: 0%CPEs: 9EXPL: 2CVE-2021-33910 – systemd: uncontrolled allocation on the stack in function unit_name_path_escape leads to crash
https://notcve.org/view.php?id=CVE-2021-33910
basic/unit-name.c in systemd prior to 246.15, 247.8, 248.5, and 249.1 has a Memory Allocation with an Excessive Size Value (involving strdupa and alloca for a pathname controlled by a local attacker) that results in an operating system crash. basic/unit-name.c en systemd anterior a las versiones 246.15, 247.8, 248.5 y 249.1 tiene una asignación de memoria con un valor de tamaño excesivo (que involucra a strdupa y alloca para un nombre de ruta controlado por un atacante local) que resulta en una caída del sistema operativo A flaw was found in systemd. The use of alloca function with an uncontrolled size in function unit_name_path_escape allows a local attacker, able to mount a filesystem on a very long path, to crash systemd and the whole system by allocating a very large space in the stack. The highest threat from this vulnerability is to the system availability. • http://packetstormsecurity.com/files/163621/Sequoia-A-Deep-Root-In-Linuxs-Filesystem-Layer.html http://www.openwall.com/lists/oss-security/2021/08/04/2 http://www.openwall.com/lists/oss-security/2021/08/17/3 http://www.openwall.com/lists/oss-security/2021/09/07/3 https://cert-portal.siemens.com/productcert/pdf/ssa-222547.pdf https://github.com/systemd/systemd-stable/commit/4a1c5f34bd3e1daed4490e9d97918e504d19733b https://github.com/systemd/systemd-stable/commit/764b74113e36ac5219a4b82a05f311b5a92136ce • CWE-400: Uncontrolled Resource Consumption CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 6.7EPSS: 0%CPEs: 4EXPL: 0CVE-2020-13776 – systemd: Mishandles numerical usernames beginning with decimal digits or 0x followed by hexadecimal digits
https://notcve.org/view.php?id=CVE-2020-13776
systemd through v245 mishandles numerical usernames such as ones composed of decimal digits or 0x followed by hex digits, as demonstrated by use of root privileges when privileges of the 0x0 user account were intended. NOTE: this issue exists because of an incomplete fix for CVE-2017-1000082. systemd versiones hasta v245 maneja inapropiadamente los nombres de usuario numéricos, tales como los compuestos por dígitos decimales o 0x seguidos de dígitos hexadecimales, como es demostrado por el uso de privilegios root cuando era previsto privilegios de la cuenta de usuario 0x0. NOTA: este problema se presenta debido a una corrección incompleta para CVE-2017-1000082. A flaw was found in systemd, where it mishandles numerical usernames beginning with decimal digits, or "0x" followed by hexadecimal digits. When the usernames are used by systemd, for example in service units, an unexpected user may be used instead. • https://github.com/systemd/systemd/issues/15985 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IYGLFEKG45EYBJ7TPQMLWROWPTZBEU63 https://security.netapp.com/advisory/ntap-20200611-0003 https://access.redhat.com/security/cve/CVE-2020-13776 https://bugzilla.redhat.com/show_bug.cgi?id=1845534 • CWE-269: Improper Privilege Management CWE-440: Expected Behavior Violation •