CVE-2018-15686
systemd: reexec state injection: fgets() on overlong lines leads to line splitting
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
1Exploited in Wild
-Decision
Descriptions
A vulnerability in unit_deserialize of systemd allows an attacker to supply arbitrary state across systemd re-execution via NotifyAccess. This can be used to improperly influence systemd execution and possibly lead to root privilege escalation. Affected releases are systemd versions up to and including 239.
Una vulnerabilidad en unit_deserialize de systemd permite que un atacante proporcione estados arbitrarios en la reejecución de systemd mediante NotifyAccess. Esto puede emplearse para influenciar incorrectamente la ejecución de systemd y podría conducir a un escalado de privilegios root. Las versiones afectadas de systemd son todas hasta la 239 incluida.
It was discovered that systemd is vulnerable to a state injection attack when deserializing the state of a service. Properties longer than LINE_MAX are not correctly parsed and an attacker may abuse this flaw in particularly configured services to inject, change, or corrupt the service state.
Linux has an issue with systemd where overlong input to fgets() during reexec state injection can lead to line splitting.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2018-08-22 CVE Reserved
- 2018-10-26 CVE Published
- 2024-09-16 CVE Updated
- 2024-09-16 First Exploit
- 2024-10-05 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-20: Improper Input Validation
- CWE-502: Deserialization of Untrusted Data
CAPEC
References (13)
URL | Tag | Source |
---|---|---|
http://www.securityfocus.com/bid/105747 | Third Party Advisory | |
https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0%40%3Cissues.bookkeeper.apache.org%3E | Mailing List | |
https://lists.debian.org/debian-lts-announce/2018/11/msg00017.html | Mailing List | |
https://www.oracle.com//security-alerts/cpujul2021.html | Third Party Advisory |
URL | Date | SRC |
---|---|---|
https://www.exploit-db.com/exploits/45714 | 2024-09-16 |
URL | Date | SRC |
---|---|---|
https://github.com/systemd/systemd/pull/10519 | 2023-11-07 |
URL | Date | SRC |
---|---|---|
https://access.redhat.com/errata/RHSA-2019:2091 | 2023-11-07 | |
https://access.redhat.com/errata/RHSA-2019:3222 | 2023-11-07 | |
https://access.redhat.com/errata/RHSA-2020:0593 | 2023-11-07 | |
https://security.gentoo.org/glsa/201810-10 | 2023-11-07 | |
https://usn.ubuntu.com/3816-1 | 2023-11-07 | |
https://access.redhat.com/security/cve/CVE-2018-15686 | 2020-04-01 | |
https://bugzilla.redhat.com/show_bug.cgi?id=1639071 | 2020-04-01 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Canonical Search vendor "Canonical" | Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux" | 16.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "16.04" | esm |
Affected
| ||||||
Canonical Search vendor "Canonical" | Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux" | 18.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "18.04" | lts |
Affected
| ||||||
Canonical Search vendor "Canonical" | Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux" | 18.10 Search vendor "Canonical" for product "Ubuntu Linux" and version "18.10" | - |
Affected
| ||||||
Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 8.0 Search vendor "Debian" for product "Debian Linux" and version "8.0" | - |
Affected
| ||||||
Systemd Project Search vendor "Systemd Project" | Systemd Search vendor "Systemd Project" for product "Systemd" | <= 239 Search vendor "Systemd Project" for product "Systemd" and version " <= 239" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Communications Cloud Native Core Network Function Cloud Native Environment Search vendor "Oracle" for product "Communications Cloud Native Core Network Function Cloud Native Environment" | 1.4.0 Search vendor "Oracle" for product "Communications Cloud Native Core Network Function Cloud Native Environment" and version "1.4.0" | - |
Affected
|