CVE-2022-45873

systemd: deadlock in systemd-coredump via a crash with a long backtrace

Severity Score

5.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

systemd 250 and 251 allows local users to achieve a systemd-coredump deadlock by triggering a crash that has a long backtrace. This occurs in parse_elf_object in shared/elf-util.c. The exploitation methodology is to crash a binary calling the same function recursively, and put it in a deeply nested directory to make its backtrace large enough to cause the deadlock. This must be done 16 times when MaxConnections=16 is set for the systemd/units/systemd-coredump.socket file.

systemd 250 y 251 permiten a los usuarios locales lograr un punto muerto en systemd-coredump al desencadenar un bloqueo que tiene un largo backtrace. Esto ocurre en parse_elf_object enshared/elf-util.c. La metodología de explotación consiste en bloquear un binario que llama a la misma función de forma recursiva y colocarlo en un directorio profundamente anidado para que su seguimiento sea lo suficientemente grande como para provocar el punto muerto. Esto se debe hacer 16 veces cuando se establece MaxConnections=16 para el archivo systemd/units/systemd-coredump.socket.

A flaw was found in the systemd-coredump utility of systemd. When an application crashes, the systemd-coredump utility is called twice, once by the kernel and the second time in the systemd-coredump@.service to write the data, process, and save the core file. Communication between the programs is made through a pipe, and when there is too much data through a long backtrace or many linked libraries, the pipe blocks while waiting for the data, resulting in a timeout of the systemd-coredump@.service.

*Credits: N/A

CVSS Scores

NISTv3.1 5.5

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2022-11-23 CVE Reserved
2022-11-23 CVE Published
2023-03-08 EPSS Updated
2024-08-03 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-400: Uncontrolled Resource Consumption
CWE-833: Deadlock

CAPEC

References (6)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC
https://github.com/systemd/systemd/commit/076b807be472630692c5348c60d0c2b7b28ad437	2023-11-07
https://github.com/systemd/systemd/pull/24853#issuecomment-1326561497	2023-11-07
https://github.com/systemd/systemd/pull/25055#issuecomment-1313733553	2023-11-07

URL	Date	SRC
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MS5N5SLYAHKENLAJWYBDKU55ICU3SVZF	2023-11-07
https://access.redhat.com/security/cve/CVE-2022-45873	2023-02-28
https://bugzilla.redhat.com/show_bug.cgi?id=2149063	2023-02-28

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Systemd Project Search vendor "Systemd Project"		Systemd Search vendor "Systemd Project" for product "Systemd"				>= 250 <= 251 Search vendor "Systemd Project" for product "Systemd" and version " >= 250 <= 251"		-		Affected
Systemd Project Search vendor "Systemd Project"		Systemd Search vendor "Systemd Project" for product "Systemd"				252 Search vendor "Systemd Project" for product "Systemd" and version "252"		rc1		Affected
Systemd Project Search vendor "Systemd Project"		Systemd Search vendor "Systemd Project" for product "Systemd"				252 Search vendor "Systemd Project" for product "Systemd" and version "252"		rc2		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				36 Search vendor "Fedoraproject" for product "Fedora" and version "36"		-		Affected