An issue was discovered in systemd 253. An attacker can modify the contents of past events in a sealed log file and then adjust the file such that checking the integrity shows no error, despite modifications. NOTE: the vendor reportedly sent "a reply denying that any of the finding was a security vulnerability."
Source: MITRE
Max CVSS
5.3
EPSS Score
0.06%
Published
2023-06-13
Updated
2024-05-17
An issue was discovered in systemd 253. An attacker can truncate a sealed log file and then resume log sealing such that checking the integrity shows no error, despite modifications. NOTE: the vendor reportedly sent "a reply denying that any of the finding was a security vulnerability."
Source: MITRE
Max CVSS
5.3
EPSS Score
0.06%
Published
2023-06-13
Updated
2024-05-17
An issue was discovered in systemd 253. An attacker can modify a sealed log file such that, in some views, not all existing and sealed log messages are displayed. NOTE: the vendor reportedly sent "a reply denying that any of the finding was a security vulnerability."
Source: MITRE
Max CVSS
5.3
EPSS Score
0.06%
Published
2023-06-13
Updated
2024-05-17
systemd before 247 does not adequately block local privilege escalation for some Sudo configurations, e.g., plausible sudoers files in which the "systemctl status" command may be executed. Specifically, systemd does not set LESSSECURE to 1, and thus other programs may be launched from the less program. This presents a substantial security risk when running systemctl from Sudo, because less executes as root when the terminal size is too small to show the complete systemctl output.
Source: MITRE
Max CVSS
7.8
EPSS Score
0.05%
Published
2023-03-03
Updated
2023-08-11
A vulnerability was found in systemd-resolved. This issue may allow systemd-resolved to accept records of DNSSEC-signed domains even when they have no signature, allowing man-in-the-middles (or the upstream DNS resolver) to manipulate records.
Source: Red Hat, Inc.
Max CVSS
5.9
EPSS Score
0.10%
Published
2023-12-23
Updated
2024-05-22
systemd 250 and 251 allows local users to achieve a systemd-coredump deadlock by triggering a crash that has a long backtrace. This occurs in parse_elf_object in shared/elf-util.c. The exploitation methodology is to crash a binary calling the same function recursively, and put it in a deeply nested directory to make its backtrace large enough to cause the deadlock. This must be done 16 times when MaxConnections=16 is set for the systemd/units/systemd-coredump.socket file.
Source: MITRE
Max CVSS
5.5
EPSS Score
0.04%
Published
2022-11-23
Updated
2023-03-01
A vulnerability was found in systemd. This security flaw can cause a local information leak due to systemd-coredump not respecting the fs.suid_dumpable kernel setting.
Source: Red Hat, Inc.
Max CVSS
5.5
EPSS Score
0.04%
Published
2023-01-11
Updated
2023-02-02
An off-by-one Error issue was discovered in Systemd in format_timespan() function of time-util.c. An attacker could supply specific values for time and accuracy that leads to buffer overrun in format_timespan(), leading to a Denial of Service.
Source: Red Hat, Inc.
Max CVSS
5.5
EPSS Score
0.04%
Published
2022-11-08
Updated
2023-06-29
A use-after-free vulnerability was found in systemd. This issue occurs due to the on_stream_io() function and dns_stream_complete() function in 'resolved-dns-stream.c' not incrementing the reference counting for the DnsStream object. Therefore, other functions and callbacks called can dereference the DNSStream object, causing the use-after-free when the reference is still used later.
Source: Red Hat, Inc.
Max CVSS
9.8
EPSS Score
0.21%
Published
2022-09-09
Updated
2023-01-20
basic/unit-name.c in systemd prior to 246.15, 247.8, 248.5, and 249.1 has a Memory Allocation with an Excessive Size Value (involving strdupa and alloca for a pathname controlled by a local attacker) that results in an operating system crash.
Source: MITRE
Max CVSS
5.5
EPSS Score
0.04%
Published
2021-07-20
Updated
2022-06-14
A flaw was found in systemd. An uncontrolled recursion in systemd-tmpfiles may lead to a denial of service at boot time when too many nested directories are created in /tmp.
Source: Red Hat, Inc.
Max CVSS
5.5
EPSS Score
0.06%
Published
2022-08-23
Updated
2023-05-03
systemd through v245 mishandles numerical usernames such as ones composed of decimal digits or 0x followed by hex digits, as demonstrated by use of root privileges when privileges of the 0x0 user account were intended. NOTE: this issue exists because of an incomplete fix for CVE-2017-1000082.
Source: MITRE
Max CVSS
6.7
EPSS Score
0.04%
Published
2020-06-03
Updated
2022-01-31
An exploitable denial-of-service vulnerability exists in Systemd 245. A specially crafted DHCP FORCERENEW packet can cause a server running the DHCP client to be vulnerable to a DHCP ACK spoofing attack. An attacker can forge a pair of FORCERENEW and DCHP ACK packets to reconfigure the server.
Source: Talos
Max CVSS
6.1
EPSS Score
0.14%
Published
2021-05-10
Updated
2022-10-07
A heap use-after-free vulnerability was found in systemd before version v245-rc1, where asynchronous Polkit queries are performed while handling dbus messages. A local unprivileged attacker can abuse this flaw to crash systemd services or potentially execute code and elevate their privileges, by sending specially crafted dbus messages.
Source: Red Hat, Inc.
Max CVSS
7.8
EPSS Score
0.05%
Published
2020-03-31
Updated
2022-11-29
An issue was discovered in button_open in login/logind-button.c in systemd before 243. When executing the udevadm trigger command, a memory leak may occur.
Source: MITRE
Max CVSS
2.4
EPSS Score
0.13%
Published
2020-01-21
Updated
2022-01-28
In systemd 240, bus_open_system_watch_bind_with_description in shared/bus-util.c (as used by systemd-resolved to connect to the system D-Bus instance), calls sd_bus_set_trusted, which disables access controls for incoming D-Bus messages. An unprivileged user can exploit this by executing D-Bus methods that should be restricted to privileged users, in order to change the system's DNS resolver settings.
Source: MITRE
Max CVSS
4.4
EPSS Score
0.07%
Published
2019-09-04
Updated
2022-02-20
An issue was discovered in sd-bus in systemd 239. bus_process_object() in libsystemd/sd-bus/bus-objects.c allocates a variable-length stack buffer for temporarily storing the object path of incoming D-Bus messages. An unprivileged local user can exploit this by sending a specially crafted message to PID1, causing the stack pointer to jump over the stack guard pages into an unmapped memory region and trigger a denial of service (systemd PID1 crash and kernel panic).
Source: MITRE
Max CVSS
5.5
EPSS Score
0.04%
Published
2019-03-21
Updated
2022-02-20
It was discovered that a systemd service that uses DynamicUser property can get new privileges through the execution of SUID binaries, which would allow to create binaries owned by the service transient group with the setgid bit set. A local attacker may use this flaw to access resources that will be owned by a potentially different service in the future, when the GID will be recycled.
Source: Red Hat, Inc.
Max CVSS
7.8
EPSS Score
0.04%
Published
2019-04-26
Updated
2022-01-31
It was discovered that a systemd service that uses DynamicUser property can create a SUID/SGID binary that would be allowed to run as the transient service UID/GID even after the service is terminated. A local attacker may use this flaw to access resources that will be owned by a potentially different service in the future, when the UID/GID will be recycled.
Source: Red Hat, Inc.
Max CVSS
7.8
EPSS Score
0.04%
Published
2019-04-26
Updated
2022-01-31
In systemd before v242-rc4, it was discovered that pam_systemd does not properly sanitize the environment before using the XDG_SEAT variable. It is possible for an attacker, in some particular configurations, to set a XDG_SEAT environment variable which allows for commands to be checked against polkit policies using the "allow_active" element rather than "allow_any".
Source: Red Hat, Inc.
Max CVSS
7.0
EPSS Score
0.22%
Published
2019-04-09
Updated
2022-01-31
systemd 239 through 245 accepts any certificate signed by a trusted certificate authority for DNS Over TLS. Server Name Indication (SNI) is not sent, and there is no hostname validation with the GnuTLS backend. NOTE: This has been disputed by the developer as not a vulnerability since hostname validation does not have anything to do with this issue (i.e. there is no hostname to be sent)
Source: MITRE
Max CVSS
9.8
EPSS Score
0.82%
Published
2019-10-30
Updated
2024-05-17
systemd 242 changes the VT1 mode upon a logout, which allows attackers to read cleartext passwords in certain circumstances, such as watching a shutdown, or using Ctrl-Alt-F1 and Ctrl-Alt-F2. This occurs because the KDGKBMODE (aka current keyboard mode) check is mishandled.
Source: MITRE
Max CVSS
9.8
EPSS Score
1.75%
Published
2019-05-17
Updated
2022-02-20
It was discovered systemd does not correctly check the content of PIDFile files before using it to kill processes. When a service is run from an unprivileged user (e.g. User field set in the service file), a local attacker who is able to write to the PIDFile of the mentioned service may use this flaw to trick systemd into killing other services and/or privileged processes. Versions before v237 are vulnerable.
Source: Red Hat, Inc.
Max CVSS
4.7
EPSS Score
0.04%
Published
2019-01-14
Updated
2022-01-31
An out of bounds read was discovered in systemd-journald in the way it parses log messages that terminate with a colon ':'. A local attacker can use this flaw to disclose process memory data. Versions from v221 to v239 are vulnerable.
Source: Red Hat, Inc.
Max CVSS
4.3
EPSS Score
0.04%
Published
2019-01-11
Updated
2023-02-13
An allocation of memory without limits, that could result in the stack clashing with another memory region, was discovered in systemd-journald when many entries are sent to the journal socket. A local attacker, or a remote one if systemd-journal-remote is used, may use this flaw to crash systemd-journald or execute code with journald privileges. Versions through v240 are vulnerable.
Source: Red Hat, Inc.
Max CVSS
7.8
EPSS Score
0.04%
Published
2019-01-11
Updated
2023-02-13
47 vulnerabilities found
1 2
This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to CVEdetails.com terms of use!