Vulnerabilities > CVE-2018-15688 - Classic Buffer Overflow vulnerability in multiple products

047910
CVSS 8.8 - HIGH
Attack vector
ADJACENT_NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH

Summary

A buffer overflow vulnerability in the dhcp6 client of systemd allows a malicious dhcp6 server to overwrite heap memory in systemd-networkd. Affected releases are systemd: versions up to and including 239.

Vulnerable Configurations

Part Description Count
Application
Systemd_Project
128
OS
Debian
1
OS
Canonical
3
OS
Redhat
6

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • Client-side Injection-induced Buffer Overflow
    This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
  • Filter Failure through Buffer Overflow
    In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
  • MIME Conversion
    An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.

Nessus

  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2018-3665.NASL
    descriptionAn update for NetworkManager is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. NetworkManager is a system network service that manages network devices and connections, attempting to keep active network connectivity when available. Its capabilities include managing Ethernet, wireless, mobile broadband (WWAN), and PPPoE devices, as well as providing VPN integration with a variety of different VPN services. Security Fix(es) : * systemd: Out-of-bounds heap write in systemd-networkd dhcpv6 option handling (CVE-2018-15688) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Red Hat would like to thank Ubuntu Security Team for reporting this issue. Upstream acknowledges Felix Wilhelm (Google) as the original reporter.
    last seen2020-06-01
    modified2020-06-02
    plugin id119172
    published2018-11-27
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/119172
    titleRHEL 7 : NetworkManager (RHSA-2018:3665)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2018:3665. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(119172);
      script_version("1.8");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/07/08");
    
      script_cve_id("CVE-2018-15688");
      script_xref(name:"RHSA", value:"2018:3665");
    
      script_name(english:"RHEL 7 : NetworkManager (RHSA-2018:3665)");
      script_summary(english:"Checks the rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis",
        value:"The remote Red Hat host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description",
        value:
    "An update for NetworkManager is now available for Red Hat Enterprise
    Linux 7.
    
    Red Hat Product Security has rated this update as having a security
    impact of Important. A Common Vulnerability Scoring System (CVSS) base
    score, which gives a detailed severity rating, is available for each
    vulnerability from the CVE link(s) in the References section.
    
    NetworkManager is a system network service that manages network
    devices and connections, attempting to keep active network
    connectivity when available. Its capabilities include managing
    Ethernet, wireless, mobile broadband (WWAN), and PPPoE devices, as
    well as providing VPN integration with a variety of different VPN
    services.
    
    Security Fix(es) :
    
    * systemd: Out-of-bounds heap write in systemd-networkd dhcpv6 option
    handling (CVE-2018-15688)
    
    For more details about the security issue(s), including the impact, a
    CVSS score, and other related information, refer to the CVE page(s)
    listed in the References section.
    
    Red Hat would like to thank Ubuntu Security Team for reporting this
    issue. Upstream acknowledges Felix Wilhelm (Google) as the original
    reporter."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2018:3665"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-15688"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:NetworkManager");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:NetworkManager-adsl");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:NetworkManager-bluetooth");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:NetworkManager-config-server");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:NetworkManager-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:NetworkManager-dispatcher-routing-rules");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:NetworkManager-glib");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:NetworkManager-glib-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:NetworkManager-libnm");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:NetworkManager-libnm-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:NetworkManager-ovs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:NetworkManager-ppp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:NetworkManager-team");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:NetworkManager-tui");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:NetworkManager-wifi");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:NetworkManager-wwan");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7.6");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/10/26");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/11/26");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/11/27");
      script_set_attribute(attribute:"in_the_news", value:"true");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 7.x", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2018:3665";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {
      flag = 0;
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"NetworkManager-1.12.0-8.el7_6")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"NetworkManager-1.12.0-8.el7_6")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"NetworkManager-adsl-1.12.0-8.el7_6")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"NetworkManager-adsl-1.12.0-8.el7_6")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"NetworkManager-bluetooth-1.12.0-8.el7_6")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"NetworkManager-bluetooth-1.12.0-8.el7_6")) flag++;
    
      if (rpm_check(release:"RHEL7", reference:"NetworkManager-config-server-1.12.0-8.el7_6")) flag++;
    
      if (rpm_check(release:"RHEL7", reference:"NetworkManager-debuginfo-1.12.0-8.el7_6")) flag++;
    
      if (rpm_check(release:"RHEL7", reference:"NetworkManager-dispatcher-routing-rules-1.12.0-8.el7_6")) flag++;
    
      if (rpm_check(release:"RHEL7", reference:"NetworkManager-glib-1.12.0-8.el7_6")) flag++;
    
      if (rpm_check(release:"RHEL7", reference:"NetworkManager-glib-devel-1.12.0-8.el7_6")) flag++;
    
      if (rpm_check(release:"RHEL7", reference:"NetworkManager-libnm-1.12.0-8.el7_6")) flag++;
    
      if (rpm_check(release:"RHEL7", reference:"NetworkManager-libnm-devel-1.12.0-8.el7_6")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"NetworkManager-ovs-1.12.0-8.el7_6")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"NetworkManager-ovs-1.12.0-8.el7_6")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"NetworkManager-ppp-1.12.0-8.el7_6")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"NetworkManager-ppp-1.12.0-8.el7_6")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"NetworkManager-team-1.12.0-8.el7_6")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"NetworkManager-team-1.12.0-8.el7_6")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"NetworkManager-tui-1.12.0-8.el7_6")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"NetworkManager-tui-1.12.0-8.el7_6")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"NetworkManager-wifi-1.12.0-8.el7_6")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"NetworkManager-wifi-1.12.0-8.el7_6")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"NetworkManager-wwan-1.12.0-8.el7_6")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"NetworkManager-wwan-1.12.0-8.el7_6")) flag++;
    
    
      if (flag)
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "NetworkManager / NetworkManager-adsl / NetworkManager-bluetooth / etc");
      }
    }
    
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20190114_SYSTEMD_ON_SL7_X.NASL
    descriptionSecurity Fix(es) : - systemd: Out-of-bounds heap write in systemd-networkd dhcpv6 option handling (CVE-2018-15688) - systemd: stack overflow when calling syslog from a command with long cmdline (CVE-2018-16864) - systemd: stack overflow when receiving many journald entries (CVE-2018-16865)
    last seen2020-03-18
    modified2019-01-16
    plugin id121204
    published2019-01-16
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/121204
    titleScientific Linux Security Update : systemd on SL7.x x86_64 (20190114)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text is (C) Scientific Linux.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(121204);
      script_version("1.3");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/02/24");
    
      script_cve_id("CVE-2018-15688", "CVE-2018-16864", "CVE-2018-16865");
    
      script_name(english:"Scientific Linux Security Update : systemd on SL7.x x86_64 (20190114)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Scientific Linux host is missing one or more security
    updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Security Fix(es) :
    
      - systemd: Out-of-bounds heap write in systemd-networkd
        dhcpv6 option handling (CVE-2018-15688)
    
      - systemd: stack overflow when calling syslog from a
        command with long cmdline (CVE-2018-16864)
    
      - systemd: stack overflow when receiving many journald
        entries (CVE-2018-16865)"
      );
      # https://listserv.fnal.gov/scripts/wa.exe?A2=ind1901&L=SCIENTIFIC-LINUX-ERRATA&P=1419
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?d4495fb7"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:libgudev1");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:libgudev1-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:systemd");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:systemd-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:systemd-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:systemd-journal-gateway");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:systemd-libs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:systemd-networkd");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:systemd-python");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:systemd-resolved");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:systemd-sysv");
      script_set_attribute(attribute:"cpe", value:"x-cpe:/o:fermilab:scientific_linux");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/10/26");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/01/14");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/01/16");
      script_set_attribute(attribute:"in_the_news", value:"true");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Scientific Linux Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Scientific Linux " >!< release) audit(AUDIT_HOST_NOT, "running Scientific Linux");
    os_ver = pregmatch(pattern: "Scientific Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Scientific Linux");
    os_ver = os_ver[1];
    if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Scientific Linux 7.x", "Scientific Linux " + os_ver);
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu >!< "x86_64" && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Scientific Linux", cpu);
    if ("x86_64" >!< cpu) audit(AUDIT_ARCH_NOT, "x86_64", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"SL7", cpu:"x86_64", reference:"libgudev1-219-62.el7_6.2")) flag++;
    if (rpm_check(release:"SL7", cpu:"x86_64", reference:"libgudev1-devel-219-62.el7_6.2")) flag++;
    if (rpm_check(release:"SL7", cpu:"x86_64", reference:"systemd-219-62.el7_6.2")) flag++;
    if (rpm_check(release:"SL7", cpu:"x86_64", reference:"systemd-debuginfo-219-62.el7_6.2")) flag++;
    if (rpm_check(release:"SL7", cpu:"x86_64", reference:"systemd-devel-219-62.el7_6.2")) flag++;
    if (rpm_check(release:"SL7", cpu:"x86_64", reference:"systemd-journal-gateway-219-62.el7_6.2")) flag++;
    if (rpm_check(release:"SL7", cpu:"x86_64", reference:"systemd-libs-219-62.el7_6.2")) flag++;
    if (rpm_check(release:"SL7", cpu:"x86_64", reference:"systemd-networkd-219-62.el7_6.2")) flag++;
    if (rpm_check(release:"SL7", cpu:"x86_64", reference:"systemd-python-219-62.el7_6.2")) flag++;
    if (rpm_check(release:"SL7", cpu:"x86_64", reference:"systemd-resolved-219-62.el7_6.2")) flag++;
    if (rpm_check(release:"SL7", cpu:"x86_64", reference:"systemd-sysv-219-62.el7_6.2")) flag++;
    
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libgudev1 / libgudev1-devel / systemd / systemd-debuginfo / etc");
    }
    
  • NASL familyPhotonOS Local Security Checks
    NASL idPHOTONOS_PHSA-2018-1_0-0193_SYSTEMD.NASL
    descriptionAn update of the systemd package has been released.
    last seen2020-03-17
    modified2019-02-07
    plugin id121894
    published2019-02-07
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/121894
    titlePhoton OS 1.0: Systemd PHSA-2018-1.0-0193
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2018-24BD6C9D4A.NASL
    description - Fix a local vulnerability from a race condition in chown-recursive (CVE-2018-15687, #1643367) - Fix a local vulnerability from invalid handling of long lines in state deserialization (CVE-2018-15686, #1643372) - Fix a remote vulnerability in DHCPv6 in systemd-networkd (CVE-2018-15688, #1643362) - Downgrade logging of various messages and add loging in other places - Many many fixes in error handling and minor memory leaks and such - Fix typos and omissions in documentation - Various smaller improvements to unit ordering and dependencies - Handling of invalid (intentionally corrupt) dbus messages is improved, fixing potential local DOS avenues - The target of symlinks links in .wants/ and .requires/ is now ignored. This fixes an issue where the unit file would sometimes be loaded from such a symlink, leading to non-deterministic unit contents. - Filtering of kernel threads is improved. This fixes an issues with newer kernels where hybrid kernel/user threads are used by bpfilter. - Catalog entries for the journal are improved (#1639482) No need to reboot or log out. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2019-01-03
    plugin id120295
    published2019-01-03
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/120295
    titleFedora 28 : systemd (2018-24bd6c9d4a)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-1416.NASL
    descriptionAccording to the versions of the systemd packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : - An allocation of memory without limits, that could result in the stack clashing with another memory region, was discovered in systemd-journald when a program with long command line arguments calls syslog. A local attacker may use this flaw to crash systemd-journald or escalate his privileges.(CVE-2018-16864) - An allocation of memory without limits, that could result in the stack clashing with another memory region, was discovered in systemd-journald when many entries are sent to the journal socket. A local attacker, or a remote one if systemd-journal-remote is used, may use this flaw to crash systemd-journald or execute code with journald privileges.(CVE-2018-16865) - It was discovered that systemd-network does not correctly keep track of a buffer size when constructing DHCPv6 packets. This flaw may lead to an integer underflow that can be used to produce an heap-based buffer overflow. A malicious host on the same network segment as the victim
    last seen2020-06-01
    modified2020-06-02
    plugin id124919
    published2019-05-14
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/124919
    titleEulerOS Virtualization 3.0.1.0 : systemd (EulerOS-SA-2019-1416)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-1322.NASL
    descriptionAccording to the version of the NetworkManager packages installed, the EulerOS installation on the remote host is affected by the following vulnerability : - Out-of-bounds heap write in systemd-networkd dhcpv6 option handling (CVE-2018-15688) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-05-06
    modified2019-05-01
    plugin id124449
    published2019-05-01
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/124449
    titleEulerOS 2.0 SP3 : NetworkManager (EulerOS-SA-2019-1322)
  • NASL familyAmazon Linux Local Security Checks
    NASL idAL2_ALAS-2019-1144.NASL
    descriptionIt was discovered that systemd-network does not correctly keep track of a buffer size when constructing DHCPv6 packets. This flaw may lead to an integer underflow that can be used to produce an heap-based buffer overflow. A malicious host on the same network segment as the victim
    last seen2020-03-17
    modified2019-01-10
    plugin id121053
    published2019-01-10
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/121053
    titleAmazon Linux 2 : NetworkManager (ALAS-2019-1144)
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20181127_NETWORKMANAGER_ON_SL7_X.NASL
    descriptionSecurity Fix(es) : - systemd: Out-of-bounds heap write in systemd-networkd dhcpv6 option handling (CVE-2018-15688)
    last seen2020-03-18
    modified2018-11-28
    plugin id119249
    published2018-11-28
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/119249
    titleScientific Linux Security Update : NetworkManager on SL7.x x86_64 (20181127)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-1233.NASL
    descriptionAccording to the versions of the systemd packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : - An allocation of memory without limits, that could result in the stack clashing with another memory region, was discovered in systemd-journald when many entries are sent to the journal socket. A local attacker, or a remote one if systemd-journal-remote is used, may use this flaw to crash systemd-journald or execute code with journald privileges.i1/4^CVE-2018-16865i1/4%0 - It was discovered that systemd-network does not correctly keep track of a buffer size when constructing DHCPv6 packets. This flaw may lead to an integer underflow that can be used to produce an heap-based buffer overflow. A malicious host on the same network segment as the victim
    last seen2020-03-19
    modified2019-04-04
    plugin id123701
    published2019-04-04
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/123701
    titleEulerOS Virtualization 2.5.4 : systemd (EulerOS-SA-2019-1233)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2018-3767-2.NASL
    descriptionThis update for systemd fixes the following issues : Security issues fixed : CVE-2018-15688: A buffer overflow vulnerability in the dhcp6 client of systemd allowed a malicious dhcp6 server to overwrite heap memory in systemd-networkd. (bsc#1113632) CVE-2018-15686: A vulnerability in unit_deserialize of systemd allows an attacker to supply arbitrary state across systemd re-execution via NotifyAccess. This can be used to improperly influence systemd execution and possibly lead to root privilege escalation. (bsc#1113665) Non-security issues fixed: dhcp6: split assert_return() to be more debuggable when hit core: skip unit deserialization and move to the next one when unit_deserialize() fails core: properly handle deserialization of unknown unit types (#6476) core: don
    last seen2020-06-01
    modified2020-06-02
    plugin id119575
    published2018-12-11
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/119575
    titleSUSE SLED12 / SLES12 Security Update : systemd (SUSE-SU-2018:3767-2)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-1045.NASL
    descriptionAccording to the versions of the systemd packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - systemd: Out-of-bounds heap write in systemd-networkd dhcpv6 option handling (CVE-2018-15688) - systemd: stack overflow when calling syslog from a command with long cmdline (CVE-2018-16864) - systemd: stack overflow when receiving many journald entries (CVE-2018-16865) - systemd: Assertion failure when PID 1 receives a zero-length message over notify socket(CVE-2016-7795) - systemd: Unsafe handling of hard links allowing privilege escalation(CVE-2017-18078) - systemd: Out-of-bounds write in systemd-resolved due to allocating too small buffer in dns_packet_new(CVE-2017-9445) - systemd: memory leak in journald-server.c introduced by fix for CVE-2018-16864 (CVE-2019-3815) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-05-06
    modified2019-02-15
    plugin id122218
    published2019-02-15
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/122218
    titleEulerOS 2.0 SP5 : systemd (EulerOS-SA-2019-1045)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-1119.NASL
    descriptionAccording to the version of the NetworkManager packages installed, the EulerOS installation on the remote host is affected by the following vulnerability : - systemd: Out-of-bounds heap write in systemd-networkd dhcpv6 option handling (CVE-2018-15688) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-05-06
    modified2019-04-02
    plugin id123593
    published2019-04-02
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/123593
    titleEulerOS 2.0 SP2 : NetworkManager (EulerOS-SA-2019-1119)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DLA-1580.NASL
    descriptionsystemd was found to suffer from multiple security vulnerabilities ranging from denial of service attacks to possible root privilege escalation. CVE-2018-1049 A race condition exists between .mount and .automount units such that automount requests from kernel may not be serviced by systemd resulting in kernel holding the mountpoint and any processes that try to use said mount will hang. A race condition like this may lead to denial of service, until mount points are unmounted. CVE-2018-15686 A vulnerability in unit_deserialize of systemd allows an attacker to supply arbitrary state across systemd re-execution via NotifyAccess. This can be used to improperly influence systemd execution and possibly lead to root privilege escalation. CVE-2018-15688 A buffer overflow vulnerability in the dhcp6 client of systemd allows a malicious dhcp6 server to overwrite heap memory in systemd-networkd, which is not enabled by default in Debian. For Debian 8
    last seen2020-06-01
    modified2020-06-02
    plugin id119039
    published2018-11-20
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/119039
    titleDebian DLA-1580-1 : systemd security update
  • NASL familyAmazon Linux Local Security Checks
    NASL idAL2_ALAS-2019-1160.NASL
    descriptionAn allocation of memory without limits, that could result in the stack clashing with another memory region, was discovered in systemd-journald when a program with long command line arguments calls syslog. A local attacker may use this flaw to crash systemd-journald or escalate privileges.(CVE-2018-16864) It was discovered that systemd-network does not correctly keep track of a buffer size when constructing DHCPv6 packets. This flaw may lead to an integer underflow that can be used to produce an heap-based buffer overflow. A malicious host on the same network segment as the victim
    last seen2020-06-01
    modified2020-06-02
    plugin id122161
    published2019-02-14
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/122161
    titleAmazon Linux 2 : systemd (ALAS-2019-1160)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2019-0049.NASL
    descriptionAn update for systemd is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The systemd packages contain systemd, a system and service manager for Linux, compatible with the SysV and LSB init scripts. It provides aggressive parallelism capabilities, uses socket and D-Bus activation for starting services, offers on-demand starting of daemons, and keeps track of processes using Linux cgroups. In addition, it supports snapshotting and restoring of the system state, maintains mount and automount points, and implements an elaborate transactional dependency-based service control logic. It can also work as a drop-in replacement for sysvinit. Security Fix(es) : * systemd: Out-of-bounds heap write in systemd-networkd dhcpv6 option handling (CVE-2018-15688) * systemd: stack overflow when calling syslog from a command with long cmdline (CVE-2018-16864) * systemd: stack overflow when receiving many journald entries (CVE-2018-16865) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Red Hat would like to thank Ubuntu Security Team for reporting CVE-2018-15688 and Qualys Research Labs for reporting CVE-2018-16864 and CVE-2018-16865. Upstream acknowledges Felix Wilhelm (Google) as the original reporter of CVE-2018-15688.
    last seen2020-06-01
    modified2020-06-02
    plugin id121192
    published2019-01-16
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/121192
    titleCentOS 7 : systemd (CESA-2019:0049)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-1107.NASL
    descriptionAccording to the versions of the systemd packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - systemd: Out-of-bounds heap write in systemd-networkd dhcpv6 option handling (CVE-2018-15688) - systemd: stack overflow when calling syslog from a command with long cmdline (CVE-2018-16864) - systemd: stack overflow when receiving many journald entries (CVE-2018-16865) - systemd: Insufficient input validation in bus_process_object() resulting in PID 1 crash (CVE-2019-6454) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-05-06
    modified2019-03-26
    plugin id123120
    published2019-03-26
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/123120
    titleEulerOS 2.0 SP3 : systemd (EulerOS-SA-2019-1107)
  • NASL familyNewStart CGSL Local Security Checks
    NASL idNEWSTART_CGSL_NS-SA-2019-0049_NETWORKMANAGER.NASL
    descriptionThe remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has NetworkManager packages installed that are affected by a vulnerability: - It was discovered that systemd-network does not correctly keep track of a buffer size when constructing DHCPv6 packets. This flaw may lead to an integer underflow that can be used to produce an heap-based buffer overflow. A malicious host on the same network segment as the victim
    last seen2020-06-01
    modified2020-06-02
    plugin id127232
    published2019-08-12
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/127232
    titleNewStart CGSL CORE 5.04 / MAIN 5.04 : NetworkManager Vulnerability (NS-SA-2019-0049)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2018-FC3018B1BD.NASL
    descriptiondhcp: fix out-of-bounds heap write for DHCPv6 with internal plugin (CVE-2018-15688) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2018-11-16
    plugin id119009
    published2018-11-16
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/119009
    titleFedora 27 : 1:NetworkManager (2018-fc3018b1bd)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2019-909.NASL
    descriptionThis update for systemd fixes the following issues : Security issues fixed : - CVE-2018-15688: A buffer overflow vulnerability in the dhcp6 client of systemd allowed a malicious dhcp6 server to overwrite heap memory in systemd-networkd. (bsc#1113632) - CVE-2018-15686: A vulnerability in unit_deserialize of systemd allows an attacker to supply arbitrary state across systemd re-execution via NotifyAccess. This can be used to improperly influence systemd execution and possibly lead to root privilege escalation. (bsc#1113665) Non security issues fixed : - dhcp6: split assert_return() to be more debuggable when hit - core: skip unit deserialization and move to the next one when unit_deserialize() fails - core: properly handle deserialization of unknown unit types (#6476) - core: don
    last seen2020-06-01
    modified2020-06-02
    plugin id123371
    published2019-03-27
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/123371
    titleopenSUSE Security Update : systemd (openSUSE-2019-909)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2019-0049.NASL
    descriptionFrom Red Hat Security Advisory 2019:0049 : An update for systemd is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The systemd packages contain systemd, a system and service manager for Linux, compatible with the SysV and LSB init scripts. It provides aggressive parallelism capabilities, uses socket and D-Bus activation for starting services, offers on-demand starting of daemons, and keeps track of processes using Linux cgroups. In addition, it supports snapshotting and restoring of the system state, maintains mount and automount points, and implements an elaborate transactional dependency-based service control logic. It can also work as a drop-in replacement for sysvinit. Security Fix(es) : * systemd: Out-of-bounds heap write in systemd-networkd dhcpv6 option handling (CVE-2018-15688) * systemd: stack overflow when calling syslog from a command with long cmdline (CVE-2018-16864) * systemd: stack overflow when receiving many journald entries (CVE-2018-16865) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Red Hat would like to thank Ubuntu Security Team for reporting CVE-2018-15688 and Qualys Research Labs for reporting CVE-2018-16864 and CVE-2018-16865. Upstream acknowledges Felix Wilhelm (Google) as the original reporter of CVE-2018-15688.
    last seen2020-06-01
    modified2020-06-02
    plugin id121172
    published2019-01-15
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/121172
    titleOracle Linux 7 : systemd (ELSA-2019-0049)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-1412.NASL
    descriptionAccording to the versions of the systemd packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities : - An allocation of memory without limits, that could result in the stack clashing with another memory region, was discovered in systemd-journald when a program with long command line arguments calls syslog. A local attacker may use this flaw to crash systemd-journald or escalate his privileges. Versions through v240 are vulnerable.(CVE-2018-16864) - An allocation of memory without limits, that could result in the stack clashing with another memory region, was discovered in systemd-journald when many entries are sent to the journal socket. A local attacker, or a remote one if systemd-journal-remote is used, may use this flaw to crash systemd-journald or execute code with journald privileges. Versions through v240 are vulnerable.(CVE-2018-16865) - An issue was discovered in sd-bus in systemd 239. bus_process_object() in libsystemd/sd-bus/bus-objects.c allocates a variable-length stack buffer for temporarily storing the object path of incoming D-Bus messages. An unprivileged local user can exploit this by sending a specially crafted message to PID1, causing the stack pointer to jump over the stack guard pages into an unmapped memory region and trigger a denial of service (systemd PID1 crash and kernel panic).(CVE-2019-6454) - A race condition was found in systemd. This could result in automount requests not being serviced and processes using them could hang, causing denial of service.(CVE-2018-1049) - It was discovered that systemd-network does not correctly keep track of a buffer size when constructing DHCPv6 packets. This flaw may lead to an integer underflow that can be used to produce an heap-based buffer overflow. A malicious host on the same network segment as the victim
    last seen2020-06-01
    modified2020-06-02
    plugin id124915
    published2019-05-14
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/124915
    titleEulerOS Virtualization for ARM 64 3.0.1.0 : systemd (EulerOS-SA-2019-1412)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3807-1.NASL
    descriptionFelix Wilhelm discovered that the NetworkManager internal DHCPv6 client incorrectly handled certain DHCPv6 messages. In non-default configurations where the internal DHCP client is enabled, an attacker on the same network could use this issue to cause NetworkManager to crash, resulting in a denial of service, or possibly execute arbitrary code. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id118751
    published2018-11-06
    reporterUbuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/118751
    titleUbuntu 16.04 LTS / 18.04 LTS / 18.10 : network-manager vulnerability (USN-3807-1)
  • NASL familyPhotonOS Local Security Checks
    NASL idPHOTONOS_PHSA-2018-1_0-0193_LIBXML2.NASL
    descriptionAn update of the libxml2 package has been released.
    last seen2020-03-17
    modified2019-02-07
    plugin id121893
    published2019-02-07
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/121893
    titlePhoton OS 1.0: Libxml2 PHSA-2018-1.0-0193
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2018-3665.NASL
    descriptionFrom Red Hat Security Advisory 2018:3665 : An update for NetworkManager is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. NetworkManager is a system network service that manages network devices and connections, attempting to keep active network connectivity when available. Its capabilities include managing Ethernet, wireless, mobile broadband (WWAN), and PPPoE devices, as well as providing VPN integration with a variety of different VPN services. Security Fix(es) : * systemd: Out-of-bounds heap write in systemd-networkd dhcpv6 option handling (CVE-2018-15688) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Red Hat would like to thank Ubuntu Security Team for reporting this issue. Upstream acknowledges Felix Wilhelm (Google) as the original reporter.
    last seen2020-06-01
    modified2020-06-02
    plugin id119248
    published2018-11-28
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/119248
    titleOracle Linux 7 : NetworkManager (ELSA-2018-3665)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2018-3767-1.NASL
    descriptionThis update for systemd fixes the following issues : Security issues fixed : CVE-2018-15688: A buffer overflow vulnerability in the dhcp6 client of systemd allowed a malicious dhcp6 server to overwrite heap memory in systemd-networkd. (bsc#1113632) CVE-2018-15686: A vulnerability in unit_deserialize of systemd allows an attacker to supply arbitrary state across systemd re-execution via NotifyAccess. This can be used to improperly influence systemd execution and possibly lead to root privilege escalation. (bsc#1113665) Non-security issues fixed: dhcp6: split assert_return() to be more debuggable when hit core: skip unit deserialization and move to the next one when unit_deserialize() fails core: properly handle deserialization of unknown unit types (#6476) core: don
    last seen2020-06-01
    modified2020-06-02
    plugin id118965
    published2018-11-15
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/118965
    titleSUSE SLED12 / SLES12 Security Update : systemd (SUSE-SU-2018:3767-1)
  • NASL familyNewStart CGSL Local Security Checks
    NASL idNEWSTART_CGSL_NS-SA-2019-0051_SYSTEMD.NASL
    descriptionThe remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has systemd packages installed that are affected by multiple vulnerabilities: - It was discovered that systemd-network does not correctly keep track of a buffer size when constructing DHCPv6 packets. This flaw may lead to an integer underflow that can be used to produce an heap-based buffer overflow. A malicious host on the same network segment as the victim
    last seen2020-06-01
    modified2020-06-02
    plugin id127236
    published2019-08-12
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/127236
    titleNewStart CGSL CORE 5.04 / MAIN 5.04 : systemd Multiple Vulnerabilities (NS-SA-2019-0051)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2018-C402EEA18B.NASL
    description - Fix a local vulnerability from a race condition in chown-recursive (CVE-2018-15687, #1639076) - Fix a local vulnerability from invalid handling of long lines in state deserialization (CVE-2018-15686, #1639071) - Fix a remote vulnerability in DHCPv6 in systemd-networkd (CVE-2018-15688, #1639067) - The DHCP server is started only when link is UP - DHCPv6 prefix delegation is improved - Downgrade logging of various messages and add loging in other places - Many many fixes in error handling and minor memory leaks and such - Fix typos and omissions in documentation - Typo in %%_environmnentdir rpm macro is fixed (with backwards compatibility preserved) - Matching by MACAddress= in systemd-networkd is fixed - Creation of user runtime directories is improved, and the user manager is only stopped after 10 s after the user logs out (#1642460 and other bugs) - systemd units systemd-timesyncd, systemd-resolved, systemd-networkd are switched back to use DynamicUser=0 - Aliases are now resolved when loading modules from pid1. This is a (redundant) fix for a brief kernel regression. -
    last seen2020-06-05
    modified2019-01-03
    plugin id120769
    published2019-01-03
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/120769
    titleFedora 29 : systemd (2018-c402eea18b)
  • NASL familyPhotonOS Local Security Checks
    NASL idPHOTONOS_PHSA-2018-2_0-0107_SYSTEMD.NASL
    descriptionAn update of the systemd package has been released.
    last seen2020-03-17
    modified2019-02-07
    plugin id122002
    published2019-02-07
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/122002
    titlePhoton OS 2.0: Systemd PHSA-2018-2.0-0107
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2018-3665.NASL
    descriptionAn update for NetworkManager is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. NetworkManager is a system network service that manages network devices and connections, attempting to keep active network connectivity when available. Its capabilities include managing Ethernet, wireless, mobile broadband (WWAN), and PPPoE devices, as well as providing VPN integration with a variety of different VPN services. Security Fix(es) : * systemd: Out-of-bounds heap write in systemd-networkd dhcpv6 option handling (CVE-2018-15688) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Red Hat would like to thank Ubuntu Security Team for reporting this issue. Upstream acknowledges Felix Wilhelm (Google) as the original reporter.
    last seen2020-04-09
    modified2018-12-14
    plugin id119664
    published2018-12-14
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/119664
    titleCentOS 7 : NetworkManager (CESA-2018:3665)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2018-1382.NASL
    descriptionThis update for systemd fixes the following issues : Security issues fixed : - CVE-2018-15688: A buffer overflow vulnerability in the dhcp6 client of systemd allowed a malicious dhcp6 server to overwrite heap memory in systemd-networkd. (bsc#1113632) - CVE-2018-15686: A vulnerability in unit_deserialize of systemd allows an attacker to supply arbitrary state across systemd re-execution via NotifyAccess. This can be used to improperly influence systemd execution and possibly lead to root privilege escalation. (bsc#1113665) Non security issues fixed : - dhcp6: split assert_return() to be more debuggable when hit - core: skip unit deserialization and move to the next one when unit_deserialize() fails - core: properly handle deserialization of unknown unit types (#6476) - core: don
    last seen2020-06-05
    modified2018-11-11
    plugin id118878
    published2018-11-11
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/118878
    titleopenSUSE Security Update : systemd (openSUSE-2018-1382)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2018-3644-1.NASL
    descriptionThis update for systemd fixes the following issues : Security issues fixed : CVE-2018-15688: A buffer overflow vulnerability in the dhcp6 client of systemd allowed a malicious dhcp6 server to overwrite heap memory in systemd-networkd. (bsc#1113632) CVE-2018-15686: A vulnerability in unit_deserialize of systemd allows an attacker to supply arbitrary state across systemd re-execution via NotifyAccess. This can be used to improperly influence systemd execution and possibly lead to root privilege escalation. (bsc#1113665) Non security issues fixed: dhcp6: split assert_return() to be more debuggable when hit core: skip unit deserialization and move to the next one when unit_deserialize() fails core: properly handle deserialization of unknown unit types (#6476) core: don
    last seen2020-06-01
    modified2020-06-02
    plugin id120157
    published2019-01-02
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/120157
    titleSUSE SLED15 / SLES15 Security Update : systemd (SUSE-SU-2018:3644-1)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2019-0049.NASL
    descriptionAn update for systemd is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The systemd packages contain systemd, a system and service manager for Linux, compatible with the SysV and LSB init scripts. It provides aggressive parallelism capabilities, uses socket and D-Bus activation for starting services, offers on-demand starting of daemons, and keeps track of processes using Linux cgroups. In addition, it supports snapshotting and restoring of the system state, maintains mount and automount points, and implements an elaborate transactional dependency-based service control logic. It can also work as a drop-in replacement for sysvinit. Security Fix(es) : * systemd: Out-of-bounds heap write in systemd-networkd dhcpv6 option handling (CVE-2018-15688) * systemd: stack overflow when calling syslog from a command with long cmdline (CVE-2018-16864) * systemd: stack overflow when receiving many journald entries (CVE-2018-16865) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Red Hat would like to thank Ubuntu Security Team for reporting CVE-2018-15688 and Qualys Research Labs for reporting CVE-2018-16864 and CVE-2018-16865. Upstream acknowledges Felix Wilhelm (Google) as the original reporter of CVE-2018-15688.
    last seen2020-06-01
    modified2020-06-02
    plugin id121173
    published2019-01-15
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/121173
    titleRHEL 7 : systemd (RHSA-2019:0049)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-1060.NASL
    descriptionAccording to the versions of the systemd packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - systemd: Out-of-bounds heap write in systemd-networkd dhcpv6 option handling (CVE-2018-15688) - systemd: stack overflow when calling syslog from a command with long cmdline (CVE-2018-16864) - systemd: stack overflow when receiving many journald entries (CVE-2018-16865) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-05-06
    modified2019-02-22
    plugin id122387
    published2019-02-22
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/122387
    titleEulerOS 2.0 SP2 : systemd (EulerOS-SA-2019-1060)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-1227.NASL
    descriptionAccording to the versions of the systemd packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : - An allocation of memory without limits, that could result in the stack clashing with another memory region, was discovered in systemd-journald when many entries are sent to the journal socket. A local attacker, or a remote one if systemd-journal-remote is used, may use this flaw to crash systemd-journald or execute code with journald privileges.i1/4^CVE-2018-16865i1/4%0 - It was discovered that systemd-network does not correctly keep track of a buffer size when constructing DHCPv6 packets. This flaw may lead to an integer underflow that can be used to produce an heap-based buffer overflow. A malicious host on the same network segment as the victim
    last seen2020-03-19
    modified2019-04-09
    plugin id123913
    published2019-04-09
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/123913
    titleEulerOS Virtualization 2.5.3 : systemd (EulerOS-SA-2019-1227)
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-201810-10.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-201810-10 (systemd: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in systemd. Please review the CVE identifiers referenced below for details. Impact : An attacker could possibly execute arbitrary code, cause a Denial of Service condition, or gain escalated privileges. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id118510
    published2018-10-31
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/118510
    titleGLSA-201810-10 : systemd: Multiple vulnerabilities
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2018-7243F31304.NASL
    description - ifcfg: fix crash parsing DNS entries (rh #1607866) - dhcp: fix out-of-bounds heap write for DHCPv6 with internal plugin (CVE-2018-15688) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2019-01-03
    plugin id120527
    published2019-01-03
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/120527
    titleFedora 28 : 1:NetworkManager (2018-7243f31304)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3806-1.NASL
    descriptionFelix Wilhelm discovered that the systemd-networkd DHCPv6 client incorrectly handled certain DHCPv6 messages. In configurations where systemd-networkd is being used, an attacker on the same network could use this issue to cause systemd-networkd to crash, resulting in a denial of service, or possibly execute arbitrary code. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id118750
    published2018-11-06
    reporterUbuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/118750
    titleUbuntu 16.04 LTS / 18.04 LTS / 18.10 : systemd vulnerability (USN-3806-1)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2018-71D85BC8CD.NASL
    descriptiondhcp: fix out-of-bounds heap write for DHCPv6 with internal plugin (CVE-2018-15688) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2019-01-03
    plugin id120524
    published2019-01-03
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/120524
    titleFedora 29 : 1:NetworkManager (2018-71d85bc8cd)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2018-1423.NASL
    descriptionThis update for systemd fixes the following issues : Security issues fixed : - CVE-2018-15688: A buffer overflow vulnerability in the dhcp6 client of systemd allowed a malicious dhcp6 server to overwrite heap memory in systemd-networkd. (bsc#1113632) - CVE-2018-15686: A vulnerability in unit_deserialize of systemd allows an attacker to supply arbitrary state across systemd re-execution via NotifyAccess. This can be used to improperly influence systemd execution and possibly lead to root privilege escalation. (bsc#1113665) Non-security issues fixed : - dhcp6: split assert_return() to be more debuggable when hit - core: skip unit deserialization and move to the next one when unit_deserialize() fails - core: properly handle deserialization of unknown unit types (#6476) - core: don
    last seen2020-06-05
    modified2018-11-19
    plugin id119028
    published2018-11-19
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/119028
    titleopenSUSE Security Update : systemd (openSUSE-2018-1423)

Redhat

advisories
  • bugzilla
    id1639067
    titleCVE-2018-15688 systemd: Out-of-bounds heap write in systemd-networkd dhcpv6 option handling
    oval
    OR
    • commentRed Hat Enterprise Linux must be installed
      ovaloval:com.redhat.rhba:tst:20070304026
    • AND
      • commentRed Hat Enterprise Linux 7 is installed
        ovaloval:com.redhat.rhba:tst:20150364027
      • OR
        • AND
          • commentNetworkManager-tui is earlier than 1:1.12.0-8.el7_6
            ovaloval:com.redhat.rhsa:tst:20183665001
          • commentNetworkManager-tui is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20152315040
        • AND
          • commentNetworkManager-ppp is earlier than 1:1.12.0-8.el7_6
            ovaloval:com.redhat.rhsa:tst:20183665003
          • commentNetworkManager-ppp is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20172299050
        • AND
          • commentNetworkManager-glib is earlier than 1:1.12.0-8.el7_6
            ovaloval:com.redhat.rhsa:tst:20183665005
          • commentNetworkManager-glib is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20110930002
        • AND
          • commentNetworkManager-adsl is earlier than 1:1.12.0-8.el7_6
            ovaloval:com.redhat.rhsa:tst:20183665007
          • commentNetworkManager-adsl is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20152315024
        • AND
          • commentNetworkManager-bluetooth is earlier than 1:1.12.0-8.el7_6
            ovaloval:com.redhat.rhsa:tst:20183665009
          • commentNetworkManager-bluetooth is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20152315028
        • AND
          • commentNetworkManager-wwan is earlier than 1:1.12.0-8.el7_6
            ovaloval:com.redhat.rhsa:tst:20183665011
          • commentNetworkManager-wwan is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20152315030
        • AND
          • commentNetworkManager-wifi is earlier than 1:1.12.0-8.el7_6
            ovaloval:com.redhat.rhsa:tst:20183665013
          • commentNetworkManager-wifi is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20152315038
        • AND
          • commentNetworkManager is earlier than 1:1.12.0-8.el7_6
            ovaloval:com.redhat.rhsa:tst:20183665015
          • commentNetworkManager is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20110930004
        • AND
          • commentNetworkManager-team is earlier than 1:1.12.0-8.el7_6
            ovaloval:com.redhat.rhsa:tst:20183665017
          • commentNetworkManager-team is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20152315036
        • AND
          • commentNetworkManager-libnm is earlier than 1:1.12.0-8.el7_6
            ovaloval:com.redhat.rhsa:tst:20183665019
          • commentNetworkManager-libnm is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20152315032
        • AND
          • commentNetworkManager-config-server is earlier than 1:1.12.0-8.el7_6
            ovaloval:com.redhat.rhsa:tst:20183665021
          • commentNetworkManager-config-server is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20152315050
        • AND
          • commentNetworkManager-dispatcher-routing-rules is earlier than 1:1.12.0-8.el7_6
            ovaloval:com.redhat.rhsa:tst:20183665023
          • commentNetworkManager-dispatcher-routing-rules is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20162581046
        • AND
          • commentNetworkManager-glib-devel is earlier than 1:1.12.0-8.el7_6
            ovaloval:com.redhat.rhsa:tst:20183665025
          • commentNetworkManager-glib-devel is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20110930006
        • AND
          • commentNetworkManager-libnm-devel is earlier than 1:1.12.0-8.el7_6
            ovaloval:com.redhat.rhsa:tst:20183665027
          • commentNetworkManager-libnm-devel is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20152315048
        • AND
          • commentNetworkManager-ovs is earlier than 1:1.12.0-8.el7_6
            ovaloval:com.redhat.rhsa:tst:20183665029
          • commentNetworkManager-ovs is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20183665030
    rhsa
    idRHSA-2018:3665
    released2018-11-27
    severityImportant
    titleRHSA-2018:3665: NetworkManager security update (Important)
  • rhsa
    idRHBA-2019:0327
  • rhsa
    idRHSA-2019:0049
rpms
  • NetworkManager-1:1.12.0-8.el7_6
  • NetworkManager-adsl-1:1.12.0-8.el7_6
  • NetworkManager-bluetooth-1:1.12.0-8.el7_6
  • NetworkManager-config-server-1:1.12.0-8.el7_6
  • NetworkManager-debuginfo-1:1.12.0-8.el7_6
  • NetworkManager-dispatcher-routing-rules-1:1.12.0-8.el7_6
  • NetworkManager-glib-1:1.12.0-8.el7_6
  • NetworkManager-glib-devel-1:1.12.0-8.el7_6
  • NetworkManager-libnm-1:1.12.0-8.el7_6
  • NetworkManager-libnm-devel-1:1.12.0-8.el7_6
  • NetworkManager-ovs-1:1.12.0-8.el7_6
  • NetworkManager-ppp-1:1.12.0-8.el7_6
  • NetworkManager-team-1:1.12.0-8.el7_6
  • NetworkManager-tui-1:1.12.0-8.el7_6
  • NetworkManager-wifi-1:1.12.0-8.el7_6
  • NetworkManager-wwan-1:1.12.0-8.el7_6
  • libgudev1-0:219-62.el7_6.2
  • libgudev1-devel-0:219-62.el7_6.2
  • systemd-0:219-62.el7_6.2
  • systemd-debuginfo-0:219-62.el7_6.2
  • systemd-devel-0:219-62.el7_6.2
  • systemd-journal-gateway-0:219-62.el7_6.2
  • systemd-libs-0:219-62.el7_6.2
  • systemd-networkd-0:219-62.el7_6.2
  • systemd-python-0:219-62.el7_6.2
  • systemd-resolved-0:219-62.el7_6.2
  • systemd-sysv-0:219-62.el7_6.2