CVE-2018-16865

CVSS 7.8 - HIGH
Attack vector: LOCAL
Attack complexity: LOW
Privileges required: LOW
Confidentiality impact: HIGH
Integrity impact: HIGH
Availability impact: HIGH

Summary

An allocation of memory without limits, that could result in the stack clashing with another memory region, was discovered in systemd-journald when many entries are sent to the journal socket. A local attacker, or a remote one if systemd-journal-remote is used, may use this flaw to crash systemd-journald or execute code with journald privileges. Versions through v240 are vulnerable.

Vulnerable Configurations

Part         Description      Count
Application  Systemd_Project  130
Application  Oracle           5
OS           Redhat           9
OS           Debian           2
OS           Canonical        3

Nessus

  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2019-0204.NASL
    description: An update for systemd is now available for Red Hat Enterprise Linux 7.5 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The systemd packages contain systemd, a system and service manager for Linux, compatible with the SysV and LSB init scripts. It provides aggressive parallelism capabilities, uses socket and D-Bus activation for starting services, offers on-demand starting of daemons, and keeps track of processes using Linux cgroups. In addition, it supports snapshotting and restoring of the system state, maintains mount and automount points, and implements an elaborate transactional dependency-based service control logic. It can also work as a drop-in replacement for sysvinit. Security Fix(es) : * systemd: stack overflow when calling syslog from a command with long cmdline (CVE-2018-16864) * systemd: stack overflow when receiving many journald entries (CVE-2018-16865) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Red Hat would like to thank Qualys Research Labs for reporting these issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 121454
    published: 2019-01-30
    reporter: This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/121454
    title: RHEL 7 : systemd (RHSA-2019:0204)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2019:0204. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(121454);
      script_version("1.6");
      script_cvs_date("Date: 2019/10/24 15:35:46");
    
      script_cve_id("CVE-2018-16864", "CVE-2018-16865");
      script_xref(name:"RHSA", value:"2019:0204");
    
      script_name(english:"RHEL 7 : systemd (RHSA-2019:0204)");
      script_summary(english:"Checks the rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Red Hat host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "An update for systemd is now available for Red Hat Enterprise Linux
    7.5 Extended Update Support.
    
    Red Hat Product Security has rated this update as having a security
    impact of Important. A Common Vulnerability Scoring System (CVSS) base
    score, which gives a detailed severity rating, is available for each
    vulnerability from the CVE link(s) in the References section.
    
    The systemd packages contain systemd, a system and service manager for
    Linux, compatible with the SysV and LSB init scripts. It provides
    aggressive parallelism capabilities, uses socket and D-Bus activation
    for starting services, offers on-demand starting of daemons, and keeps
    track of processes using Linux cgroups. In addition, it supports
    snapshotting and restoring of the system state, maintains mount and
    automount points, and implements an elaborate transactional
    dependency-based service control logic. It can also work as a drop-in
    replacement for sysvinit.
    
    Security Fix(es) :
    
    * systemd: stack overflow when calling syslog from a command with long
    cmdline (CVE-2018-16864)
    
    * systemd: stack overflow when receiving many journald entries
    (CVE-2018-16865)
    
    For more details about the security issue(s), including the impact, a
    CVSS score, and other related information, refer to the CVE page(s)
    listed in the References section.
    
    Red Hat would like to thank Qualys Research Labs for reporting these
    issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2019:0204"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-16864"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-16865"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:libgudev1");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:libgudev1-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:systemd");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:systemd-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:systemd-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:systemd-journal-gateway");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:systemd-libs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:systemd-networkd");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:systemd-python");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:systemd-resolved");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:systemd-sysv");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7.5");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/01/11");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/01/29");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/01/30");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    if (! preg(pattern:"^7\.5([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 7.5", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2019:0204";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_WARNING,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {
      flag = 0;
      if (rpm_check(release:"RHEL7", sp:"5", reference:"libgudev1-219-57.el7_5.5")) flag++;
      if (rpm_check(release:"RHEL7", sp:"5", reference:"libgudev1-devel-219-57.el7_5.5")) flag++;
      if (rpm_check(release:"RHEL7", sp:"5", cpu:"s390x", reference:"systemd-219-57.el7_5.5")) flag++;
      if (rpm_check(release:"RHEL7", sp:"5", cpu:"x86_64", reference:"systemd-219-57.el7_5.5")) flag++;
      if (rpm_check(release:"RHEL7", sp:"5", reference:"systemd-debuginfo-219-57.el7_5.5")) flag++;
      if (rpm_check(release:"RHEL7", sp:"5", reference:"systemd-devel-219-57.el7_5.5")) flag++;
      if (rpm_check(release:"RHEL7", sp:"5", cpu:"s390x", reference:"systemd-journal-gateway-219-57.el7_5.5")) flag++;
      if (rpm_check(release:"RHEL7", sp:"5", cpu:"x86_64", reference:"systemd-journal-gateway-219-57.el7_5.5")) flag++;
      if (rpm_check(release:"RHEL7", sp:"5", reference:"systemd-libs-219-57.el7_5.5")) flag++;
      if (rpm_check(release:"RHEL7", sp:"5", cpu:"s390x", reference:"systemd-networkd-219-57.el7_5.5")) flag++;
      if (rpm_check(release:"RHEL7", sp:"5", cpu:"x86_64", reference:"systemd-networkd-219-57.el7_5.5")) flag++;
      if (rpm_check(release:"RHEL7", sp:"5", cpu:"s390x", reference:"systemd-python-219-57.el7_5.5")) flag++;
      if (rpm_check(release:"RHEL7", sp:"5", cpu:"x86_64", reference:"systemd-python-219-57.el7_5.5")) flag++;
      if (rpm_check(release:"RHEL7", sp:"5", reference:"systemd-resolved-219-57.el7_5.5")) flag++;
      if (rpm_check(release:"RHEL7", sp:"5", cpu:"s390x", reference:"systemd-sysv-219-57.el7_5.5")) flag++;
      if (rpm_check(release:"RHEL7", sp:"5", cpu:"x86_64", reference:"systemd-sysv-219-57.el7_5.5")) flag++;
    
      if (flag)
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_WARNING,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libgudev1 / libgudev1-devel / systemd / systemd-debuginfo / etc");
      }
    }
    
  • NASL family: Scientific Linux Local Security Checks
    NASL id: SL_20190114_SYSTEMD_ON_SL7_X.NASL
    description: Security Fix(es) : - systemd: Out-of-bounds heap write in systemd-networkd dhcpv6 option handling (CVE-2018-15688) - systemd: stack overflow when calling syslog from a command with long cmdline (CVE-2018-16864) - systemd: stack overflow when receiving many journald entries (CVE-2018-16865)
    last seen: 2020-03-18
    modified: 2019-01-16
    plugin id: 121204
    published: 2019-01-16
    reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/121204
    title: Scientific Linux Security Update : systemd on SL7.x x86_64 (20190114)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text is (C) Scientific Linux.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(121204);
      script_version("1.3");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/02/24");
    
      script_cve_id("CVE-2018-15688", "CVE-2018-16864", "CVE-2018-16865");
    
      script_name(english:"Scientific Linux Security Update : systemd on SL7.x x86_64 (20190114)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Scientific Linux host is missing one or more security
    updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Security Fix(es) :
    
      - systemd: Out-of-bounds heap write in systemd-networkd
        dhcpv6 option handling (CVE-2018-15688)
    
      - systemd: stack overflow when calling syslog from a
        command with long cmdline (CVE-2018-16864)
    
      - systemd: stack overflow when receiving many journald
        entries (CVE-2018-16865)"
      );
      # https://listserv.fnal.gov/scripts/wa.exe?A2=ind1901&L=SCIENTIFIC-LINUX-ERRATA&P=1419
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?d4495fb7"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:libgudev1");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:libgudev1-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:systemd");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:systemd-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:systemd-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:systemd-journal-gateway");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:systemd-libs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:systemd-networkd");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:systemd-python");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:systemd-resolved");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:systemd-sysv");
      script_set_attribute(attribute:"cpe", value:"x-cpe:/o:fermilab:scientific_linux");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/10/26");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/01/14");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/01/16");
      script_set_attribute(attribute:"in_the_news", value:"true");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Scientific Linux Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Scientific Linux " >!< release) audit(AUDIT_HOST_NOT, "running Scientific Linux");
    os_ver = pregmatch(pattern: "Scientific Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Scientific Linux");
    os_ver = os_ver[1];
    if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Scientific Linux 7.x", "Scientific Linux " + os_ver);
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu >!< "x86_64" && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Scientific Linux", cpu);
    if ("x86_64" >!< cpu) audit(AUDIT_ARCH_NOT, "x86_64", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"SL7", cpu:"x86_64", reference:"libgudev1-219-62.el7_6.2")) flag++;
    if (rpm_check(release:"SL7", cpu:"x86_64", reference:"libgudev1-devel-219-62.el7_6.2")) flag++;
    if (rpm_check(release:"SL7", cpu:"x86_64", reference:"systemd-219-62.el7_6.2")) flag++;
    if (rpm_check(release:"SL7", cpu:"x86_64", reference:"systemd-debuginfo-219-62.el7_6.2")) flag++;
    if (rpm_check(release:"SL7", cpu:"x86_64", reference:"systemd-devel-219-62.el7_6.2")) flag++;
    if (rpm_check(release:"SL7", cpu:"x86_64", reference:"systemd-journal-gateway-219-62.el7_6.2")) flag++;
    if (rpm_check(release:"SL7", cpu:"x86_64", reference:"systemd-libs-219-62.el7_6.2")) flag++;
    if (rpm_check(release:"SL7", cpu:"x86_64", reference:"systemd-networkd-219-62.el7_6.2")) flag++;
    if (rpm_check(release:"SL7", cpu:"x86_64", reference:"systemd-python-219-62.el7_6.2")) flag++;
    if (rpm_check(release:"SL7", cpu:"x86_64", reference:"systemd-resolved-219-62.el7_6.2")) flag++;
    if (rpm_check(release:"SL7", cpu:"x86_64", reference:"systemd-sysv-219-62.el7_6.2")) flag++;
    
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libgudev1 / libgudev1-devel / systemd / systemd-debuginfo / etc");
    }
    
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-4367.NASL
    description: The Qualys Research Labs discovered multiple vulnerabilities in systemd-journald. Two memory corruption flaws, via attacker-controlled allocations using the alloca function (CVE-2018-16864, CVE-2018-16865) and an out-of-bounds read flaw leading to an information leak (CVE-2018-16866), could allow an attacker to cause a denial of service or the execution of arbitrary code. Further details in the Qualys Security Advisory at https://www.qualys.com/2019/01/09/system-down/system-down.txt
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 121136
    published: 2019-01-14
    reporter: This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/121136
    title: Debian DSA-4367-1 : systemd - security update
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-4367. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(121136);
      script_version("1.4");
      script_cvs_date("Date: 2019/05/17  9:44:17");
    
      script_cve_id("CVE-2018-16864", "CVE-2018-16865", "CVE-2018-16866");
      script_xref(name:"DSA", value:"4367");
    
      script_name(english:"Debian DSA-4367-1 : systemd - security update");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The Qualys Research Labs discovered multiple vulnerabilities in
    systemd-journald. Two memory corruption flaws, via attacker-controlled
    allocations using the alloca function (CVE-2018-16864, CVE-2018-16865
    ) and an out-of-bounds read flaw leading to an information leak
    (CVE-2018-16866 ), could allow an attacker to cause a denial of
    service or the execution of arbitrary code.
    
    Further details in the Qualys Security Advisory at
    https://www.qualys.com/2019/01/09/system-down/system-down.txt"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=918841"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=918848"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2018-16864"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2018-16865"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2018-16866"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.qualys.com/2019/01/09/system-down/system-down.txt"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/source-package/systemd"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://packages.debian.org/source/stretch/systemd"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.debian.org/security/2019/dsa-4367"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Upgrade the systemd packages.
    
    For the stable distribution (stretch), these problems have been fixed
    in version 232-25+deb9u7."
      );
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:systemd");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:9.0");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/01/11");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/01/13");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/01/14");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"9.0", prefix:"libnss-myhostname", reference:"232-25+deb9u7")) flag++;
    if (deb_check(release:"9.0", prefix:"libnss-mymachines", reference:"232-25+deb9u7")) flag++;
    if (deb_check(release:"9.0", prefix:"libnss-resolve", reference:"232-25+deb9u7")) flag++;
    if (deb_check(release:"9.0", prefix:"libnss-systemd", reference:"232-25+deb9u7")) flag++;
    if (deb_check(release:"9.0", prefix:"libpam-systemd", reference:"232-25+deb9u7")) flag++;
    if (deb_check(release:"9.0", prefix:"libsystemd-dev", reference:"232-25+deb9u7")) flag++;
    if (deb_check(release:"9.0", prefix:"libsystemd0", reference:"232-25+deb9u7")) flag++;
    if (deb_check(release:"9.0", prefix:"libudev-dev", reference:"232-25+deb9u7")) flag++;
    if (deb_check(release:"9.0", prefix:"libudev1", reference:"232-25+deb9u7")) flag++;
    if (deb_check(release:"9.0", prefix:"libudev1-udeb", reference:"232-25+deb9u7")) flag++;
    if (deb_check(release:"9.0", prefix:"systemd", reference:"232-25+deb9u7")) flag++;
    if (deb_check(release:"9.0", prefix:"systemd-container", reference:"232-25+deb9u7")) flag++;
    if (deb_check(release:"9.0", prefix:"systemd-coredump", reference:"232-25+deb9u7")) flag++;
    if (deb_check(release:"9.0", prefix:"systemd-journal-remote", reference:"232-25+deb9u7")) flag++;
    if (deb_check(release:"9.0", prefix:"systemd-sysv", reference:"232-25+deb9u7")) flag++;
    if (deb_check(release:"9.0", prefix:"udev", reference:"232-25+deb9u7")) flag++;
    if (deb_check(release:"9.0", prefix:"udev-udeb", reference:"232-25+deb9u7")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());
      else security_warning(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-1416.NASL
    descriptionAccording to the versions of the systemd packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : - An allocation of memory without limits, that could result in the stack clashing with another memory region, was discovered in systemd-journald when a program with long command line arguments calls syslog. A local attacker may use this flaw to crash systemd-journald or escalate his privileges.(CVE-2018-16864) - An allocation of memory without limits, that could result in the stack clashing with another memory region, was discovered in systemd-journald when many entries are sent to the journal socket. A local attacker, or a remote one if systemd-journal-remote is used, may use this flaw to crash systemd-journald or execute code with journald privileges.(CVE-2018-16865) - It was discovered that systemd-network does not correctly keep track of a buffer size when constructing DHCPv6 packets. This flaw may lead to an integer underflow that can be used to produce an heap-based buffer overflow. A malicious host on the same network segment as the victim
    last seen2020-06-01
    modified2020-06-02
    plugin id124919
    published2019-05-14
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/124919
    titleEulerOS Virtualization 3.0.1.0 : systemd (EulerOS-SA-2019-1416)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2019-0135-1.NASL
    descriptionThis update for systemd provides the following fixes : Security issues fixed : CVE-2018-16864, CVE-2018-16865: Fixed two memory corruptions through attacker-controlled alloca()s (bsc#1120323) CVE-2018-16866: Fixed an information leak in journald (bsc#1120323) Fixed an issue during system startup in relation to encrypted swap disks (bsc#1119971) Non-security issues fixed: core: Queue loading transient units after setting their properties. (bsc#1115518) logind: Stop managing VT switches if no sessions are registered on that VT. (bsc#1101591) terminal-util: introduce vt_release() and vt_restore() helpers. terminal: Unify code for resetting kbd utf8 mode a bit. terminal Reset should honour default_utf8 kernel setting. logind: Make session_restore_vt() static. udev: Downgrade message when settting inotify watch up fails. (bsc#1005023) log: Never log into foreign fd #2 in PID 1 or its pre-execve() children. (bsc#1114981) udev: Ignore the exit code of systemd-detect-virt for memory hot-add. In SLE-12-SP3, 80-hotplug-cpu-mem.rules has a memory hot-add rule that uses systemd-detect-virt to detect non-zvm environment. The systemd-detect-virt returns exit failure code when it detected _none_ state. The exit failure code causes that the hot-add memory block can not be set to online. (bsc#1076696) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id121303
    published2019-01-22
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/121303
    titleSUSE SLED12 / SLES12 Security Update : systemd (SUSE-SU-2019:0135-1)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-1233.NASL
    descriptionAccording to the versions of the systemd packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : - An allocation of memory without limits, that could result in the stack clashing with another memory region, was discovered in systemd-journald when many entries are sent to the journal socket. A local attacker, or a remote one if systemd-journal-remote is used, may use this flaw to crash systemd-journald or execute code with journald privileges.i1/4^CVE-2018-16865i1/4%0 - It was discovered that systemd-network does not correctly keep track of a buffer size when constructing DHCPv6 packets. This flaw may lead to an integer underflow that can be used to produce an heap-based buffer overflow. A malicious host on the same network segment as the victim
    last seen2020-03-19
    modified2019-04-04
    plugin id123701
    published2019-04-04
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/123701
    titleEulerOS Virtualization 2.5.4 : systemd (EulerOS-SA-2019-1233)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-1045.NASL
    descriptionAccording to the versions of the systemd packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - systemd: Out-of-bounds heap write in systemd-networkd dhcpv6 option handling (CVE-2018-15688) - systemd: stack overflow when calling syslog from a command with long cmdline (CVE-2018-16864) - systemd: stack overflow when receiving many journald entries (CVE-2018-16865) - systemd: Assertion failure when PID 1 receives a zero-length message over notify socket(CVE-2016-7795) - systemd: Unsafe handling of hard links allowing privilege escalation(CVE-2017-18078) - systemd: Out-of-bounds write in systemd-resolved due to allocating too small buffer in dns_packet_new(CVE-2017-9445) - systemd: memory leak in journald-server.c introduced by fix for CVE-2018-16864 (CVE-2019-3815) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-05-06
    modified2019-02-15
    plugin id122218
    published2019-02-15
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/122218
    titleEulerOS 2.0 SP5 : systemd (EulerOS-SA-2019-1045)
  • NASL familyPhotonOS Local Security Checks
    NASL idPHOTONOS_PHSA-2019-1_0-0205_SYSTEMD.NASL
    descriptionAn update of the systemd package has been released.
    last seen2020-06-01
    modified2020-06-02
    plugin id122905
    published2019-03-18
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/122905
    titlePhoton OS 1.0: Systemd PHSA-2019-1.0-0205
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2019-0137-1.NASL
    descriptionThis update for systemd provides the following fixes : Security issues fixed : CVE-2018-16864, CVE-2018-16865: Fixed two memory corruptions through attacker-controlled alloca()s (bsc#1120323) CVE-2018-16866: Fixed an information leak in journald (bsc#1120323) CVE-2018-6954: Fix mishandling of symlinks present in non-terminal path components (bsc#1080919) Fixed an issue during system startup in relation to encrypted swap disks (bsc#1119971) Non-security issues fixed: pam_systemd: Fix
    last seen2020-06-01
    modified2020-06-02
    plugin id121304
    published2019-01-22
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/121304
    titleSUSE SLED15 / SLES15 Security Update : systemd (SUSE-SU-2019:0137-1)
  • NASL familyAmazon Linux Local Security Checks
    NASL idAL2_ALAS-2019-1160.NASL
    descriptionAn allocation of memory without limits, that could result in the stack clashing with another memory region, was discovered in systemd-journald when a program with long command line arguments calls syslog. A local attacker may use this flaw to crash systemd-journald or escalate privileges. (CVE-2018-16864) It was discovered that systemd-network does not correctly keep track of a buffer size when constructing DHCPv6 packets. This flaw may lead to an integer underflow that can be used to produce a heap-based buffer overflow. A malicious host on the same network segment as the victim
    last seen2020-06-01
    modified2020-06-02
    plugin id122161
    published2019-02-14
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/122161
    titleAmazon Linux 2 : systemd (ALAS-2019-1160)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2019-0049.NASL
    descriptionAn update for systemd is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The systemd packages contain systemd, a system and service manager for Linux, compatible with the SysV and LSB init scripts. It provides aggressive parallelism capabilities, uses socket and D-Bus activation for starting services, offers on-demand starting of daemons, and keeps track of processes using Linux cgroups. In addition, it supports snapshotting and restoring of the system state, maintains mount and automount points, and implements an elaborate transactional dependency-based service control logic. It can also work as a drop-in replacement for sysvinit. Security Fix(es) : * systemd: Out-of-bounds heap write in systemd-networkd dhcpv6 option handling (CVE-2018-15688) * systemd: stack overflow when calling syslog from a command with long cmdline (CVE-2018-16864) * systemd: stack overflow when receiving many journald entries (CVE-2018-16865) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Red Hat would like to thank Ubuntu Security Team for reporting CVE-2018-15688 and Qualys Research Labs for reporting CVE-2018-16864 and CVE-2018-16865. Upstream acknowledges Felix Wilhelm (Google) as the original reporter of CVE-2018-15688.
    last seen2020-06-01
    modified2020-06-02
    plugin id121192
    published2019-01-16
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/121192
    titleCentOS 7 : systemd (CESA-2019:0049)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2019-98.NASL
    descriptionThis update for systemd provides the following fixes : Security issues fixed : - CVE-2018-16864, CVE-2018-16865: Fixed two memory corruptions through attacker-controlled alloca()s (bsc#1120323) - CVE-2018-16866: Fixed an information leak in journald (bsc#1120323) - CVE-2018-6954: Fix mishandling of symlinks present in non-terminal path components (bsc#1080919) - Fixed an issue during system startup in relation to encrypted swap disks (bsc#1119971) Non-security issues fixed : - pam_systemd: Fix
    last seen2020-06-01
    modified2020-06-02
    plugin id121464
    published2019-01-30
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/121464
    titleopenSUSE Security Update : systemd (openSUSE-2019-98)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-1107.NASL
    descriptionAccording to the versions of the systemd packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - systemd: Out-of-bounds heap write in systemd-networkd dhcpv6 option handling (CVE-2018-15688) - systemd: stack overflow when calling syslog from a command with long cmdline (CVE-2018-16864) - systemd: stack overflow when receiving many journald entries (CVE-2018-16865) - systemd: Insufficient input validation in bus_process_object() resulting in PID 1 crash (CVE-2019-6454) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-05-06
    modified2019-03-26
    plugin id123120
    published2019-03-26
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/123120
    titleEulerOS 2.0 SP3 : systemd (EulerOS-SA-2019-1107)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2019-0271.NASL
    descriptionAn update for systemd is now available for Red Hat Enterprise Linux 7.4 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The systemd packages contain systemd, a system and service manager for Linux, compatible with the SysV and LSB init scripts. It provides aggressive parallelism capabilities, uses socket and D-Bus activation for starting services, offers on-demand starting of daemons, and keeps track of processes using Linux cgroups. In addition, it supports snapshotting and restoring of the system state, maintains mount and automount points, and implements an elaborate transactional dependency-based service control logic. It can also work as a drop-in replacement for sysvinit. Security Fix(es) : * systemd: stack overflow when calling syslog from a command with long cmdline (CVE-2018-16864) * systemd: stack overflow when receiving many journald entries (CVE-2018-16865) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Red Hat would like to thank Qualys Research Labs for reporting these issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id121587
    published2019-02-05
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/121587
    titleRHEL 7 : systemd (RHSA-2019:0271)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2019-2402.NASL
    descriptionAn update for systemd is now available for Red Hat Enterprise Linux 7.3 Advanced Update Support, Red Hat Enterprise Linux 7.3 Telco Extended Update Support, and Red Hat Enterprise Linux 7.3 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The systemd packages contain systemd, a system and service manager for Linux, compatible with the SysV and LSB init scripts. It provides aggressive parallelism capabilities, uses socket and D-Bus activation for starting services, offers on-demand starting of daemons, and keeps track of processes using Linux cgroups. In addition, it supports snapshotting and restoring of the system state, maintains mount and automount points, and implements an elaborate transactional dependency-based service control logic. It can also work as a drop-in replacement for sysvinit. Security Fix(es) : * systemd: stack overflow when calling syslog from a command with long cmdline (CVE-2018-16864) * systemd: stack overflow when receiving many journald entries (CVE-2018-16865) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id127719
    published2019-08-12
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/127719
    titleRHEL 7 : systemd (RHSA-2019:2402)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2019-0054-1.NASL
    descriptionThis update for systemd fixes the following issues : Fix security vulnerabilities CVE-2018-16864 and CVE-2018-16865 (bsc#1120323): Both issues were memory corruptions via attacker-controlled alloca which could have been used to gain root privileges by a local attacker. Fix security vulnerability CVE-2018-15686 (bsc#1113665): A vulnerability in unit_deserialize of systemd used to allow an attacker to supply arbitrary state across systemd re-execution via NotifyAccess. This could have been used to improperly influence systemd execution and possibly lead to root privilege escalation. Remedy 2048 character line-length limit in systemd-sysctl code that would cause parser failures if /etc/sysctl.conf contained lines that exceeded this length (bsc#1071558). Fix a bug in systemd
    last seen2020-06-01
    modified2020-06-02
    plugin id121061
    published2019-01-10
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/121061
    titleSUSE SLES12 Security Update : systemd (SUSE-SU-2019:0054-1)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2019-0049.NASL
    descriptionFrom Red Hat Security Advisory 2019:0049 : An update for systemd is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The systemd packages contain systemd, a system and service manager for Linux, compatible with the SysV and LSB init scripts. It provides aggressive parallelism capabilities, uses socket and D-Bus activation for starting services, offers on-demand starting of daemons, and keeps track of processes using Linux cgroups. In addition, it supports snapshotting and restoring of the system state, maintains mount and automount points, and implements an elaborate transactional dependency-based service control logic. It can also work as a drop-in replacement for sysvinit. Security Fix(es) : * systemd: Out-of-bounds heap write in systemd-networkd dhcpv6 option handling (CVE-2018-15688) * systemd: stack overflow when calling syslog from a command with long cmdline (CVE-2018-16864) * systemd: stack overflow when receiving many journald entries (CVE-2018-16865) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Red Hat would like to thank Ubuntu Security Team for reporting CVE-2018-15688 and Qualys Research Labs for reporting CVE-2018-16864 and CVE-2018-16865. Upstream acknowledges Felix Wilhelm (Google) as the original reporter of CVE-2018-15688.
    last seen2020-06-01
    modified2020-06-02
    plugin id121172
    published2019-01-15
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/121172
    titleOracle Linux 7 : systemd (ELSA-2019-0049)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2019-0053-1.NASL
    descriptionThis update for systemd fixes the following issues : Fix security vulnerabilities CVE-2018-16864 and CVE-2018-16865 (bsc#1120323): Both issues were memory corruptions via attacker-controlled alloca which could have been used to gain root privileges by a local attacker. Fix security vulnerability CVE-2018-15686 (bsc#1113665): A vulnerability in unit_deserialize of systemd used to allow an attacker to supply arbitrary state across systemd re-execution via NotifyAccess. This could have been used to improperly influence systemd execution and possibly lead to root privilege escalation. Remedy 2048 character line-length limit in systemd-sysctl code that would cause parser failures if /etc/sysctl.conf contained lines that exceeded this length (bsc#1071558). Fix a bug in systemd
    last seen2020-06-01
    modified2020-06-02
    plugin id121060
    published2019-01-10
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/121060
    titleSUSE SLES12 Security Update : systemd (SUSE-SU-2019:0053-1)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-1412.NASL
    descriptionAccording to the versions of the systemd packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities : - An allocation of memory without limits, that could result in the stack clashing with another memory region, was discovered in systemd-journald when a program with long command line arguments calls syslog. A local attacker may use this flaw to crash systemd-journald or escalate his privileges. Versions through v240 are vulnerable. (CVE-2018-16864) - An allocation of memory without limits, that could result in the stack clashing with another memory region, was discovered in systemd-journald when many entries are sent to the journal socket. A local attacker, or a remote one if systemd-journal-remote is used, may use this flaw to crash systemd-journald or execute code with journald privileges. Versions through v240 are vulnerable. (CVE-2018-16865) - An issue was discovered in sd-bus in systemd 239. bus_process_object() in libsystemd/sd-bus/bus-objects.c allocates a variable-length stack buffer for temporarily storing the object path of incoming D-Bus messages. An unprivileged local user can exploit this by sending a specially crafted message to PID1, causing the stack pointer to jump over the stack guard pages into an unmapped memory region and trigger a denial of service (systemd PID1 crash and kernel panic). (CVE-2019-6454) - A race condition was found in systemd. This could result in automount requests not being serviced and processes using them could hang, causing denial of service. (CVE-2018-1049) - It was discovered that systemd-network does not correctly keep track of a buffer size when constructing DHCPv6 packets. This flaw may lead to an integer underflow that can be used to produce a heap-based buffer overflow. A malicious host on the same network segment as the victim
    last seen2020-06-01
    modified2020-06-02
    plugin id124915
    published2019-05-14
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/124915
    titleEulerOS Virtualization for ARM 64 3.0.1.0 : systemd (EulerOS-SA-2019-1412)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2019-97.NASL
    descriptionThis update for systemd provides the following fixes : Security issues fixed : - CVE-2018-16864, CVE-2018-16865: Fixed two memory corruptions through attacker-controlled alloca()s (bsc#1120323) - CVE-2018-16866: Fixed an information leak in journald (bsc#1120323) - Fixed an issue during system startup in relation to encrypted swap disks (bsc#1119971) Non-security issues fixed : - core: Queue loading transient units after setting their properties. (bsc#1115518) - logind: Stop managing VT switches if no sessions are registered on that VT. (bsc#1101591) - terminal-util: introduce vt_release() and vt_restore() helpers. - terminal: Unify code for resetting kbd utf8 mode a bit. - terminal Reset should honour default_utf8 kernel setting. - logind: Make session_restore_vt() static. - udev: Downgrade message when setting inotify watch up fails. (bsc#1005023) - log: Never log into foreign fd #2 in PID 1 or its pre-execve() children. (bsc#1114981) - udev: Ignore the exit code of systemd-detect-virt for memory hot-add. In SLE-12-SP3, 80-hotplug-cpu-mem.rules has a memory hot-add rule that uses systemd-detect-virt to detect non-zvm environment. The systemd-detect-virt returns exit failure code when it detected _none_ state. The exit failure code causes that the hot-add memory block can not be set to online. (bsc#1076696) This update was imported from the SUSE:SLE-12-SP2:Update update project.
    last seen2020-06-01
    modified2020-06-02
    plugin id121463
    published2019-01-30
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/121463
    titleopenSUSE Security Update : systemd (openSUSE-2019-97)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DLA-1639.NASL
    descriptionMultiple vulnerabilities were found in the journald component of systemd which can lead to a crash or code execution. CVE-2018-16864 An allocation of memory without limits, that could result in the stack clashing with another memory region, was discovered in systemd-journald when many entries are sent to the journal socket. A local attacker, or a remote one if systemd-journal-remote is used, may use this flaw to crash systemd-journald or execute code with journald privileges. CVE-2018-16865 An allocation of memory without limits, that could result in the stack clashing with another memory region, was discovered in systemd-journald when a program with long command line arguments calls syslog. A local attacker may use this flaw to crash systemd-journald or escalate his privileges. Versions through v240 are vulnerable. For Debian 8
    last seen2020-06-01
    modified2020-06-02
    plugin id121316
    published2019-01-23
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/121316
    titleDebian DLA-1639-1 : systemd security update
  • NASL familyNewStart CGSL Local Security Checks
    NASL idNEWSTART_CGSL_NS-SA-2019-0051_SYSTEMD.NASL
    descriptionThe remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has systemd packages installed that are affected by multiple vulnerabilities: - It was discovered that systemd-network does not correctly keep track of a buffer size when constructing DHCPv6 packets. This flaw may lead to an integer underflow that can be used to produce a heap-based buffer overflow. A malicious host on the same network segment as the victim
    last seen2020-06-01
    modified2020-06-02
    plugin id127236
    published2019-08-12
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/127236
    titleNewStart CGSL CORE 5.04 / MAIN 5.04 : systemd Multiple Vulnerabilities (NS-SA-2019-0051)
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-201903-07.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-201903-07 (systemd: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in systemd. Please review the CVE identifiers referenced below for details. Impact : An attacker could cause a Denial of Service condition or possibly execute arbitrary code. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id122735
    published2019-03-11
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/122735
    titleGLSA-201903-07 : systemd: Multiple vulnerabilities
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3855-1.NASL
    descriptionIt was discovered that systemd-journald allocated variable-length buffers for certain message fields on the stack. A local attacker could potentially exploit this to cause a denial of service, or execute arbitrary code. (CVE-2018-16864) It was discovered that systemd-journald allocated variable-length arrays of objects representing message fields on the stack. A local attacker could potentially exploit this to cause a denial of service, or execute arbitrary code. (CVE-2018-16865) An out-of-bounds read was discovered in systemd-journald. A local attacker could potentially exploit this to obtain sensitive information and bypass ASLR protections. (CVE-2018-16866). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id121161
    published2019-01-14
    reporterUbuntu Security Notice (C) 2019 Canonical, Inc. / NASL script (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/121161
    titleUbuntu 16.04 LTS / 18.04 LTS / 18.10 : systemd vulnerabilities (USN-3855-1)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2019-0361.NASL
    descriptionAn update for rhvm-appliance is now available for Red Hat Virtualization 4 for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The RHV-M Virtual Appliance automates the process of installing and configuring the Red Hat Virtualization Manager. The appliance is available to download as an OVA file from the Customer Portal. Security Fix(es) : * systemd: stack overflow when calling syslog from a command with long cmdline (CVE-2018-16864) * systemd: stack overflow when receiving many journald entries (CVE-2018-16865) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id122331
    published2019-02-20
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/122331
    titleRHEL 7 : Virtualization Manager (RHSA-2019:0361)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2019-18B3A10C7F.NASL
    description - systemd-journald and systemd-journal-remote reject entries which contain too many fields (CVE-2018-16865, #1664973) and set limits on the process
    last seen2020-06-01
    modified2020-06-02
    plugin id121138
    published2019-01-14
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/121138
    titleFedora 29 : systemd (2019-18b3a10c7f)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2019-0049.NASL
    descriptionAn update for systemd is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The systemd packages contain systemd, a system and service manager for Linux, compatible with the SysV and LSB init scripts. It provides aggressive parallelism capabilities, uses socket and D-Bus activation for starting services, offers on-demand starting of daemons, and keeps track of processes using Linux cgroups. In addition, it supports snapshotting and restoring of the system state, maintains mount and automount points, and implements an elaborate transactional dependency-based service control logic. It can also work as a drop-in replacement for sysvinit. Security Fix(es) : * systemd: Out-of-bounds heap write in systemd-networkd dhcpv6 option handling (CVE-2018-15688) * systemd: stack overflow when calling syslog from a command with long cmdline (CVE-2018-16864) * systemd: stack overflow when receiving many journald entries (CVE-2018-16865) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Red Hat would like to thank Ubuntu Security Team for reporting CVE-2018-15688 and Qualys Research Labs for reporting CVE-2018-16864 and CVE-2018-16865. Upstream acknowledges Felix Wilhelm (Google) as the original reporter of CVE-2018-15688.
    last seen2020-06-01
    modified2020-06-02
    plugin id121173
    published2019-01-15
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/121173
    titleRHEL 7 : systemd (RHSA-2019:0049)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-1060.NASL
    descriptionAccording to the versions of the systemd packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - systemd: Out-of-bounds heap write in systemd-networkd dhcpv6 option handling (CVE-2018-15688) - systemd: stack overflow when calling syslog from a command with long cmdline (CVE-2018-16864) - systemd: stack overflow when receiving many journald entries (CVE-2018-16865) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-05-06
    modified2019-02-22
    plugin id122387
    published2019-02-22
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/122387
    titleEulerOS 2.0 SP2 : systemd (EulerOS-SA-2019-1060)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-1227.NASL
    descriptionAccording to the versions of the systemd packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : - An allocation of memory without limits, that could result in the stack clashing with another memory region, was discovered in systemd-journald when many entries are sent to the journal socket. A local attacker, or a remote one if systemd-journal-remote is used, may use this flaw to crash systemd-journald or execute code with journald privileges. (CVE-2018-16865) - It was discovered that systemd-network does not correctly keep track of a buffer size when constructing DHCPv6 packets. This flaw may lead to an integer underflow that can be used to produce a heap-based buffer overflow. A malicious host on the same network segment as the victim
    last seen2020-03-19
    modified2019-04-09
    plugin id123913
    published2019-04-09
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/123913
    titleEulerOS Virtualization 2.5.3 : systemd (EulerOS-SA-2019-1227)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2019-0342.NASL
    descriptionAn update for redhat-virtualization-host is now available for Red Hat Virtualization 4 for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The redhat-virtualization-host packages provide the Red Hat Virtualization Host. These packages include redhat-release-virtualization-host, ovirt-node, and rhev-hypervisor. Red Hat Virtualization Hosts (RHVH) are installed using a special build of Red Hat Enterprise Linux with only the packages required to host virtual machines. RHVH features a Cockpit user interface for monitoring the host
    last seen2020-06-01
    modified2020-06-02
    plugin id122329
    published2019-02-20
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/122329
    titleRHEL 7 : Virtualization Manager (RHSA-2019:0342)
  • NASL familyF5 Networks Local Security Checks
    NASL idF5_BIGIP_SOL06044762.NASL
    descriptionCVE-2018-16864 An allocation of memory without limits, that could result in the stack clashing with another memory region, was discovered in systemd-journald when a program with long command line arguments calls syslog. A local attacker may use this flaw to crash systemd-journald or escalate his privileges. Versions through v240 are vulnerable. CVE-2018-16865 An allocation of memory without limits, that could result in the stack clashing with another memory region, was discovered in systemd-journald when many entries are sent to the journal socket. A local attacker, or a remote one if systemd-journal-remote is used, may use this flaw to crash systemd-journald or execute code with journald privileges. Versions through v240 are vulnerable. Impact A locally authenticated attacker may be able to use the flaw to stop systemd-journald from responding or escalate user privileges.
    last seen2020-03-30
    modified2020-03-26
    plugin id134918
    published2020-03-26
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/134918
    titleF5 Networks BIG-IP : systemd vulnerabilities (K06044762)
  • NASL family: Amazon Linux Local Security Checks
    NASL id: AL2_ALAS-2019-1141.NASL
    description: Large syslogd messages sent to journald can cause stack corruption, causing journald to crash. The version of systemd on Amazon Linux 2 is not vulnerable to privilege escalation in this case. (CVE-2018-16864) Large native messages to journald can cause stack corruption, leading to possible local privilege escalation. (CVE-2018-16865) Please note, if you have systemd-journald-remote configured over http, then you could be open to remote escalation on previous versions of the systemd package. The systemd-journald-remote service is not installed by default on Amazon Linux 2, and when installed and enabled, the default configuration is to use https. (CVE-2018-16865) An out-of-bounds read in journald, triggered by a specially crafted message, can be used to leak information through the journal file (CVE-2018-16866)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 121050
    published: 2019-01-10
    reporter: This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/121050
    title: Amazon Linux 2 : systemd (ALAS-2019-1141)

Redhat

advisories
  • bugzilla
    id: 1653861
    title: CVE-2018-16865 systemd: stack overflow when receiving many journald entries
    oval
    OR
    • comment: Red Hat Enterprise Linux must be installed
      oval: oval:com.redhat.rhba:tst:20070304026
    • AND
      • comment: Red Hat Enterprise Linux 7 is installed
        oval: oval:com.redhat.rhba:tst:20150364027
      • OR
        • AND
          • comment: systemd-resolved is earlier than 0:219-62.el7_6.2
            oval: oval:com.redhat.rhsa:tst:20190049001
          • comment: systemd-resolved is signed with Red Hat redhatrelease2 key
            oval: oval:com.redhat.rhba:tst:20152092002
        • AND
          • comment: systemd-networkd is earlier than 0:219-62.el7_6.2
            oval: oval:com.redhat.rhsa:tst:20190049003
          • comment: systemd-networkd is signed with Red Hat redhatrelease2 key
            oval: oval:com.redhat.rhba:tst:20152092004
        • AND
          • comment: libgudev1-devel is earlier than 0:219-62.el7_6.2
            oval: oval:com.redhat.rhsa:tst:20190049005
          • comment: libgudev1-devel is signed with Red Hat redhatrelease2 key
            oval: oval:com.redhat.rhba:tst:20152092018
        • AND
          • comment: systemd-devel is earlier than 0:219-62.el7_6.2
            oval: oval:com.redhat.rhsa:tst:20190049007
          • comment: systemd-devel is signed with Red Hat redhatrelease2 key
            oval: oval:com.redhat.rhba:tst:20152092020
        • AND
          • comment: systemd-journal-gateway is earlier than 0:219-62.el7_6.2
            oval: oval:com.redhat.rhsa:tst:20190049009
          • comment: systemd-journal-gateway is signed with Red Hat redhatrelease2 key
            oval: oval:com.redhat.rhba:tst:20152092006
        • AND
          • comment: systemd is earlier than 0:219-62.el7_6.2
            oval: oval:com.redhat.rhsa:tst:20190049011
          • comment: systemd is signed with Red Hat redhatrelease2 key
            oval: oval:com.redhat.rhba:tst:20152092014
        • AND
          • comment: systemd-libs is earlier than 0:219-62.el7_6.2
            oval: oval:com.redhat.rhsa:tst:20190049013
          • comment: systemd-libs is signed with Red Hat redhatrelease2 key
            oval: oval:com.redhat.rhba:tst:20152092016
        • AND
          • comment: libgudev1 is earlier than 0:219-62.el7_6.2
            oval: oval:com.redhat.rhsa:tst:20190049015
          • comment: libgudev1 is signed with Red Hat redhatrelease2 key
            oval: oval:com.redhat.rhba:tst:20152092010
        • AND
          • comment: systemd-sysv is earlier than 0:219-62.el7_6.2
            oval: oval:com.redhat.rhsa:tst:20190049017
          • comment: systemd-sysv is signed with Red Hat redhatrelease2 key
            oval: oval:com.redhat.rhba:tst:20152092008
        • AND
          • comment: systemd-python is earlier than 0:219-62.el7_6.2
            oval: oval:com.redhat.rhsa:tst:20190049019
          • comment: systemd-python is signed with Red Hat redhatrelease2 key
            oval: oval:com.redhat.rhba:tst:20152092012
    rhsa
    id: RHSA-2019:0049
    released: 2019-01-14
    severity: Important
    title: RHSA-2019:0049: systemd security update (Important)
  • rhsa
    id: RHBA-2019:0327
  • rhsa
    id: RHSA-2019:0204
  • rhsa
    id: RHSA-2019:0271
  • rhsa
    id: RHSA-2019:0342
  • rhsa
    id: RHSA-2019:0361
  • rhsa
    id: RHSA-2019:2402
rpms
  • libgudev1-0:219-62.el7_6.2
  • libgudev1-devel-0:219-62.el7_6.2
  • systemd-0:219-62.el7_6.2
  • systemd-debuginfo-0:219-62.el7_6.2
  • systemd-devel-0:219-62.el7_6.2
  • systemd-journal-gateway-0:219-62.el7_6.2
  • systemd-libs-0:219-62.el7_6.2
  • systemd-networkd-0:219-62.el7_6.2
  • systemd-python-0:219-62.el7_6.2
  • systemd-resolved-0:219-62.el7_6.2
  • systemd-sysv-0:219-62.el7_6.2
  • libgudev1-0:219-57.el7_5.5
  • libgudev1-devel-0:219-57.el7_5.5
  • systemd-0:219-57.el7_5.5
  • systemd-debuginfo-0:219-57.el7_5.5
  • systemd-devel-0:219-57.el7_5.5
  • systemd-journal-gateway-0:219-57.el7_5.5
  • systemd-libs-0:219-57.el7_5.5
  • systemd-networkd-0:219-57.el7_5.5
  • systemd-python-0:219-57.el7_5.5
  • systemd-resolved-0:219-57.el7_5.5
  • systemd-sysv-0:219-57.el7_5.5
  • libgudev1-0:219-42.el7_4.13
  • libgudev1-devel-0:219-42.el7_4.13
  • systemd-0:219-42.el7_4.13
  • systemd-debuginfo-0:219-42.el7_4.13
  • systemd-devel-0:219-42.el7_4.13
  • systemd-journal-gateway-0:219-42.el7_4.13
  • systemd-libs-0:219-42.el7_4.13
  • systemd-networkd-0:219-42.el7_4.13
  • systemd-python-0:219-42.el7_4.13
  • systemd-resolved-0:219-42.el7_4.13
  • systemd-sysv-0:219-42.el7_4.13
  • redhat-release-virtualization-host-0:4.2-8.1.el7
  • redhat-virtualization-host-image-update-0:4.2-20190129.0.el7_6
  • redhat-virtualization-host-image-update-placeholder-0:4.2-8.1.el7
  • rhvm-appliance-2:4.2-20190129.0.el7
  • libgudev1-0:219-30.el7_3.13
  • libgudev1-devel-0:219-30.el7_3.13
  • systemd-0:219-30.el7_3.13
  • systemd-debuginfo-0:219-30.el7_3.13
  • systemd-devel-0:219-30.el7_3.13
  • systemd-journal-gateway-0:219-30.el7_3.13
  • systemd-libs-0:219-30.el7_3.13
  • systemd-networkd-0:219-30.el7_3.13
  • systemd-python-0:219-30.el7_3.13
  • systemd-resolved-0:219-30.el7_3.13
  • systemd-sysv-0:219-30.el7_3.13

The Hacker News

id: THN:68B5B8B7434409E6670CCBAC8FDD8ABE
last seen: 2019-01-10
modified: 2019-01-10
published: 2019-01-10
reporter: The Hacker News
source: https://thehackernews.com/2019/01/linux-systemd-exploit.html
title: New Systemd Privilege Escalation Flaws Affect Most Linux Distributions

References