CVE-2019-3843 - Improper Privilege Management vulnerability in multiple products

CVSS 7.8 - HIGH
Attack vector: LOCAL
Attack complexity: LOW
Privileges required: LOW
Confidentiality impact: HIGH
Integrity impact: HIGH
Availability impact: HIGH

Tags: local, low complexity, systemd-project, fedoraproject, canonical, netapp, CWE-269, nessus, exploit available

Summary

It was discovered that a systemd service that uses DynamicUser property can create a SUID/SGID binary that would be allowed to run as the transient service UID/GID even after the service is terminated. A local attacker may use this flaw to access resources that will be owned by a potentially different service in the future, when the UID/GID will be recycled.

Vulnerable Configurations

Part         Description      Count
Application  Systemd_Project  133
Application  Netapp           3
OS           Fedoraproject    1
OS           Canonical        3
OS           Netapp           1
Hardware     Netapp           1

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Restful Privilege Elevation
    REST uses standard HTTP (GET, PUT, DELETE) style permission methods, but these do not necessarily correlate with what the back-end programs do. Strict interpretation of HTTP GET means that GET services should not be used to delete information on the server, but there is no access control mechanism to back up this logic. Unless the services are properly ACL'd and the application's service implementation follows these guidelines, an HTTP request can easily execute a delete or update on the server side. The attacker identifies an HTTP GET URL such as http://victimsite/updateOrder, which calls out to a program to update orders on a database or other resource. The URL is not idempotent, so the request can be submitted multiple times by the attacker; additionally, the attacker may be able to exploit the URL published as a GET method that actually performs updates (instead of merely retrieving data). This may result in malicious or inadvertent altering of data on the server.

Exploit-Db

id: EDB-ID:46760
last seen: 2019-04-26
modified: 2019-04-26
published: 2019-04-26
reporter: Exploit-DB
source: https://www.exploit-db.com/download/46760
title: systemd - DynamicUser can Create setuid Binaries when Assisted by Another Process

Nessus

  • NASL family: PhotonOS Local Security Checks
    NASL id: PHOTONOS_PHSA-2019-3_0-0024_SYSTEMD.NASL
    description: An update of the systemd package has been released.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 128160
    published: 2019-08-26
    reporter: This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/128160
    title: Photon OS 3.0: Systemd PHSA-2019-3.0-0024
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    # The descriptive text and package checks in this plugin were
    # extracted from VMware Security Advisory PHSA-2019-3.0-0024. The text
    # itself is copyright (C) VMware, Inc.
    
    include("compat.inc");
    
    if (description)
    {
      script_id(128160);
      script_version("1.2");
      script_cvs_date("Date: 2019/09/24 11:01:33");
    
      script_cve_id("CVE-2019-3843", "CVE-2019-3844", "CVE-2019-6454");
      script_bugtraq_id(107081);
    
      script_name(english:"Photon OS 3.0: Systemd PHSA-2019-3.0-0024");
      script_summary(english:"Checks the rpm output for the updated packages.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote PhotonOS host is missing multiple security updates.");
      script_set_attribute(attribute:"description", value:
    "An update of the systemd package has been released.");
      script_set_attribute(attribute:"see_also", value:"https://github.com/vmware/photon/wiki/Security-Updates-3.0-0024.md");
      script_set_attribute(attribute:"solution", value:
    "Update the affected Linux packages.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-3844");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/03/21");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/07/31");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/08/26");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:vmware:photonos:systemd");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:photonos:3.0");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"PhotonOS Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/PhotonOS/release", "Host/PhotonOS/rpm-list");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/PhotonOS/release");
    if (isnull(release) || release !~ "^VMware Photon") audit(AUDIT_OS_NOT, "PhotonOS");
    if (release !~ "^VMware Photon (?:Linux|OS) 3\.0(\D|$)") audit(AUDIT_OS_NOT, "PhotonOS 3.0");
    
    if (!get_kb_item("Host/PhotonOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "PhotonOS", cpu);
    
    flag = 0;
    
    if (rpm_check(release:"PhotonOS-3.0", reference:"systemd-239-12.ph3")) flag++;
    if (rpm_check(release:"PhotonOS-3.0", reference:"systemd-debuginfo-239-12.ph3")) flag++;
    if (rpm_check(release:"PhotonOS-3.0", reference:"systemd-devel-239-12.ph3")) flag++;
    if (rpm_check(release:"PhotonOS-3.0", reference:"systemd-lang-239-12.ph3")) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "systemd");
    }
    
  • NASL family: Huawei Local Security Checks
    NASL id: EULEROS_SA-2019-1661.NASL
    description: According to the versions of the systemd packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - It was discovered that a systemd service that uses DynamicUser property can get new privileges through the execution of SUID binaries, which would allow a cooperating process to create binaries owned by the service transient group with the setgid bit set. A local attacker may use this flaw to access resources that will be owned by a potentially different service in the future when the GID will be recycled.(CVE-2019-3844) - It was discovered that a systemd service that uses DynamicUser property can create a SUID/SGID binary that would be allowed to run as the transient service UID/GID even after the service is terminated. A local attacker may use this flaw to access resources that will be owned by a potentially different service in the future when the UID/GID will be recycled.(CVE-2019-3843) - In systemd before v242-rc4, it was discovered that pam_systemd does not properly sanitize the environment before using the XDG_SEAT variable. It is possible for an attacker, in some particular configurations, to set a XDG_SEAT environment variable which allows for commands to be checked against polkit policies using the
    last seen: 2020-05-03
    modified: 2019-06-27
    plugin id: 126288
    published: 2019-06-27
    reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/126288
    title: EulerOS 2.0 SP8 : systemd (EulerOS-SA-2019-1661)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(126288);
      script_version("1.3");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/01");
    
      script_cve_id(
        "CVE-2019-3842",
        "CVE-2019-3843",
        "CVE-2019-3844"
      );
    
      script_name(english:"EulerOS 2.0 SP8 : systemd (EulerOS-SA-2019-1661)");
      script_summary(english:"Checks the rpm output for the updated packages.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote EulerOS host is missing multiple security updates.");
      script_set_attribute(attribute:"description", value:
    "According to the versions of the systemd packages installed, the
    EulerOS installation on the remote host is affected by the following
    vulnerabilities :
    
      - It was discovered that a systemd service that uses
        DynamicUser property can get new privileges through the
        execution of SUID binaries, which would allow a
        cooperating process to create binaries owned by the
        service transient group with the setgid bit set. A
        local attacker may use this flaw to access resources
        that will be owned by a potentially different service
        in the future when the GID will be
        recycled.(CVE-2019-3844)
    
      - It was discovered that a systemd service that uses
        DynamicUser property can create a SUID/SGID binary that
        would be allowed to run as the transient service
        UID/GID even after the service is terminated. A local
        attacker may use this flaw to access resources that
        will be owned by a potentially different service in the
        future when the UID/GID will be
        recycled.(CVE-2019-3843)
    
      - In systemd before v242-rc4, it was discovered that
        pam_systemd does not properly sanitize the environment
        before using the XDG_SEAT variable. It is possible for
        an attacker, in some particular configurations, to set
        a XDG_SEAT environment variable which allows for
        commands to be checked against polkit policies using
        the 'allow_active' element rather than
        'allow_any'.(CVE-2019-3842)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the EulerOS security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues.");
      # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1661
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?edc44c28");
      script_set_attribute(attribute:"solution", value:
    "Update the affected systemd packages.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2019/06/27");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/06/27");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:systemd");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:systemd-container");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:systemd-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:systemd-journal-remote");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:systemd-libs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:systemd-pam");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:systemd-udev");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:systemd-udev-compat");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Huawei Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp");
      script_exclude_keys("Host/EulerOS/uvp_version");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/EulerOS/release");
    if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
    if (release !~ "^EulerOS release 2\.0(\D|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0");
    
    sp = get_kb_item("Host/EulerOS/sp");
    if (isnull(sp) || sp !~ "^(8)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP8");
    
    uvp = get_kb_item("Host/EulerOS/uvp_version");
    if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP8", "EulerOS UVP " + uvp);
    
    if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
    if ("aarch64" >!< cpu) audit(AUDIT_ARCH_NOT, "aarch64", cpu);
    
    flag = 0;
    
    pkgs = ["systemd-239-3.h24.eulerosv2r8",
            "systemd-container-239-3.h24.eulerosv2r8",
            "systemd-devel-239-3.h24.eulerosv2r8",
            "systemd-journal-remote-239-3.h24.eulerosv2r8",
            "systemd-libs-239-3.h24.eulerosv2r8",
            "systemd-pam-239-3.h24.eulerosv2r8",
            "systemd-udev-239-3.h24.eulerosv2r8",
            "systemd-udev-compat-239-3.h24.eulerosv2r8"];
    
    foreach (pkg in pkgs)
      if (rpm_check(release:"EulerOS-2.0", sp:"8", reference:pkg)) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "systemd");
    }
    
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2020-1794.NASL
    description: The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:1794 advisory. - systemd: services with DynamicUser can create SUID/SGID binaries (CVE-2019-3843) - systemd: services with DynamicUser can get new privileges and create SGID binaries (CVE-2019-3844) Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen: 2020-04-30
    modified: 2020-04-28
    plugin id: 136046
    published: 2020-04-28
    reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/136046
    title: RHEL 8 : systemd (RHSA-2020:1794)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    # The descriptive text and package checks in this plugin were
    # extracted from Red Hat Security Advisory RHSA-2020:1794. The text
    # itself is copyright (C) Red Hat, Inc.
    #
    
    
    include('compat.inc');
    
    if (description)
    {
      script_id(136046);
      script_version("1.2");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/04/29");
    
      script_cve_id("CVE-2019-3843", "CVE-2019-3844");
      script_bugtraq_id(108096, 108116);
      script_xref(name:"RHSA", value:"2020:1794");
    
      script_name(english:"RHEL 8 : systemd (RHSA-2020:1794)");
      script_summary(english:"Checks the rpm output for the updated packages");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote Red Hat host is missing one or more security updates.");
      script_set_attribute(attribute:"description", value:
    "The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as
    referenced in the RHSA-2020:1794 advisory.
    
      - systemd: services with DynamicUser can create SUID/SGID
        binaries (CVE-2019-3843)
    
      - systemd: services with DynamicUser can get new
        privileges and create SGID binaries (CVE-2019-3844)
    
    Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
    number.");
      script_set_attribute(attribute:"see_also", value:"https://cwe.mitre.org/data/definitions/266.html");
      script_set_attribute(attribute:"see_also", value:"https://cwe.mitre.org/data/definitions/268.html");
      script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2020:1794");
      script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2019-3843");
      script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2019-3844");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/1684607");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/1684610");
      script_set_attribute(attribute:"solution", value:
    "Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-3844");
    
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_cwe_id(266, 268);
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/04/26");
      script_set_attribute(attribute:"patch_publication_date", value:"2020/04/28");
      script_set_attribute(attribute:"plugin_publication_date", value:"2020/04/28");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:8");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:8::baseos");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:systemd");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:systemd-container");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:systemd-debugsource");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:systemd-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:systemd-journal-remote");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:systemd-libs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:systemd-pam");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:systemd-tests");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:systemd-udev");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Red Hat Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include('audit.inc');
    include('global_settings.inc');
    include('misc_func.inc');
    include('rpm.inc');
    
    if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item('Host/RedHat/release');
    if (isnull(release) || 'Red Hat' >!< release) audit(AUDIT_OS_NOT, 'Red Hat');
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');
    os_ver = os_ver[1];
    if (! preg(pattern:"^8([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, 'Red Hat 8.x', 'Red Hat ' + os_ver);
    
    if (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item('Host/cpu');
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);
    
    pkgs = [
        {'reference':'systemd-239-29.el8', 'cpu':'aarch64', 'release':'8'},
        {'reference':'systemd-239-29.el8', 'cpu':'i686', 'release':'8'},
        {'reference':'systemd-239-29.el8', 'cpu':'s390x', 'release':'8'},
        {'reference':'systemd-239-29.el8', 'cpu':'x86_64', 'release':'8'},
        {'reference':'systemd-container-239-29.el8', 'cpu':'aarch64', 'release':'8'},
        {'reference':'systemd-container-239-29.el8', 'cpu':'i686', 'release':'8'},
        {'reference':'systemd-container-239-29.el8', 'cpu':'s390x', 'release':'8'},
        {'reference':'systemd-container-239-29.el8', 'cpu':'x86_64', 'release':'8'},
        {'reference':'systemd-debugsource-239-29.el8', 'cpu':'aarch64', 'release':'8'},
        {'reference':'systemd-debugsource-239-29.el8', 'cpu':'i686', 'release':'8'},
        {'reference':'systemd-debugsource-239-29.el8', 'cpu':'s390x', 'release':'8'},
        {'reference':'systemd-debugsource-239-29.el8', 'cpu':'x86_64', 'release':'8'},
        {'reference':'systemd-devel-239-29.el8', 'cpu':'aarch64', 'release':'8'},
        {'reference':'systemd-devel-239-29.el8', 'cpu':'i686', 'release':'8'},
        {'reference':'systemd-devel-239-29.el8', 'cpu':'s390x', 'release':'8'},
        {'reference':'systemd-devel-239-29.el8', 'cpu':'x86_64', 'release':'8'},
        {'reference':'systemd-journal-remote-239-29.el8', 'cpu':'aarch64', 'release':'8'},
        {'reference':'systemd-journal-remote-239-29.el8', 'cpu':'s390x', 'release':'8'},
        {'reference':'systemd-journal-remote-239-29.el8', 'cpu':'x86_64', 'release':'8'},
        {'reference':'systemd-libs-239-29.el8', 'cpu':'aarch64', 'release':'8'},
        {'reference':'systemd-libs-239-29.el8', 'cpu':'i686', 'release':'8'},
        {'reference':'systemd-libs-239-29.el8', 'cpu':'s390x', 'release':'8'},
        {'reference':'systemd-libs-239-29.el8', 'cpu':'x86_64', 'release':'8'},
        {'reference':'systemd-pam-239-29.el8', 'cpu':'aarch64', 'release':'8'},
        {'reference':'systemd-pam-239-29.el8', 'cpu':'s390x', 'release':'8'},
        {'reference':'systemd-pam-239-29.el8', 'cpu':'x86_64', 'release':'8'},
        {'reference':'systemd-tests-239-29.el8', 'cpu':'aarch64', 'release':'8'},
        {'reference':'systemd-tests-239-29.el8', 'cpu':'s390x', 'release':'8'},
        {'reference':'systemd-tests-239-29.el8', 'cpu':'x86_64', 'release':'8'},
        {'reference':'systemd-udev-239-29.el8', 'cpu':'aarch64', 'release':'8'},
        {'reference':'systemd-udev-239-29.el8', 'cpu':'s390x', 'release':'8'},
        {'reference':'systemd-udev-239-29.el8', 'cpu':'x86_64', 'release':'8'}
    ];
    
    flag = 0;
    foreach package_array ( pkgs ) {
      reference = NULL;
      release = NULL;
      sp = NULL;
      cpu = NULL;
      el_string = NULL;
      rpm_spec_vers_cmp = NULL;
      epoch = NULL;
      if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
      if (!empty_or_null(package_array['release'])) release = 'RHEL' + package_array['release'];
      if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];
      if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];
      if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];
      if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];
      if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];
      if (reference && release) {
        if (rpm_spec_vers_cmp) {
          if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:TRUE)) flag++;
        }
        else
        {
          if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch)) flag++;
        }
      }
    }
    
    if (flag)
    {
      security_report_v4(
          port       : 0,
          severity   : SECURITY_WARNING,
          extra      : rpm_report_get() + redhat_report_package_caveat()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'systemd / systemd-container / systemd-debugsource / etc');
    }
    
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_SU-2019-1364-1.NASL
    description: This update for systemd fixes the following issues : Security issues fixed : CVE-2019-3842: Fixed a privilege escalation in pam_systemd which could be exploited by a local user (bsc#1132348). CVE-2019-6454: Fixed a denial of service via crafted D-Bus message (bsc#1125352). CVE-2019-3843, CVE-2019-3844: Fixed a privilege escalation where services with DynamicUser could gain new privileges or create SUID/SGID binaries (bsc#1133506, bsc#1133509). Non-security issued fixed: logind: fix killing of scopes (bsc#1125604) namespace: make MountFlags=shared work again (bsc#1124122) rules: load drivers only on
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 125537
    published: 2019-05-29
    reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/125537
    title: SUSE SLED15 / SLES15 Security Update : systemd (SUSE-SU-2019:1364-1)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from SUSE update advisory SUSE-SU-2019:1364-1.
    # The text itself is copyright (C) SUSE.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(125537);
      script_version("1.4");
      script_cvs_date("Date: 2020/01/15");
    
      script_cve_id("CVE-2019-3842", "CVE-2019-3843", "CVE-2019-3844", "CVE-2019-6454");
    
      script_name(english:"SUSE SLED15 / SLES15 Security Update : systemd (SUSE-SU-2019:1364-1)");
      script_summary(english:"Checks rpm output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote SUSE host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update for systemd fixes the following issues :
    
    Security issues fixed :
    
    CVE-2019-3842: Fixed a privilege escalation in pam_systemd which could
    be exploited by a local user (bsc#1132348).
    
    CVE-2019-6454: Fixed a denial of service via crafted D-Bus message
    (bsc#1125352).
    
    CVE-2019-3843, CVE-2019-3844: Fixed a privilege escalation where
    services with DynamicUser could gain new privileges or create
    SUID/SGID binaries (bsc#1133506, bsc#1133509).
    
    Non-security issued fixed: logind: fix killing of scopes (bsc#1125604)
    
    namespace: make MountFlags=shared work again (bsc#1124122)
    
    rules: load drivers only on 'add' events (bsc#1126056)
    
    sysctl: Don't pass null directive argument to '%s' (bsc#1121563)
    
    systemd-coredump: generate a stack trace of all core dumps and log
    into the journal (jsc#SLE-5933)
    
    udevd: notify when max number value of children is reached only once
    per batch of events (bsc#1132400)
    
    sd-bus: bump message queue size again (bsc#1132721)
    
    Do not automatically online memory on s390x (bsc#1127557)
    
    Removed sg.conf (bsc#1036463)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the SUSE security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1036463"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1121563"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1124122"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1125352"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1125604"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1126056"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1127557"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1130230"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1132348"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1132400"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1132721"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1133506"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1133509"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2019-3842/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2019-3843/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2019-3844/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2019-6454/"
      );
      # https://www.suse.com/support/update/announcement/2019/suse-su-20191364-1/
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?9d71e703"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "To install this SUSE Security Update use the SUSE recommended
    installation methods like YaST online_update or 'zypper patch'.
    
    Alternatively you can run the command listed for your product :
    
    SUSE Linux Enterprise Module for Open Buildservice Development Tools
    15:zypper in -t patch
    SUSE-SLE-Module-Development-Tools-OBS-15-2019-1364=1
    
    SUSE Linux Enterprise Module for Basesystem 15:zypper in -t patch
    SUSE-SLE-Module-Basesystem-15-2019-1364=1"
      );
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-3844");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:libsystemd0");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:libsystemd0-32bit");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:libsystemd0-32bit-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:libsystemd0-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:libsystemd0-mini");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:libsystemd0-mini-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:libudev-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:libudev-mini-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:libudev-mini1");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:libudev-mini1-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:libudev1");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:libudev1-32bit");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:libudev1-32bit-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:libudev1-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:nss-myhostname");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:nss-myhostname-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:nss-mymachines");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:nss-mymachines-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:nss-systemd");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:nss-systemd-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:systemd");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:systemd-32bit");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:systemd-32bit-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:systemd-container");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:systemd-container-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:systemd-coredump");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:systemd-coredump-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:systemd-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:systemd-debugsource");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:systemd-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:systemd-logger");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:systemd-mini");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:systemd-mini-container-mini");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:systemd-mini-container-mini-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:systemd-mini-coredump-mini");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:systemd-mini-coredump-mini-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:systemd-mini-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:systemd-mini-debugsource");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:systemd-mini-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:systemd-mini-sysvinit");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:systemd-sysvinit");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:udev");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:udev-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:udev-mini");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:udev-mini-debuginfo");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:15");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/03/21");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/05/28");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/05/29");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE");
    os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE");
    os_ver = os_ver[1];
    if (! preg(pattern:"^(SLED15|SLES15)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLED15 / SLES15", "SUSE " + os_ver);
    
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu);
    
    sp = get_kb_item("Host/SuSE/patchlevel");
    if (isnull(sp)) sp = "0";
    if (os_ver == "SLES15" && (! preg(pattern:"^(0)$", string:sp))) audit(AUDIT_OS_NOT, "SLES15 SP0", os_ver + " SP" + sp);
    if (os_ver == "SLED15" && (! preg(pattern:"^(0)$", string:sp))) audit(AUDIT_OS_NOT, "SLED15 SP0", os_ver + " SP" + sp);
    
    
    flag = 0;
    if (rpm_check(release:"SLES15", sp:"0", cpu:"x86_64", reference:"libsystemd0-32bit-234-24.30.1")) flag++;
    if (rpm_check(release:"SLES15", sp:"0", cpu:"x86_64", reference:"libsystemd0-32bit-debuginfo-234-24.30.1")) flag++;
    if (rpm_check(release:"SLES15", sp:"0", cpu:"x86_64", reference:"libudev1-32bit-234-24.30.1")) flag++;
    if (rpm_check(release:"SLES15", sp:"0", cpu:"x86_64", reference:"libudev1-32bit-debuginfo-234-24.30.1")) flag++;
    if (rpm_check(release:"SLES15", sp:"0", cpu:"x86_64", reference:"systemd-32bit-234-24.30.1")) flag++;
    if (rpm_check(release:"SLES15", sp:"0", cpu:"x86_64", reference:"systemd-32bit-debuginfo-234-24.30.1")) flag++;
    if (rpm_check(release:"SLES15", sp:"0", reference:"libsystemd0-mini-234-24.30.1")) flag++;
    if (rpm_check(release:"SLES15", sp:"0", reference:"libsystemd0-mini-debuginfo-234-24.30.1")) flag++;
    if (rpm_check(release:"SLES15", sp:"0", reference:"libudev-mini-devel-234-24.30.1")) flag++;
    if (rpm_check(release:"SLES15", sp:"0", reference:"libudev-mini1-234-24.30.1")) flag++;
    if (rpm_check(release:"SLES15", sp:"0", reference:"libudev-mini1-debuginfo-234-24.30.1")) flag++;
    if (rpm_check(release:"SLES15", sp:"0", reference:"nss-myhostname-234-24.30.1")) flag++;
    if (rpm_check(release:"SLES15", sp:"0", reference:"nss-myhostname-debuginfo-234-24.30.1")) flag++;
    if (rpm_check(release:"SLES15", sp:"0", reference:"nss-mymachines-234-24.30.1")) flag++;
    if (rpm_check(release:"SLES15", sp:"0", reference:"nss-mymachines-debuginfo-234-24.30.1")) flag++;
    if (rpm_check(release:"SLES15", sp:"0", reference:"nss-systemd-234-24.30.1")) flag++;
    if (rpm_check(release:"SLES15", sp:"0", reference:"nss-systemd-debuginfo-234-24.30.1")) flag++;
    if (rpm_check(release:"SLES15", sp:"0", reference:"systemd-debuginfo-234-24.30.1")) flag++;
    if (rpm_check(release:"SLES15", sp:"0", reference:"systemd-debugsource-234-24.30.1")) flag++;
    if (rpm_check(release:"SLES15", sp:"0", reference:"systemd-logger-234-24.30.1")) flag++;
    if (rpm_check(release:"SLES15", sp:"0", reference:"systemd-mini-234-24.30.1")) flag++;
    if (rpm_check(release:"SLES15", sp:"0", reference:"systemd-mini-container-mini-234-24.30.1")) flag++;
    if (rpm_check(release:"SLES15", sp:"0", reference:"systemd-mini-container-mini-debuginfo-234-24.30.1")) flag++;
    if (rpm_check(release:"SLES15", sp:"0", reference:"systemd-mini-coredump-mini-234-24.30.1")) flag++;
    if (rpm_check(release:"SLES15", sp:"0", reference:"systemd-mini-coredump-mini-debuginfo-234-24.30.1")) flag++;
    if (rpm_check(release:"SLES15", sp:"0", reference:"systemd-mini-debuginfo-234-24.30.1")) flag++;
    if (rpm_check(release:"SLES15", sp:"0", reference:"systemd-mini-debugsource-234-24.30.1")) flag++;
    if (rpm_check(release:"SLES15", sp:"0", reference:"systemd-mini-devel-234-24.30.1")) flag++;
    if (rpm_check(release:"SLES15", sp:"0", reference:"systemd-mini-sysvinit-234-24.30.1")) flag++;
    if (rpm_check(release:"SLES15", sp:"0", reference:"udev-mini-234-24.30.1")) flag++;
    if (rpm_check(release:"SLES15", sp:"0", reference:"udev-mini-debuginfo-234-24.30.1")) flag++;
    if (rpm_check(release:"SLES15", sp:"0", reference:"libsystemd0-234-24.30.1")) flag++;
    if (rpm_check(release:"SLES15", sp:"0", reference:"libsystemd0-debuginfo-234-24.30.1")) flag++;
    if (rpm_check(release:"SLES15", sp:"0", reference:"libudev-devel-234-24.30.1")) flag++;
    if (rpm_check(release:"SLES15", sp:"0", reference:"libudev1-234-24.30.1")) flag++;
    if (rpm_check(release:"SLES15", sp:"0", reference:"libudev1-debuginfo-234-24.30.1")) flag++;
    if (rpm_check(release:"SLES15", sp:"0", reference:"systemd-234-24.30.1")) flag++;
    if (rpm_check(release:"SLES15", sp:"0", reference:"systemd-container-234-24.30.1")) flag++;
    if (rpm_check(release:"SLES15", sp:"0", reference:"systemd-container-debuginfo-234-24.30.1")) flag++;
    if (rpm_check(release:"SLES15", sp:"0", reference:"systemd-coredump-234-24.30.1")) flag++;
    if (rpm_check(release:"SLES15", sp:"0", reference:"systemd-coredump-debuginfo-234-24.30.1")) flag++;
    if (rpm_check(release:"SLES15", sp:"0", reference:"systemd-debuginfo-234-24.30.1")) flag++;
    if (rpm_check(release:"SLES15", sp:"0", reference:"systemd-debugsource-234-24.30.1")) flag++;
    if (rpm_check(release:"SLES15", sp:"0", reference:"systemd-devel-234-24.30.1")) flag++;
    if (rpm_check(release:"SLES15", sp:"0", reference:"systemd-sysvinit-234-24.30.1")) flag++;
    if (rpm_check(release:"SLES15", sp:"0", reference:"udev-234-24.30.1")) flag++;
    if (rpm_check(release:"SLES15", sp:"0", reference:"udev-debuginfo-234-24.30.1")) flag++;
    if (rpm_check(release:"SLED15", sp:"0", cpu:"x86_64", reference:"libsystemd0-32bit-234-24.30.1")) flag++;
    if (rpm_check(release:"SLED15", sp:"0", cpu:"x86_64", reference:"libsystemd0-32bit-debuginfo-234-24.30.1")) flag++;
    if (rpm_check(release:"SLED15", sp:"0", cpu:"x86_64", reference:"libudev1-32bit-234-24.30.1")) flag++;
    if (rpm_check(release:"SLED15", sp:"0", cpu:"x86_64", reference:"libudev1-32bit-debuginfo-234-24.30.1")) flag++;
    if (rpm_check(release:"SLED15", sp:"0", cpu:"x86_64", reference:"systemd-32bit-234-24.30.1")) flag++;
    if (rpm_check(release:"SLED15", sp:"0", cpu:"x86_64", reference:"systemd-32bit-debuginfo-234-24.30.1")) flag++;
    if (rpm_check(release:"SLED15", sp:"0", reference:"libsystemd0-mini-234-24.30.1")) flag++;
    if (rpm_check(release:"SLED15", sp:"0", reference:"libsystemd0-mini-debuginfo-234-24.30.1")) flag++;
    if (rpm_check(release:"SLED15", sp:"0", reference:"libudev-mini-devel-234-24.30.1")) flag++;
    if (rpm_check(release:"SLED15", sp:"0", reference:"libudev-mini1-234-24.30.1")) flag++;
    if (rpm_check(release:"SLED15", sp:"0", reference:"libudev-mini1-debuginfo-234-24.30.1")) flag++;
    if (rpm_check(release:"SLED15", sp:"0", reference:"nss-myhostname-234-24.30.1")) flag++;
    if (rpm_check(release:"SLED15", sp:"0", reference:"nss-myhostname-debuginfo-234-24.30.1")) flag++;
    if (rpm_check(release:"SLED15", sp:"0", reference:"nss-mymachines-234-24.30.1")) flag++;
    if (rpm_check(release:"SLED15", sp:"0", reference:"nss-mymachines-debuginfo-234-24.30.1")) flag++;
    if (rpm_check(release:"SLED15", sp:"0", reference:"nss-systemd-234-24.30.1")) flag++;
    if (rpm_check(release:"SLED15", sp:"0", reference:"nss-systemd-debuginfo-234-24.30.1")) flag++;
    if (rpm_check(release:"SLED15", sp:"0", reference:"systemd-debuginfo-234-24.30.1")) flag++;
    if (rpm_check(release:"SLED15", sp:"0", reference:"systemd-debugsource-234-24.30.1")) flag++;
    if (rpm_check(release:"SLED15", sp:"0", reference:"systemd-logger-234-24.30.1")) flag++;
    if (rpm_check(release:"SLED15", sp:"0", reference:"systemd-mini-234-24.30.1")) flag++;
    if (rpm_check(release:"SLED15", sp:"0", reference:"systemd-mini-container-mini-234-24.30.1")) flag++;
    if (rpm_check(release:"SLED15", sp:"0", reference:"systemd-mini-container-mini-debuginfo-234-24.30.1")) flag++;
    if (rpm_check(release:"SLED15", sp:"0", reference:"systemd-mini-coredump-mini-234-24.30.1")) flag++;
    if (rpm_check(release:"SLED15", sp:"0", reference:"systemd-mini-coredump-mini-debuginfo-234-24.30.1")) flag++;
    if (rpm_check(release:"SLED15", sp:"0", reference:"systemd-mini-debuginfo-234-24.30.1")) flag++;
    if (rpm_check(release:"SLED15", sp:"0", reference:"systemd-mini-debugsource-234-24.30.1")) flag++;
    if (rpm_check(release:"SLED15", sp:"0", reference:"systemd-mini-devel-234-24.30.1")) flag++;
    if (rpm_check(release:"SLED15", sp:"0", reference:"systemd-mini-sysvinit-234-24.30.1")) flag++;
    if (rpm_check(release:"SLED15", sp:"0", reference:"udev-mini-234-24.30.1")) flag++;
    if (rpm_check(release:"SLED15", sp:"0", reference:"udev-mini-debuginfo-234-24.30.1")) flag++;
    if (rpm_check(release:"SLED15", sp:"0", reference:"libsystemd0-234-24.30.1")) flag++;
    if (rpm_check(release:"SLED15", sp:"0", reference:"libsystemd0-debuginfo-234-24.30.1")) flag++;
    if (rpm_check(release:"SLED15", sp:"0", reference:"libudev-devel-234-24.30.1")) flag++;
    if (rpm_check(release:"SLED15", sp:"0", reference:"libudev1-234-24.30.1")) flag++;
    if (rpm_check(release:"SLED15", sp:"0", reference:"libudev1-debuginfo-234-24.30.1")) flag++;
    if (rpm_check(release:"SLED15", sp:"0", reference:"systemd-234-24.30.1")) flag++;
    if (rpm_check(release:"SLED15", sp:"0", reference:"systemd-container-234-24.30.1")) flag++;
    if (rpm_check(release:"SLED15", sp:"0", reference:"systemd-container-debuginfo-234-24.30.1")) flag++;
    if (rpm_check(release:"SLED15", sp:"0", reference:"systemd-coredump-234-24.30.1")) flag++;
    if (rpm_check(release:"SLED15", sp:"0", reference:"systemd-coredump-debuginfo-234-24.30.1")) flag++;
    if (rpm_check(release:"SLED15", sp:"0", reference:"systemd-debuginfo-234-24.30.1")) flag++;
    if (rpm_check(release:"SLED15", sp:"0", reference:"systemd-debugsource-234-24.30.1")) flag++;
    if (rpm_check(release:"SLED15", sp:"0", reference:"systemd-devel-234-24.30.1")) flag++;
    if (rpm_check(release:"SLED15", sp:"0", reference:"systemd-sysvinit-234-24.30.1")) flag++;
    if (rpm_check(release:"SLED15", sp:"0", reference:"udev-234-24.30.1")) flag++;
    if (rpm_check(release:"SLED15", sp:"0", reference:"udev-debuginfo-234-24.30.1")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "systemd");
    }
    
  • NASL family: Ubuntu Local Security Checks
    NASL id: UBUNTU_USN-4269-1.NASL
    description: It was discovered that systemd incorrectly handled certain PIDFile files. A local attacker could possibly use this issue to trick systemd into killing privileged processes. This issue only affected Ubuntu 16.04 LTS. (CVE-2018-16888) It was discovered that systemd incorrectly handled certain udevadm trigger commands. A local attacker could possibly use this issue to cause systemd to consume resources, leading to a denial of service. (CVE-2019-20386) Jann Horn discovered that systemd incorrectly handled services that use the DynamicUser property. A local attacker could possibly use this issue to access resources owned by a different service in the future. This issue only affected Ubuntu 18.04 LTS. (CVE-2019-3843, CVE-2019-3844) Tavis Ormandy discovered that systemd incorrectly handled certain Polkit queries. A local attacker could use this issue to cause systemd to crash, resulting in a denial of service, or possibly execute arbitrary code and escalate privileges. (CVE-2020-1712). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 133523
    published: 2020-02-06
    reporter: Ubuntu Security Notice (C) 2020 Canonical, Inc. / NASL script (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/133523
    title: Ubuntu 16.04 LTS / 18.04 LTS / 19.10 : systemd vulnerabilities (USN-4269-1)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Ubuntu Security Notice USN-4269-1. The text 
    # itself is copyright (C) Canonical, Inc. See 
    # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
    # trademark of Canonical, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(133523);
      script_version("1.2");
      script_cvs_date("Date: 2020/02/10");
    
      script_cve_id("CVE-2018-16888", "CVE-2019-20386", "CVE-2019-3843", "CVE-2019-3844", "CVE-2020-1712");
      script_xref(name:"USN", value:"4269-1");
    
      script_name(english:"Ubuntu 16.04 LTS / 18.04 LTS / 19.10 : systemd vulnerabilities (USN-4269-1)");
      script_summary(english:"Checks dpkg output for updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Ubuntu host is missing a security-related patch."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "It was discovered that systemd incorrectly handled certain PIDFile
    files. A local attacker could possibly use this issue to trick systemd
    into killing privileged processes. This issue only affected Ubuntu
    16.04 LTS. (CVE-2018-16888)
    
    It was discovered that systemd incorrectly handled certain udevadm
    trigger commands. A local attacker could possibly use this issue to
    cause systemd to consume resources, leading to a denial of service.
    (CVE-2019-20386)
    
    Jann Horn discovered that systemd incorrectly handled services that
    use the DynamicUser property. A local attacker could possibly use this
    issue to access resources owned by a different service in the future.
    This issue only affected Ubuntu 18.04 LTS. (CVE-2019-3843,
    CVE-2019-3844)
    
    Tavis Ormandy discovered that systemd incorrectly handled certain
    Polkit queries. A local attacker could use this issue to cause systemd
    to crash, resulting in a denial of service, or possibly execute
    arbitrary code and escalate privileges. (CVE-2020-1712).
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Ubuntu security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://usn.ubuntu.com/4269-1/"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected systemd package."
      );
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:systemd");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.04");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:18.04:-:lts");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:19.10");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/01/14");
      script_set_attribute(attribute:"patch_publication_date", value:"2020/02/05");
      script_set_attribute(attribute:"plugin_publication_date", value:"2020/02/06");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"Ubuntu Security Notice (C) 2020 Canonical, Inc. / NASL script (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Ubuntu Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("ubuntu.inc");
    include("misc_func.inc");
    
    if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/Ubuntu/release");
    if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
    release = chomp(release);
    if (! preg(pattern:"^(16\.04|18\.04|19\.10)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 16.04 / 18.04 / 19.10", "Ubuntu " + release);
    if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);
    
    flag = 0;
    
    if (ubuntu_check(osver:"16.04", pkgname:"systemd", pkgver:"229-4ubuntu21.27")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"systemd", pkgver:"237-3ubuntu10.38")) flag++;
    if (ubuntu_check(osver:"19.10", pkgname:"systemd", pkgver:"242-7ubuntu3.6")) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : ubuntu_report_get()
      );
      exit(0);
    }
    else
    {
      tested = ubuntu_pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "systemd");
    }
    
  • NASL family: Huawei Local Security Checks
    NASL id: EULEROS_SA-2019-2319.NASL
    description: According to the versions of the systemd packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities : - It was discovered that a systemd service that uses DynamicUser property can create a SUID/SGID binary that would be allowed to run as the transient service UID/GID even after the service is terminated. A local attacker may use this flaw to access resources that will be owned by a potentially different service in the future, when the UID/GID will be recycled. (CVE-2019-3843) - It was discovered that a systemd service that uses DynamicUser property can get new privileges through the execution of SUID binaries, which would allow to create binaries owned by the service transient group with the setgid bit set. A local attacker may use this flaw to access resources that will be owned by a potentially different service in the future, when the GID will be recycled. (CVE-2019-3844) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 131484
    published: 2019-12-03
    reporter: This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/131484
    title: EulerOS Virtualization for ARM 64 3.0.3.0 : systemd (EulerOS-SA-2019-2319)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(131484);
      script_version("1.2");
      script_cvs_date("Date: 2019/12/10");
    
      script_cve_id(
        "CVE-2019-3843",
        "CVE-2019-3844"
      );
    
      script_name(english:"EulerOS Virtualization for ARM 64 3.0.3.0 : systemd (EulerOS-SA-2019-2319)");
      script_summary(english:"Checks the rpm output for the updated packages.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote EulerOS Virtualization for ARM 64 host is missing multiple security
    updates.");
      script_set_attribute(attribute:"description", value:
    "According to the versions of the systemd packages installed, the
    EulerOS Virtualization for ARM 64 installation on the remote host is
    affected by the following vulnerabilities :
    
      - It was discovered that a systemd service that uses
        DynamicUser property can create a SUID/SGID binary that
        would be allowed to run as the transient service
        UID/GID even after the service is terminated. A local
        attacker may use this flaw to access resources that
        will be owned by a potentially different service in the
        future, when the UID/GID will be
        recycled.(CVE-2019-3843)
    
      - It was discovered that a systemd service that uses
        DynamicUser property can get new privileges through the
        execution of SUID binaries, which would allow to create
        binaries owned by the service transient group with the
        setgid bit set. A local attacker may use this flaw to
        access resources that will be owned by a potentially
        different service in the future, when the GID will be
        recycled.(CVE-2019-3844)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the EulerOS security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues.");
      # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-2319
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?3efa94e4");
      script_set_attribute(attribute:"solution", value:
    "Update the affected systemd packages.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2019/12/03");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/12/03");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:systemd");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:systemd-container");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:systemd-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:systemd-journal-remote");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:systemd-libs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:systemd-pam");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:systemd-udev");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:systemd-udev-compat");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:uvp:3.0.3.0");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Huawei Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/uvp_version");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/EulerOS/release");
    if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
    uvp = get_kb_item("Host/EulerOS/uvp_version");
    if (uvp != "3.0.3.0") audit(AUDIT_OS_NOT, "EulerOS Virtualization 3.0.3.0");
    if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
    if ("aarch64" >!< cpu) audit(AUDIT_ARCH_NOT, "aarch64", cpu);
    
    flag = 0;
    
    pkgs = ["systemd-239-3.h56.eulerosv2r8",
            "systemd-container-239-3.h56.eulerosv2r8",
            "systemd-devel-239-3.h56.eulerosv2r8",
            "systemd-journal-remote-239-3.h56.eulerosv2r8",
            "systemd-libs-239-3.h56.eulerosv2r8",
            "systemd-pam-239-3.h56.eulerosv2r8",
            "systemd-udev-239-3.h56.eulerosv2r8",
            "systemd-udev-compat-239-3.h56.eulerosv2r8"];
    
    foreach (pkg in pkgs)
      if (rpm_check(release:"EulerOS-2.0", reference:pkg)) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "systemd");
    }
    
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2019-7322053E74.NASL
    description: - Fix hang in flush_accept (#1702358) - Fix handling of RUN keys in udevd - Some documentation and minor logging fixes - Backport the addition of RestrictSUIDSGID= from systemd-242 and enable RestrictSUIDSGID=yes for systemd services which use DynamicUser=yes (#1703356, CVE-2019-3843). The defaults in v242 were changed to enable RestrictSUIDSGID=yes if DynamicUser=yes is specified, but this backport doesn
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 124504
    published: 2019-05-02
    reporter: This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/124504
    title: Fedora 30 : systemd (2019-7322053e74)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory FEDORA-2019-7322053e74.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(124504);
      script_version("1.5");
      script_cvs_date("Date: 2019/09/23 11:21:10");
    
      script_cve_id("CVE-2019-3843");
      script_xref(name:"FEDORA", value:"2019-7322053e74");
    
      script_name(english:"Fedora 30 : systemd (2019-7322053e74)");
      script_summary(english:"Checks rpm output for the updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "  - Fix hang in flush_accept (#1702358)
    
      - Fix handling of RUN keys in udevd
    
      - Some documentation and minor logging fixes
    
      - Backport the addition of RestrictSUIDSGID= from
        systemd-242 and enable RestrictSUIDSGID=yes for systemd
        services which use DynamicUser=yes (#1703356,
        CVE-2019-3843). The defaults in v242 were changed to
        enable RestrictSUIDSGID=yes if DynamicUser=yes is
        specified, but this backport doesn't do this and
        RestrictSUIDSGID=yes has to be requested explicitly.
        Maintainers of other services packages for Fedora should
        consider doing this.
    
    No need to log out or reboot.
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora update system website.
    Tenable has attempted to automatically clean and format it as much as
    possible without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bodhi.fedoraproject.org/updates/FEDORA-2019-7322053e74"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected systemd package."
      );
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:systemd");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:30");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/04/26");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/04/29");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/05/02");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Fedora Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! preg(pattern:"^30([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 30", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"FC30", reference:"systemd-241-8.git9ef65cb.fc30")) flag++;
    
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "systemd");
    }
    
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_SU-2019-1364-2.NASL
    description: This update for systemd fixes the following issues : Security issues fixed : CVE-2019-3842: Fixed a privilege escalation in pam_systemd which could be exploited by a local user (bsc#1132348). CVE-2019-6454: Fixed a denial of service via crafted D-Bus message (bsc#1125352). CVE-2019-3843, CVE-2019-3844: Fixed a privilege escalation where services with DynamicUser could gain new privileges or create SUID/SGID binaries (bsc#1133506, bsc#1133509). Non-security issues fixed: logind: fix killing of scopes (bsc#1125604) namespace: make MountFlags=shared work again (bsc#1124122) rules: load drivers only on
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 126736
    published: 2019-07-16
    reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/126736
    title: SUSE SLED15 / SLES15 Security Update : systemd (SUSE-SU-2019:1364-2)
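
The Fedora advisory text above says its backport leaves RestrictSUIDSGID=yes to be requested explicitly by services that use DynamicUser=yes. The following check is an added example, not code from Tenable, Fedora or systemd: it flags unit text whose effective [Service] settings have DynamicUser=yes without RestrictSUIDSGID=yes. The unit names and contents are constructed samples, and a drop-in is modelled by appending its text to the unit.

```python
import re

TRUE = {"1", "yes", "true", "on"}  # boolean spellings systemd accepts

def service_settings(unit_text):
    """Return the effective [Service] key -> value map of unit text."""
    settings, section, pending = {}, None, ""
    for raw in unit_text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):            # trailing backslash continues the line
            pending = line[:-1] + " "
            continue
        if not line or line[0] in "#;":    # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1)
            continue
        if section == "Service" and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()  # a later assignment overrides
    return settings

def needs_restrict_suid_sgid(unit_text):
    """True when DynamicUser is on and RestrictSUIDSGID is not."""
    s = service_settings(unit_text)
    dynamic = s.get("DynamicUser", "no").lower() in TRUE
    restricted = s.get("RestrictSUIDSGID", "no").lower() in TRUE
    return dynamic and not restricted

def audit(units):
    """units: {name: unit text}; returns the sorted names that need the setting."""
    return sorted(n for n, t in units.items() if needs_restrict_suid_sgid(t))

# Constructed sample units (hypothetical names and paths).
UNIT_EXPOSED = """\
[Unit]
Description=constructed sample
[Service]
ExecStart=/usr/bin/demo \\
    --verbose
DynamicUser=yes
"""
DROPIN_FIX = "# constructed drop-in\n[Service]\nRestrictSUIDSGID=yes\n"
UNIT_STATIC = "[Service]\nUser=demo\nExecStart=/usr/bin/demo\n"
SAMPLE_UNITS = {"demo-exposed.service": UNIT_EXPOSED,
                "demo-fixed.service": UNIT_EXPOSED + DROPIN_FIX,
                "demo-static.service": UNIT_STATIC}
```

On a live host, `systemctl cat UNIT` prints the unit file followed by its drop-ins, which is the concatenated form these functions expect.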

Redhat

rpms
  • systemd-0:239-29.el8
  • systemd-container-0:239-29.el8
  • systemd-container-debuginfo-0:239-29.el8
  • systemd-debuginfo-0:239-29.el8
  • systemd-debugsource-0:239-29.el8
  • systemd-devel-0:239-29.el8
  • systemd-journal-remote-0:239-29.el8
  • systemd-journal-remote-debuginfo-0:239-29.el8
  • systemd-libs-0:239-29.el8
  • systemd-libs-debuginfo-0:239-29.el8
  • systemd-pam-0:239-29.el8
  • systemd-pam-debuginfo-0:239-29.el8
  • systemd-tests-0:239-29.el8
  • systemd-tests-debuginfo-0:239-29.el8
  • systemd-udev-0:239-29.el8
  • systemd-udev-debuginfo-0:239-29.el8