https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1712

https://github.com/systemd/systemd/commit/1068447e6954dc6ce52f099ed174c442cb89ed54

https://github.com/systemd/systemd/commit/637486261528e8aa3da9f26a4487dc254f4b7abb

https://github.com/systemd/systemd/commit/bc130b6858327b382b07b3985cf48e2aa9016b2d

https://github.com/systemd/systemd/commit/ea0d0ede03c6f18dbc5036c5e9cccf97e415ccc2

https://www.openwall.com/lists/oss-security/2020/02/05/1

An update of the systemd package has been released.

According to the version of the systemd packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerability :

  - A heap use-after-free vulnerability was found in     systemd, where asynchronous Polkit queries are     performed while handling dbus messages. A local     unprivileged attacker can abuse this flaw to crash     systemd services or potentially execute code and     elevate their privileges, by sending specially crafted     dbus messages.(CVE-2020-1712)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the version of the systemd packages installed, the EulerOS installation on the remote host is affected by the following vulnerability :

  - A heap use-after-free vulnerability was found in     systemd, where asynchronous Polkit queries are     performed while handling dbus messages. A local     unprivileged attacker can abuse this flaw to crash     systemd services or potentially execute code and     elevate their privileges, by sending specially crafted     dbus messages.(CVE-2020-1712)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote host is affected by the vulnerability described in GLSA-202003-20 (systemd: Heap use-after-free)

    It was found that systemd incorrectly handled certain Polkit queries.
  Impact :

    A local unprivileged user, by sending a specially crafted Polkit query,       could possibly execute arbitrary code with the privileges of the process,       escalate privileges or cause a Denial of Service condition.
  Workaround :

    There is no known workaround at this time.

From Red Hat Security Advisory 2020:0575 :

An update for systemd is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The systemd packages contain systemd, a system and service manager for Linux, compatible with the SysV and LSB init scripts. It provides aggressive parallelism capabilities, uses socket and D-Bus activation for starting services, offers on-demand starting of daemons, and keeps track of processes using Linux cgroups. In addition, it supports snapshotting and restoring of the system state, maintains mount and automount points, and implements an elaborate transactional dependency-based service control logic. It can also work as a drop-in replacement for sysvinit.

Security Fix(es) :

* systemd: use-after-free when asynchronous polkit queries are performed (CVE-2020-1712)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es) :

* systemd: systemctl reload command breaks ordering dependencies between units (BZ#1781712)

An update for systemd is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The systemd packages contain systemd, a system and service manager for Linux, compatible with the SysV and LSB init scripts. It provides aggressive parallelism capabilities, uses socket and D-Bus activation for starting services, offers on-demand starting of daemons, and keeps track of processes using Linux cgroups. In addition, it supports snapshotting and restoring of the system state, maintains mount and automount points, and implements an elaborate transactional dependency-based service control logic. It can also work as a drop-in replacement for sysvinit.

Security Fix(es) :

* systemd: use-after-free when asynchronous polkit queries are performed (CVE-2020-1712)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es) :

* systemd: systemctl reload command breaks ordering dependencies between units (BZ#1781712)

An update for systemd is now available for Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The systemd packages contain systemd, a system and service manager for Linux, compatible with the SysV and LSB init scripts. It provides aggressive parallelism capabilities, uses socket and D-Bus activation for starting services, offers on-demand starting of daemons, and keeps track of processes using Linux cgroups. In addition, it supports snapshotting and restoring of the system state, maintains mount and automount points, and implements an elaborate transactional dependency-based service control logic. It can also work as a drop-in replacement for sysvinit.

Security Fix(es) :

* systemd: use-after-free when asynchronous polkit queries are performed (CVE-2020-1712)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

A few bugfixes and hwdb update.

No need to log out or reboot.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for systemd fixes the following issues :

  - CVE-2020-1712 (bsc#bsc#1162108) Fix a heap     use-after-free vulnerability, when asynchronous Polkit     queries were performed while handling Dbus messages. A     local unprivileged attacker could have abused this flaw     to crash systemd services or potentially execute code     and elevate their privileges, by sending specially     crafted Dbus messages.

  - Use suse.pool.ntp.org server pool on SLE distros     (jsc#SLE-7683)

  - libblkid: open device in nonblock mode. (bsc#1084671)

  - udev/cdrom_id: Do not open CD-rom in exclusive mode.
    (bsc#1154256)

  - bus_open leak sd_event_source when udevadm     trigger&#x3002; (bsc#1161436 CVE-2019-20386)

  - fileio: introduce read_full_virtual_file() for reading     virtual files in sysfs, procfs (bsc#1133495 bsc#1159814)

  - fileio: initialize errno to zero before we do fread()

  - fileio: try to read one byte too much in     read_full_stream()

  - logind: consider 'greeter' sessions suitable as     'display' sessions of a user (bsc#1158485)

  - logind: never elect a session that is stopping as     display

  - journal: include kmsg lines from the systemd process     which exec()d us (#8078)

  - udevd: don't use monitor after manager_exit()

  - udevd: capitalize log messages in on_sigchld()

  - udevd: merge conditions to decrease indentation

  - Revert 'udevd: fix crash when workers time out after     exit is signal caught'

  - core: fragments of masked units ought not be considered     for NeedDaemonReload (#7060) (bsc#1156482)

  - udevd: fix crash when workers time out after exit is     signal caught

  - udevd: wait for workers to finish when exiting     (bsc#1106383)

  - Improve bash completion support (bsc#1155207)

  - shell-completion: systemctl: do not list template units     in (re,)start

  - shell-completion: systemctl: pass current word to all     list_unit*

  - bash-completion: systemctl: pass current partial unit to     list-unit* (bsc#1155207)

  - bash-completion: systemctl: use systemctl --no-pager

  - bash-completion: also suggest template unit files

  - bash-completion: systemctl: add missing options and     verbs

  - bash-completion: use the first argument instead of the     global variable (#6457)

  - networkd: VXLan Make group and remote variable separate     (bsc#1156213)

  - networkd: vxlan require Remote= to be a non multicast     address (#8117) (bsc#1156213)

  - fs-util: let's avoid unnecessary strerror()

  - fs-util: introduce inotify_add_watch_and_warn() helper

  - ask-password: improve log message when inotify limit is     reached (bsc#1155574)

  - shared/install: failing with -ELOOP can be due to the     use of an alias in install_error() (bsc#1151377)

  - man: alias names can't be used with enable command     (bsc#1151377)

  - Add boot option to not use swap at system start     (jsc#SLE-7689)

  - Allow YaST to select Iranian (Persian, Farsi) keyboard     layout (bsc#1092920) This update was imported from the     SUSE:SLE-15:Update update project.

A heap use-after-free vulnerability was found in systemd, where asynchronous Polkit queries are performed while handling dbus messages. A local unprivileged attacker can abuse this flaw to crash systemd services or potentially execute code and elevate their privileges, by sending specially crafted dbus messages.
(CVE-2020-1712)

This update for systemd provides the following fixes :

CVE-2020-1712 (bsc#bsc#1162108) Fix a heap use-after-free vulnerability, when asynchronous Polkit queries were performed while handling Dbus messages. A local unprivileged attacker could have abused this flaw to crash systemd services or potentially execute code and elevate their privileges, by sending specially crafted Dbus messages.

sd-bus: Deal with cookie overruns. (bsc#1150595)

rules: Add by-id symlinks for persistent memory. (bsc#1140631)

Drop the old fds used for logging and reopen them in the sub process before doing any new logging. (bsc#1154948)

Fix warnings thrown during package installation (bsc#1154043)

Fix for systemctl hanging by restart. (bsc#1139459)

man: mention that alias names are only effective after 'systemctl enable'. (bsc#1151377)

ask-password: improve log message when inotify limit is reached.
(bsc#1155574)

udevd: wait for workers to finish when exiting. (bsc#1106383)

core: fragments of masked units ought not be considered for NeedDaemonReload. (bsc#1156482)

udev: fix 'NULL' deref when executing rules. (bsc#1151506)

Introduce function for reading virtual files in 'sysfs' and 'procfs'.
(bsc#1133495, bsc#1159814)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for systemd fixes the following issues :

CVE-2020-1712 (bsc#bsc#1162108) Fix a heap use-after-free vulnerability, when asynchronous Polkit queries were performed while handling Dbus messages. A local unprivileged attacker could have abused this flaw to crash systemd services or potentially execute code and elevate their privileges, by sending specially crafted Dbus messages.

Use suse.pool.ntp.org server pool on SLE distros (jsc#SLE-7683)

libblkid: open device in nonblock mode. (bsc#1084671)

udev/cdrom_id: Do not open CD-rom in exclusive mode. (bsc#1154256)

bus_open leak sd_event_source when udevadm trigger&Atilde;&pound;&Acirc;&#128;&Acirc;&#130; (bsc#1161436 CVE-2019-20386)

fileio: introduce read_full_virtual_file() for reading virtual files in sysfs, procfs (bsc#1133495 bsc#1159814)

fileio: initialize errno to zero before we do fread()

fileio: try to read one byte too much in read_full_stream()

logind: consider 'greeter' sessions suitable as 'display' sessions of a user (bsc#1158485)

logind: never elect a session that is stopping as display

journal: include kmsg lines from the systemd process which exec()d us (#8078)

udevd: don't use monitor after manager_exit()

udevd: capitalize log messages in on_sigchld()

udevd: merge conditions to decrease indentation

Revert 'udevd: fix crash when workers time out after exit is signal caught'

core: fragments of masked units ought not be considered for NeedDaemonReload (#7060) (bsc#1156482)

udevd: fix crash when workers time out after exit is signal caught

udevd: wait for workers to finish when exiting (bsc#1106383)

Improve bash completion support (bsc#1155207)

  - shell-completion: systemctl: do not list template units     in {re,}start

  - shell-completion: systemctl: pass current word to all     list_unit*

  - bash-completion: systemctl: pass current partial unit to     list-unit* (bsc#1155207)

  - bash-completion: systemctl: use systemctl --no-pager

  - bash-completion: also suggest template unit files

  - bash-completion: systemctl: add missing options and     verbs

  - bash-completion: use the first argument instead of the     global variable (#6457)

networkd: VXLan Make group and remote variable separate (bsc#1156213)

networkd: vxlan require Remote= to be a non multicast address (#8117) (bsc#1156213)

fs-util: let's avoid unnecessary strerror()

fs-util: introduce inotify_add_watch_and_warn() helper

ask-password: improve log message when inotify limit is reached (bsc#1155574)

shared/install: failing with -ELOOP can be due to the use of an alias in install_error() (bsc#1151377)

man: alias names can't be used with enable command (bsc#1151377)

Add boot option to not use swap at system start (jsc#SLE-7689)

Allow YaST to select Iranian (Persian, Farsi) keyboard layout (bsc#1092920)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

It was discovered that systemd incorrectly handled certain PIDFile files. A local attacker could possibly use this issue to trick systemd into killing privileged processes. This issue only affected Ubuntu 16.04 LTS. (CVE-2018-16888)

It was discovered that systemd incorrectly handled certain udevadm trigger commands. A local attacker could possibly use this issue to cause systemd to consume resources, leading to a denial of service.
(CVE-2019-20386)

Jann Horn discovered that systemd incorrectly handled services that use the DynamicUser property. A local attacker could possibly use this issue to access resources owned by a different service in the future.
This issue only affected Ubuntu 18.04 LTS. (CVE-2019-3843, CVE-2019-3844)

Tavis Ormandy discovered that systemd incorrectly handled certain Polkit queries. A local attacker could use this issue to cause systemd to crash, resulting in a denial of service, or possibly execute arbitrary code and escalate privileges. (CVE-2020-1712).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for systemd fixes the following issues :

CVE-2020-1712 (bsc#bsc#1162108) Fix a heap use-after-free vulnerability, when asynchronous Polkit queries were performed while handling Dbus messages. A local unprivileged attacker could have abused this flaw to crash systemd services or potentially execute code and elevate their privileges, by sending specially crafted Dbus messages.

Unconfirmed fix for prevent hanging of systemctl during restart.
(bsc#1139459)

Fix warnings thrown during package installation. (bsc#1154043)

Fix for system-udevd prevent crash within OES2018. (bsc#1151506)

Fragments of masked units ought not be considered for 'NeedDaemonReload'. (bsc#1156482)

Wait for workers to finish when exiting. (bsc#1106383)

Improve log message when inotify limit is reached. (bsc#1155574)

Mention in the man pages that alias names are only effective after command 'systemctl enable'. (bsc#1151377)

Introduce function for reading virtual files in 'sysfs' and 'procfs'.
(bsc#1133495, bsc#1159814)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
137642	Photon OS 1.0: Systemd PHSA-2020-1.0-0301	Nessus	PhotonOS Local Security Checks	medium
136335	Photon OS 2.0: Systemd PHSA-2020-2.0-0235	Nessus	PhotonOS Local Security Checks	medium
136097	Photon OS 3.0: Systemd PHSA-2020-3.0-0083	Nessus	PhotonOS Local Security Checks	medium
135118	EulerOS Virtualization for ARM 64 3.0.6.0 : systemd (EulerOS-SA-2020-1331)	Nessus	Huawei Local Security Checks	medium
134793	EulerOS 2.0 SP8 : systemd (EulerOS-SA-2020-1301)	Nessus	Huawei Local Security Checks	medium
134597	GLSA-202003-20 : systemd: Heap use-after-free	Nessus	Gentoo Local Security Checks	medium
134058	Oracle Linux 8 : systemd (ELSA-2020-0575)	Nessus	Oracle Linux Local Security Checks	medium
134030	RHEL 8 : systemd (RHSA-2020:0575)	Nessus	Red Hat Local Security Checks	high
133942	RHEL 8 : systemd (RHSA-2020:0564)	Nessus	Red Hat Local Security Checks	high
133893	Fedora 30 : systemd (2020-f8e267d6d0)	Nessus	Fedora Local Security Checks	medium
133666	openSUSE Security Update : systemd (openSUSE-2020-208)	Nessus	SuSE Local Security Checks	medium
133552	Amazon Linux 2 : systemd (ALAS-2020-1388)	Nessus	Amazon Linux Local Security Checks	medium
133547	SUSE SLES12 Security Update : systemd (SUSE-SU-2020:0353-1)	Nessus	SuSE Local Security Checks	medium
133540	SUSE SLED15 / SLES15 Security Update : systemd (SUSE-SU-2020:0335-1)	Nessus	SuSE Local Security Checks	medium
133523	Ubuntu 16.04 LTS / 18.04 LTS / 19.10 : systemd vulnerabilities (USN-4269-1)	Nessus	Ubuntu Local Security Checks	medium
133520	SUSE SLED12 / SLES12 Security Update : systemd (SUSE-SU-2020:0331-1)	Nessus	SuSE Local Security Checks	medium

CVE-2020-1712

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Configuration 2

Tenable Plugins