Amazon Linux 2 : systemd (ALAS-2021-1643) (deprecated)

critical Nessus Plugin ID 149869
New! Plugin Severity Now Using CVSS v3

The calculated severity for Plugins has been updated to use CVSS v3 by default. Plugins that do not have a CVSS v3 score will fall back to CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.

Synopsis

This plugin has been deprecated.

Description

The version of systemd installed on the remote host is prior to 219-78. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2021-1643 advisory.

- A vulnerability in unit_deserialize of systemd allows an attacker to supply arbitrary state across systemd re-execution via NotifyAccess. This can be used to improperly influence systemd execution and possibly lead to root privilege escalation. Affected releases are systemd versions up to and including 239.
(CVE-2018-15686)

- An allocation of memory without limits, that could result in the stack clashing with another memory region, was discovered in systemd-journald when a program with long command line arguments calls syslog. A local attacker may use this flaw to crash systemd-journald or escalate his privileges. Versions through v240 are vulnerable. (CVE-2018-16864)

- An out of bounds read was discovered in systemd-journald in the way it parses log messages that terminate with a colon ':'. A local attacker can use this flaw to disclose process memory data. Versions from v221 to v239 are vulnerable. (CVE-2018-16866)

- It was discovered systemd does not correctly check the content of PIDFile files before using it to kill processes. When a service is run from an unprivileged user (e.g. User field set in the service file), a local attacker who is able to write to the PIDFile of the mentioned service may use this flaw to trick systemd into killing other services and/or privileged processes. Versions before v237 are vulnerable.
(CVE-2018-16888)

- An issue was discovered in button_open in login/logind-button.c in systemd before 243. When executing the udevadm trigger command, a memory leak may occur. (CVE-2019-20386)

- A memory leak was discovered in the backport of fixes for CVE-2018-16864 in Red Hat Enterprise Linux.
Function dispatch_message_real() in journald-server.c does not free the memory allocated by set_iovec_field_free() to store the `_CMDLINE=` entry. A local attacker may use this flaw to make systemd- journald crash. This issue only affects versions shipped with Red Hat Enterprise since v219-62.2.
(CVE-2019-3815)

- An issue was discovered in sd-bus in systemd 239. bus_process_object() in libsystemd/sd-bus/bus-objects.c allocates a variable-length stack buffer for temporarily storing the object path of incoming D-Bus messages. An unprivileged local user can exploit this by sending a specially crafted message to PID1, causing the stack pointer to jump over the stack guard pages into an unmapped memory region and trigger a denial of service (systemd PID1 crash and kernel panic). (CVE-2019-6454)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

See Also

https://alas.aws.amazon.com/AL2/ALAS-2021-1643.html

https://access.redhat.com/security/cve/CVE-2018-15686

https://access.redhat.com/security/cve/CVE-2018-16866

https://access.redhat.com/security/cve/CVE-2018-16888

https://access.redhat.com/security/cve/CVE-2019-20386

https://access.redhat.com/security/cve/CVE-2019-3815

https://access.redhat.com/security/cve/CVE-2019-6454

Plugin Details

Severity: Critical

ID: 149869

File Name: al2_ALAS-2021-1643.nasl

Version: 1.5

Type: local

Agent: unix

Published: 5/24/2021

Updated: 6/11/2021

Dependencies: ssh_get_info.nasl

Risk Information

CVSS Score Source: CVE-2018-15686

VPR

Risk Factor: High

Score: 7.4

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.8

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: E:POC/RL:OF/RC:C

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: E:P/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:amazon:linux:libgudev1, p-cpe:/a:amazon:linux:libgudev1-devel, p-cpe:/a:amazon:linux:systemd, p-cpe:/a:amazon:linux:systemd-debuginfo, p-cpe:/a:amazon:linux:systemd-devel, p-cpe:/a:amazon:linux:systemd-journal-gateway, p-cpe:/a:amazon:linux:systemd-libs, p-cpe:/a:amazon:linux:systemd-networkd, p-cpe:/a:amazon:linux:systemd-python, p-cpe:/a:amazon:linux:systemd-resolved, p-cpe:/a:amazon:linux:systemd-sysv, cpe:/o:amazon:linux:2

Required KB Items: Host/local_checks_enabled, Host/AmazonLinux/release, Host/AmazonLinux/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 5/20/2021

Vulnerability Publication Date: 10/26/2018

Reference Information

CVE: CVE-2018-15686, CVE-2018-16864, CVE-2018-16866, CVE-2018-16888, CVE-2019-3815, CVE-2019-6454, CVE-2019-20386

ALAS: 2021-1643