Vulnerability CVE-2019-3844


Published: 2019-04-26

Description:
It was discovered that a systemd service that uses the DynamicUser= property can gain new privileges through the execution of SUID binaries, which allows it to create binaries owned by the service's transient group with the setgid bit set. A local attacker may use this flaw to access resources that will be owned by a potentially different service in the future, when the GID is recycled.
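The practical consequence of the description above is that a setgid (or setuid) file tied to a transient UID/GID can outlive the service that created it. The following script is an added example, not code from this page or from the systemd project: it lists SUID/SGID files whose owner or group falls in the UID/GID range systemd.exec(5) documents for DynamicUser= allocations (61184 through 65519). It assumes GNU find(1) with -printf, and the sample output embedded in it is constructed for illustration, not captured from a real host.

```python
#!/usr/bin/env python3
"""Find SUID/SGID files owned by a systemd DynamicUser= UID or GID.

systemd.exec(5) documents that DynamicUser= allocates transient users and
groups from the UID/GID range 61184..65519.  A setuid or setgid file whose
owner or group sits in that range outlives the service that created it and
can be picked up by whichever service is later assigned the same ID.
"""
import stat
import subprocess
import sys

# Range documented in systemd.exec(5) for DynamicUser= allocations.
DYNAMIC_ID_MIN = 61184
DYNAMIC_ID_MAX = 65519

# GNU find -printf layout: permission bits (octal), numeric UID, numeric GID, path.
FIND_PRINTF = r"%m %U %G %p\n"


def is_dynamic_id(ident):
    """True if a UID or GID falls in systemd's DynamicUser= allocation range."""
    return DYNAMIC_ID_MIN <= ident <= DYNAMIC_ID_MAX


def classify(mode, uid, gid, path):
    """Return a finding for a SUID/SGID file tied to a dynamic ID, else None.

    A setuid bit only matters if the owner is dynamic; a setgid bit only if
    the group is.  A root-owned setuid binary is therefore not reported here.
    """
    issues = []
    if mode & stat.S_ISUID and is_dynamic_id(uid):
        issues.append("setuid to dynamic UID %d" % uid)
    if mode & stat.S_ISGID and is_dynamic_id(gid):
        issues.append("setgid to dynamic GID %d" % gid)
    if not issues:
        return None
    return {"path": path, "mode": "%04o" % mode, "uid": uid, "gid": gid, "issues": issues}


def parse_find_output(text):
    """Parse lines in the FIND_PRINTF layout and return the list of findings."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        # maxsplit=3 keeps paths that contain spaces intact.
        mode_s, uid_s, gid_s, path = line.split(" ", 3)
        finding = classify(int(mode_s, 8), int(uid_s), int(gid_s), path)
        if finding:
            findings.append(finding)
    return findings


def scan(root="/"):
    """Run find(1) over one filesystem and return findings for SUID/SGID files.

    -perm /6000 selects files with either the setuid or the setgid bit set;
    -xdev keeps the walk on the starting filesystem.
    """
    cmd = ["find", root, "-xdev", "-type", "f", "-perm", "/6000", "-printf", FIND_PRINTF]
    out = subprocess.run(cmd, capture_output=True, text=True, check=False).stdout
    return parse_find_output(out)


# Constructed sample in the FIND_PRINTF layout (illustrative, not real output from any host).
SAMPLE_FIND_OUTPUT = """\
4755 0 0 /usr/bin/sudo
2755 0 5 /usr/bin/wall
2755 61234 61234 /var/lib/private/example-svc/helper
6755 61500 0 /tmp/.x/odd name
"""

if __name__ == "__main__":
    # With a path argument the host is scanned; without one the sample is classified.
    target = sys.argv[1] if len(sys.argv) > 1 else None
    results = scan(target) if target else parse_find_output(SAMPLE_FIND_OUTPUT)
    for f in results:
        print("%s %s uid=%d gid=%d: %s"
              % (f["mode"], f["path"], f["uid"], f["gid"], "; ".join(f["issues"])))
```

Run it as root with a mount point argument for a real scan; on the constructed sample it reports only the two entries bound to a dynamic ID and ignores the root-owned setuid binaries. As a hardening step on a unit that uses DynamicUser=, NoNewPrivileges=yes prevents execve from granting privileges through setuid/setgid bits or file capabilities, which removes the path the description gives; it complements, rather than replaces, updating systemd.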

See advisories in our WLB2 database:
Topic: systemd DynamicUser SetUID Binary Creation
Author: Jann Horn
Date: 26.04.2019
Risk: Med.

Type: CWE-264 (Permissions, Privileges, and Access Controls)

Vendor: Freedesktop
Product: Systemd
Version: 2 through 9, 18 through 44, 177 through 241 (the listing is truncated; see more versions on NVD)

CVSS2 => (AV:L/AC:L/Au:N/C:P/I:P/A:P)

CVSS Base Score: 4.6/10
Impact Subscore: 6.4/10
Exploitability Subscore: 3.9/10
Exploit range: Local
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

References:
http://www.securityfocus.com/bid/108096
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3844
https://security.netapp.com/advisory/ntap-20190619-0002/

Related CVE
CVE-2018-21009: Poppler before 0.76.0 has an integer overflow in Parser::makeStream in Parser.cc.
CVE-2019-15718: In systemd 240, bus_open_system_watch_bind_with_description in shared/bus-util.c (as used by systemd-resolved to connect to the system D-Bus instance), calls sd_bus_set_trusted, which disables access controls for incoming D-Bus messages. An unprivile...
CVE-2019-14494: An issue was discovered in Poppler through 0.78.0. There is a divide-by-zero error in the function SplashOutputDev::tilingPatternFill at SplashOutputDev.cc.
CVE-2019-9959: The JPXStream::init function in Poppler 0.78.0 and earlier doesn't check for negative values of stream length, leading to an Integer Overflow, thereby making it possible to allocate a large memory chunk on the heap, with a size controlled by an attac...
CVE-2019-12293: In Poppler through 0.76.1, there is a heap-based buffer over-read in JPXStream::init in JPEG2000Stream.cc via data with inconsistent heights or widths.
CVE-2018-20839: systemd 242 changes the VT1 mode upon a logout, which allows attackers to read cleartext passwords in certain circumstances, such as watching a shutdown, or using Ctrl-Alt-F1 and Ctrl-Alt-F2. This occurs because the KDGKBMODE (aka current keyboard mo...
CVE-2019-3843: It was discovered that a systemd service that uses DynamicUser property can create a SUID/SGID binary that would be allowed to run as the transient service UID/GID even after the service is terminated. A local attacker may use this flaw to access res...
CVE-2019-11026: FontInfoScanner::scanFonts in FontInfo.cc in Poppler 0.75.0 has infinite recursion, leading to a call to the error function in Error.cc.

Copyright 2019, cxsecurity.com
