ID CVE-2018-1049
Summary In systemd prior to 234 a race condition exists between .mount and .automount units such that automount requests from kernel may not be serviced by systemd resulting in kernel holding the mountpoint and any processes that try to use said mount will hang. A race condition like this may lead to denial of service, until mount points are unmounted.
References
Vulnerable Configurations
  • Freedesktop systemd 233
    cpe:2.3:a:freedesktop:systemd:233
  • Red Hat Enterprise Linux (RHEL) 7.0 (7)
    cpe:2.3:o:redhat:enterprise_linux:7.0
  • RedHat Enterprise Linux Desktop 7.0
    cpe:2.3:o:redhat:enterprise_linux_desktop:7.0
  • RedHat Enterprise Linux Server 7.0
    cpe:2.3:o:redhat:enterprise_linux_server:7.0
  • cpe:2.3:o:redhat:enterprise_linux_server:7.4
    cpe:2.3:o:redhat:enterprise_linux_server:7.4
  • RedHat Enterprise Linux Workstation 7.0
    cpe:2.3:o:redhat:enterprise_linux_workstation:7.0
CVSS
Base: 4.3
Impact:
Exploitability:
CWE CWE-362
CAPEC
  • Leveraging Race Conditions
    This attack targets a race condition occurring when multiple processes access and manipulate the same resource concurrently and the outcome of the execution depends on the particular order in which the access takes place. The attacker can leverage a race condition by "running the race", modifying the resource and modifying the normal execution flow. For instance a race condition can occur while accessing a file, the attacker can trick the system by replacing the original file with his version and cause the system to read the malicious file.
  • Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions
    This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. The typical example is the file access. The attacker can leverage a file access race condition by "running the race", meaning that he would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the attacker could do something such as replace the file and cause an escalation of privilege.
nessus via4
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20180131_SYSTEMD_ON_SL7_X.NASL
    description Security Fix(es) : - A race condition was found in systemd. This could result in automount requests not being serviced and processes using them could hang, causing denial of service. (CVE-2018-1049)
    last seen 2019-02-21
    modified 2018-12-27
    plugin id 106554
    published 2018-02-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=106554
    title Scientific Linux Security Update : systemd on SL7.x x86_64
  • NASL family PhotonOS Local Security Checks
    NASL id PHOTONOS_PHSA-2018-2_0-0076.NASL
    description An update of 'vim', 'blktrace', 'systemd' packages of Photon OS has been released.
    last seen 2019-02-21
    modified 2019-02-07
    plugin id 111960
    published 2018-08-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111960
    title Photon OS 2.0: Blktrace / Systemd / Vim PHSA-2018-2.0-0076 (deprecated)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2018-0260.NASL
    description An update for systemd is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The systemd packages contain systemd, a system and service manager for Linux, compatible with the SysV and LSB init scripts. It provides aggressive parallelism capabilities, uses socket and D-Bus activation for starting services, offers on-demand starting of daemons, and keeps track of processes using Linux cgroups. In addition, it supports snapshotting and restoring of the system state, maintains mount and automount points, and implements an elaborate transactional dependency-based service control logic. It can also work as a drop-in replacement for sysvinit. Security Fix(es) : * A race condition was found in systemd. This could result in automount requests not being serviced and processes using them could hang, causing denial of service. (CVE-2018-1049)
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 106566
    published 2018-02-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=106566
    title CentOS 7 : systemd (CESA-2018:0260)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2018-117.NASL
    description This update for systemd fixes several issues. This security issue was fixed : - CVE-2018-1049: Prevent race that can lead to DoS when using automounts (bsc#1076308). These non-security issues were fixed : - core: don't choke if a unit another unit triggers vanishes during reload - delta: don't ignore PREFIX when the given argument is PREFIX/SUFFIX - delta: extend skip logic to work on full directory paths (prefix+suffix) (bsc#1070428) - delta: check if a prefix needs to be skipped only once - delta: skip symlink paths when split-usr is enabled (#4591) - sysctl: use raw file descriptor in sysctl_write (#7753) - sd-netlink: don't take possession of netlink fd from caller on failure (bsc#1074254) - Fix the regexp used to detect broken by-id symlinks in /etc/crypttab It was missing the following case: '/dev/disk/by-id/cr_-xxx'. - sysctl: disable buffer while writing to /proc (bsc#1071558) - Use read_line() and LONG_LINE_MAX to read values configuration files. (bsc#1071558) - sysctl: no need to check for eof twice - def: add new constant LONG_LINE_MAX - fileio: add new helper call read_line() as bounded getline() replacement - service: Don't stop unneeded units needed by restarted service (#7526) (bsc#1066156) - gpt-auto-generator: fix the handling of the value returned by fstab_has_fstype() in add_swap() (#6280) - gpt-auto-generator: disable gpt auto logic for swaps if at least one is defined in fstab (bsc#897422) - fstab-util: introduce fstab_has_fstype() helper - fstab-generator: ignore root=/dev/nfs (#3591) - fstab-generator: don't process root= if it happens to be 'gpt-auto' (#3452) - virt: use XENFEAT_dom0 to detect the hardware domain (#6442, #6662) (#7581) (bsc#1048510) - analyze: replace --no-man with --man=no in the man page (bsc#1068251) - udev: net_setup_link: don't error out when we couldn't apply link config (#7328) - Add missing /etc/systemd/network directory - Fix parsing of features in detect_vm_xen_dom0 (#7890) (bsc#1048510) - sd-bus: use -- when passing arguments to ssh (#6706) - systemctl: make sure we terminate the bus connection first, and then close the pager (#3550) - sd-bus: bump message queue size (bsc#1075724) - tmpfiles: downgrade warning about duplicate line This update was imported from the SUSE:SLE-12-SP2:Update update project.
    last seen 2019-02-21
    modified 2018-02-01
    plugin id 106548
    published 2018-02-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=106548
    title openSUSE Security Update : systemd (openSUSE-2018-117)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3558-1.NASL
    description Karim Hossen & Thomas Imbert and Nelson William Gamazo Sanchez independently discovered that systemd-resolved incorrectly handled certain DNS responses. A remote attacker could possibly use this issue to cause systemd to temporarily stop responding, resulting in a denial of service. This issue only affected Ubuntu 16.04 LTS. (CVE-2017-15908) It was discovered that systemd incorrectly handled automounted volumes. A local attacker could possibly use this issue to cause applications to hang, resulting in a denial of service. (CVE-2018-1049). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 106620
    published 2018-02-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=106620
    title Ubuntu 14.04 LTS / 16.04 LTS : systemd vulnerabilities (USN-3558-1)
  • NASL family Huawei Local Security Checks
    NASL id EULEROS_SA-2018-1243.NASL
    description According to the version of the systemd packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerability : - In systemd prior to 234 a race condition exists between .mount and .automount units such that automount requests from kernel may not be serviced by systemd resulting in kernel holding the mountpoint and any processes that try to use said mount will hang. A race condition like this may lead to denial of service, until mount points are unmounted. (CVE-2018-1049) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-13
    plugin id 117552
    published 2018-09-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=117552
    title EulerOS Virtualization 2.5.0 : systemd (EulerOS-SA-2018-1243)
  • NASL family PhotonOS Local Security Checks
    NASL id PHOTONOS_PHSA-2018-1_0-0167.NASL
    description An update of 'vim', 'ntp', 'openjdk', 'libmspack', 'blktrace', 'systemd', 'perl' packages of Photon OS has been released.
    last seen 2019-02-21
    modified 2019-02-07
    plugin id 111946
    published 2018-08-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111946
    title Photon OS 1.0: Blktrace / Libmspack / Ntp / Openjdk / Perl / Systemd / Vim PHSA-2018-1.0-0167 (deprecated)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2018-0260.NASL
    description An update for systemd is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The systemd packages contain systemd, a system and service manager for Linux, compatible with the SysV and LSB init scripts. It provides aggressive parallelism capabilities, uses socket and D-Bus activation for starting services, offers on-demand starting of daemons, and keeps track of processes using Linux cgroups. In addition, it supports snapshotting and restoring of the system state, maintains mount and automount points, and implements an elaborate transactional dependency-based service control logic. It can also work as a drop-in replacement for sysvinit. Security Fix(es) : * A race condition was found in systemd. This could result in automount requests not being serviced and processes using them could hang, causing denial of service. (CVE-2018-1049)
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 106553
    published 2018-02-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=106553
    title RHEL 7 : systemd (RHSA-2018:0260)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2018-0260.NASL
    description From Red Hat Security Advisory 2018:0260 : An update for systemd is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The systemd packages contain systemd, a system and service manager for Linux, compatible with the SysV and LSB init scripts. It provides aggressive parallelism capabilities, uses socket and D-Bus activation for starting services, offers on-demand starting of daemons, and keeps track of processes using Linux cgroups. In addition, it supports snapshotting and restoring of the system state, maintains mount and automount points, and implements an elaborate transactional dependency-based service control logic. It can also work as a drop-in replacement for sysvinit. Security Fix(es) : * A race condition was found in systemd. This could result in automount requests not being serviced and processes using them could hang, causing denial of service. (CVE-2018-1049)
    last seen 2019-02-21
    modified 2018-08-15
    plugin id 106571
    published 2018-02-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=106571
    title Oracle Linux 7 : systemd (ELSA-2018-0260)
  • NASL family PhotonOS Local Security Checks
    NASL id PHOTONOS_PHSA-2018-2_0-0076_SYSTEMD.NASL
    description An update of the systemd package has been released.
    last seen 2019-02-08
    modified 2019-02-07
    plugin id 121972
    published 2019-02-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=121972
    title Photon OS 2.0: Systemd PHSA-2018-2.0-0076
  • NASL family Amazon Linux Local Security Checks
    NASL id AL2_ALAS-2018-961.NASL
    description Access to automounted volumes can lock up: A race condition was found in systemd. This could result in automount requests not being serviced and processes using them could hang, causing denial of service. (CVE-2018-1049)
    last seen 2019-02-21
    modified 2018-04-18
    plugin id 109129
    published 2018-04-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=109129
    title Amazon Linux 2 : systemd (ALAS-2018-961)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2018-0299-1.NASL
    description This update for systemd fixes several issues. This security issue was fixed : - CVE-2018-1049: Prevent race that can lead to DoS when using automounts (bsc#1076308). The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 106529
    published 2018-01-31
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=106529
    title SUSE SLED12 / SLES12 Security Update : systemd (SUSE-SU-2018:0299-1)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DLA-1580.NASL
    description systemd was found to suffer from multiple security vulnerabilities ranging from denial of service attacks to possible root privilege escalation. CVE-2018-1049 A race condition exists between .mount and .automount units such that automount requests from kernel may not be serviced by systemd resulting in kernel holding the mountpoint and any processes that try to use said mount will hang. A race condition like this may lead to denial of service, until mount points are unmounted. CVE-2018-15686 A vulnerability in unit_deserialize of systemd allows an attacker to supply arbitrary state across systemd re-execution via NotifyAccess. This can be used to improperly influence systemd execution and possibly lead to root privilege escalation. CVE-2018-15688 A buffer overflow vulnerability in the dhcp6 client of systemd allows a malicious dhcp6 server to overwrite heap memory in systemd-networkd, which is not enabled by default in Debian. For Debian 8 'Jessie', these problems have been fixed in version 215-17+deb8u8. We recommend that you upgrade your systemd packages. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-11
    plugin id 119039
    published 2018-11-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=119039
    title Debian DLA-1580-1 : systemd security update
  • NASL family PhotonOS Local Security Checks
    NASL id PHOTONOS_PHSA-2018-1_0-0167_SYSTEMD.NASL
    description An update of the systemd package has been released.
    last seen 2019-02-08
    modified 2019-02-07
    plugin id 121866
    published 2019-02-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=121866
    title Photon OS 1.0: Systemd PHSA-2018-1.0-0167
redhat via4
advisories
bugzilla
id 1534701
title CVE-2018-1049 systemd: automount: access to automounted volumes can lock up
oval
AND
  • OR
    • comment Red Hat Enterprise Linux 7 Client is installed
      oval oval:com.redhat.rhsa:tst:20140675001
    • comment Red Hat Enterprise Linux 7 Server is installed
      oval oval:com.redhat.rhsa:tst:20140675002
    • comment Red Hat Enterprise Linux 7 Workstation is installed
      oval oval:com.redhat.rhsa:tst:20140675003
    • comment Red Hat Enterprise Linux 7 ComputeNode is installed
      oval oval:com.redhat.rhsa:tst:20140675004
  • OR
    • AND
      • comment libgudev1 is earlier than 0:219-42.el7_4.7
        oval oval:com.redhat.rhsa:tst:20180260023
      • comment libgudev1 is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20162610014
    • AND
      • comment libgudev1-devel is earlier than 0:219-42.el7_4.7
        oval oval:com.redhat.rhsa:tst:20180260007
      • comment libgudev1-devel is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20162610010
    • AND
      • comment systemd is earlier than 0:219-42.el7_4.7
        oval oval:com.redhat.rhsa:tst:20180260009
      • comment systemd is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20162610008
    • AND
      • comment systemd-devel is earlier than 0:219-42.el7_4.7
        oval oval:com.redhat.rhsa:tst:20180260017
      • comment systemd-devel is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20162610022
    • AND
      • comment systemd-journal-gateway is earlier than 0:219-42.el7_4.7
        oval oval:com.redhat.rhsa:tst:20180260019
      • comment systemd-journal-gateway is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20162610020
    • AND
      • comment systemd-libs is earlier than 0:219-42.el7_4.7
        oval oval:com.redhat.rhsa:tst:20180260021
      • comment systemd-libs is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20162610006
    • AND
      • comment systemd-networkd is earlier than 0:219-42.el7_4.7
        oval oval:com.redhat.rhsa:tst:20180260013
      • comment systemd-networkd is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20162610016
    • AND
      • comment systemd-python is earlier than 0:219-42.el7_4.7
        oval oval:com.redhat.rhsa:tst:20180260005
      • comment systemd-python is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20162610012
    • AND
      • comment systemd-resolved is earlier than 0:219-42.el7_4.7
        oval oval:com.redhat.rhsa:tst:20180260015
      • comment systemd-resolved is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20162610018
    • AND
      • comment systemd-sysv is earlier than 0:219-42.el7_4.7
        oval oval:com.redhat.rhsa:tst:20180260011
      • comment systemd-sysv is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20162610024
rhsa
id RHSA-2018:0260
released 2018-01-31
severity Moderate
title RHSA-2018:0260: systemd security update (Moderate)
rpms
  • libgudev1-0:219-42.el7_4.7
  • libgudev1-devel-0:219-42.el7_4.7
  • systemd-0:219-42.el7_4.7
  • systemd-devel-0:219-42.el7_4.7
  • systemd-journal-gateway-0:219-42.el7_4.7
  • systemd-libs-0:219-42.el7_4.7
  • systemd-networkd-0:219-42.el7_4.7
  • systemd-python-0:219-42.el7_4.7
  • systemd-resolved-0:219-42.el7_4.7
  • systemd-sysv-0:219-42.el7_4.7
refmap via4
confirm https://bugzilla.redhat.com/show_bug.cgi?id=1534701
mlist [debian-lts-announce] 20181119 [SECURITY] [DLA 1580-1] systemd security update
sectrack 1041520
ubuntu USN-3558-1
Last major update 16-02-2018 - 16:29
Published 16-02-2018 - 16:29
Last modified 20-11-2018 - 06:29