ID CVE-2019-6454
Summary An issue was discovered in sd-bus in systemd 239. bus_process_object() in libsystemd/sd-bus/bus-objects.c allocates a variable-length stack buffer to temporarily store the object path of an incoming D-Bus message, so the size of that allocation is chosen by the sender. An unprivileged local user can exploit this by sending a specially crafted message to PID 1 with an oversized object path, moving the stack pointer past the stack guard pages into an unmapped memory region; the next write faults, systemd PID 1 crashes and the kernel panics (denial of service). Although the summary names systemd 239, the fixed packages listed below (215-17+deb8u10 on Debian 8, 219-62.el7_6.5 on RHEL 7) show that the same code is present in earlier releases; the fixes validate the received object path before it is processed.
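The following C program is an added example, not systemd's code and not taken from any advisory on this page. It models the pattern the summary describes: a scratch copy of the peer-supplied object path, sized by the path itself and placed on the stack, is walked upward through its parent paths; beside it sits a hardened variant that checks D-Bus object-path syntax and enforces a length cap before copying to the heap. The function names `count_parents_on_stack`, `count_parents_bounded` and `make_long_path`, the 4096-byte `BUS_PATH_SIZE_MAX` and the constructed 1 MiB input are assumptions chosen for illustration, not identifiers or values from systemd.

```c
#include <alloca.h>
#include <ctype.h>
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative cap on an object path. The limit systemd adopted is not
 * stated on this page; 4096 is an assumption chosen for the example. */
#define BUS_PATH_SIZE_MAX 4096

/* D-Bus object path syntax: starts with '/', elements of [A-Za-z0-9_]+
 * separated by single '/', no trailing '/' except for the root path "/". */
static bool object_path_is_valid(const char *p) {
        if (!p || p[0] != '/')
                return false;
        if (p[1] == '\0')
                return true;                      /* root path */
        for (const char *q = p + 1;;) {
                if (*q == '\0' || *q == '/')
                        return false;             /* empty element */
                while (*q && *q != '/') {
                        if (!isalnum((unsigned char) *q) && *q != '_')
                                return false;
                        q++;
                }
                if (*q == '\0')
                        return true;
                q++;                              /* step over '/' */
        }
}

/* Walk from the object path up to the root, truncating the writable copy at
 * each '/', and count the ancestor paths visited. This models the prefix
 * walk an object dispatcher performs to find fallback handlers. */
static size_t count_parents(char *copy) {
        size_t n = 0;
        for (;;) {
                char *slash = strrchr(copy, '/');
                if (!slash)
                        break;
                if (slash == copy) {
                        if (copy[1] != '\0')
                                n++;              /* "/" is an ancestor of everything else */
                        break;
                }
                *slash = '\0';
                n++;
        }
        return n;
}

/* VULNERABLE PATTERN: the scratch copy lives on the stack and its size is
 * taken from the peer-supplied path. A path large enough moves the stack
 * pointer past the guard page; the first write into the copy then faults. */
size_t count_parents_on_stack(const char *path) {
        size_t len = strlen(path);
        char *copy = alloca(len + 1);             /* unbounded stack growth */
        memcpy(copy, path, len + 1);
        return count_parents(copy);
}

/* HARDENED PATTERN: reject oversized or malformed paths before any
 * allocation, then use the heap for the scratch copy. */
int count_parents_bounded(const char *path, size_t *ret) {
        if (!path)
                return -EINVAL;
        size_t len = strlen(path);
        if (len >= BUS_PATH_SIZE_MAX)
                return -ENAMETOOLONG;
        if (!object_path_is_valid(path))
                return -EINVAL;
        char *copy = malloc(len + 1);
        if (!copy)
                return -ENOMEM;
        memcpy(copy, path, len + 1);
        *ret = count_parents(copy);
        free(copy);
        return 0;
}

/* Constructed input: a syntactically valid path "/a/a/a..." of the requested
 * (even) length, standing in for the object path of a crafted message. */
char *make_long_path(size_t len) {
        char *p = malloc(len + 1);
        if (!p)
                return NULL;
        for (size_t i = 0; i < len; i++)
                p[i] = (i % 2 == 0) ? '/' : 'a';
        p[len] = '\0';
        return p;
}

int main(void) {
        size_t n = 0;
        const char *ok = "/org/freedesktop/systemd1/unit/foo";
        int rc = count_parents_bounded(ok, &n);
        printf("%s -> rc=%d parents=%zu\n", ok, rc, n);

        char *huge = make_long_path(1u << 20);    /* 1 MiB path, constructed */
        rc = count_parents_bounded(huge, &n);
        printf("1 MiB path -> rc=%d (%s)\n", rc, rc == -ENAMETOOLONG ? "rejected" : "accepted");
        /* count_parents_on_stack(huge) is the crash the summary describes when
         * the caller is PID 1; it is deliberately not invoked here. */
        free(huge);
        return 0;
}
```

Compile with `cc -Wall` and run: the bounded variant rejects the 1 MiB path with `-ENAMETOOLONG` before any allocation, while the stack variant is only ever called on short paths. The point of the pair is the CWE-119 root cause (an untrusted length driving a stack allocation); the practical check on a host remains the installed package version against the advisories listed below.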
References
Vulnerable Configurations
  • freedesktop systemd 239
    cpe:2.3:a:freedesktop:systemd:239
  • openSUSE Leap 15.0
    cpe:2.3:o:opensuse:leap:15.0
  • NetApp Active IQ Performance Analytics Services
    cpe:2.3:a:netapp:active_iq_performance_analytics_services
  • Debian Linux 8.0 (Jessie)
    cpe:2.3:o:debian:debian_linux:8.0
  • Debian Linux 9.0
    cpe:2.3:o:debian:debian_linux:9.0
  • Fedora 29
    cpe:2.3:o:fedoraproject:fedora:29
  • Canonical Ubuntu Linux 16.04 LTS (Long-Term Support)
    cpe:2.3:o:canonical:ubuntu_linux:16.04:-:-:-:lts
  • Canonical Ubuntu Linux 18.04 LTS Edition
    cpe:2.3:o:canonical:ubuntu_linux:18.04:-:-:-:lts
  • Canonical Ubuntu Linux 18.10
    cpe:2.3:o:canonical:ubuntu_linux:18.10
  • RedHat Enterprise Linux Desktop 7.0
    cpe:2.3:o:redhat:enterprise_linux_desktop:7.0
  • RedHat Enterprise Linux Server 7.0
    cpe:2.3:o:redhat:enterprise_linux_server:7.0
  • Red Hat Enterprise Linux Server Advanced mission critical Update Support (AUS) 7.6
    cpe:2.3:o:redhat:enterprise_linux_server_aus:7.6
  • Red Hat Enterprise Linux Server Extended Update Support (EUS) 7.6
    cpe:2.3:o:redhat:enterprise_linux_server_eus:7.6
  • Red Hat Enterprise Linux Server Telecommunications Update Service (TUS) 7.6
    cpe:2.3:o:redhat:enterprise_linux_server_tus:7.6
  • RedHat Enterprise Linux Workstation 7.0
    cpe:2.3:o:redhat:enterprise_linux_workstation:7.0
CVSS
Base: 4.9
Impact:
Exploitability:
CWE CWE-119
CAPEC
  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • Client-side Injection-induced Buffer Overflow
    This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
  • Filter Failure through Buffer Overflow
    In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
  • MIME Conversion
    An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.
  • Overflow Binary Resource File
    An attack of this type exploits a buffer overflow vulnerability in the handling of binary resources. Binary resources may include music files like MP3, image files like JPEG files, and any other binary file. These attacks may pass unnoticed to the client machine through normal usage of files, such as a browser loading a seemingly innocent JPEG file. This can allow the attacker access to the execution stack and execute arbitrary code in the target process. This attack pattern is a variant of standard buffer overflow attacks using an unexpected vector (binary files) to wrap its attack and open up a new attack vector. The attacker is required to either directly serve the binary content to the victim, or place it in a locale like a MP3 sharing application, for the victim to download. The attacker then is notified upon the download or otherwise locates the vulnerability opened up by the buffer overflow.
  • Buffer Overflow via Symbolic Links
    This type of attack leverages the use of symbolic links to cause buffer overflows. An attacker can try to create or manipulate a symbolic link file such that its contents result in out of bounds data. When the target software processes the symbolic link file, it could potentially overflow internal buffers with insufficient bounds checking.
  • Overflow Variables and Tags
    This type of attack leverages the use of tags or variables from a formatted configuration data to cause buffer overflow. The attacker crafts a malicious HTML page or configuration file that includes oversized strings, thus causing an overflow.
  • Buffer Overflow via Parameter Expansion
    In this attack, the target software is given input that the attacker knows will be modified and expanded in size during processing. This attack relies on the target software failing to anticipate that the expanded data may exceed some internal limit, thereby creating a buffer overflow.
  • Buffer Overflow in an API Call
    This attack targets libraries or shared code modules which are vulnerable to buffer overflow attacks. An attacker who has access to an API may try to embed malicious code in the API function call and exploit a buffer overflow vulnerability in the function's implementation. All clients that make use of the code library thus become vulnerable by association. This has a very broad effect on security across a system, usually affecting more than one software process.
  • Buffer Overflow in Local Command-Line Utilities
    This attack targets command-line utilities available in a number of shells. An attacker can leverage a vulnerability found in a command-line utility to escalate privilege to root.
nessus via4
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3891-1.NASL
    description It was discovered that systemd incorrectly handled certain D-Bus messages. A local unprivileged attacker could exploit this in order to crash the init process, resulting in a system denial-of-service (kernel panic). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2019-02-19
    plugin id 122314
    published 2019-02-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=122314
    title Ubuntu 16.04 LTS / 18.04 LTS / 18.10 : systemd vulnerability (USN-3891-1)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2019-0425-1.NASL
    description This update for systemd fixes the following issues : Security vulnerability fixed : CVE-2019-6454: Fixed a crash of PID1 by sending specially crafted D-BUS message on the system bus by an unprivileged user (bsc#1125352) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2019-02-19
    plugin id 122311
    published 2019-02-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=122311
    title SUSE SLES12 Security Update : systemd (SUSE-SU-2019:0425-1)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2019-0368.NASL
    description An update for systemd is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The systemd packages contain systemd, a system and service manager for Linux, compatible with the SysV and LSB init scripts. It provides aggressive parallelism capabilities, uses socket and D-Bus activation for starting services, offers on-demand starting of daemons, and keeps track of processes using Linux cgroups. In addition, it supports snapshotting and restoring of the system state, maintains mount and automount points, and implements an elaborate transactional dependency-based service control logic. It can also work as a drop-in replacement for sysvinit. Security Fix(es) : * systemd: Insufficient input validation in bus_process_object() resulting in PID 1 crash (CVE-2019-6454) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
    last seen 2019-02-22
    modified 2019-02-21
    plugin id 122350
    published 2019-02-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=122350
    title CentOS 7 : systemd (CESA-2019:0368)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2019-0426-1.NASL
    description This update for systemd fixes the following issues : CVE-2019-6454: Overlong DBUS messages could be used to crash systemd (bsc#1125352) units: make sure initrd-cleanup.service terminates before switching to rootfs (bsc#1123333) logind: fix bad error propagation login: log session state 'closing' (as well as New/Removed) logind: fix borked r check login: don't remove all devices from PID1 when only one was removed login: we only allow opening character devices login: correct comment in session_device_free() login: remember that fds received from PID1 need to be removed eventually login: fix FDNAME in call to sd_pid_notify_with_fds() logind: fd 0 is a valid fd logind: rework sd_eviocrevoke() logind: check file is device node before using .st_rdev logind: use the new FDSTOREREMOVE=1 sd_notify() message (bsc#1124153) core: add a new sd_notify() message for removing fds from the FD store again logind: make sure we don't trip up on half-initialized session devices (bsc#1123727) fd-util: accept that kcmp might fail with EPERM/EACCES core: Fix use after free case in load_from_path() (bsc#1121563) core: include Found state in device dumps device: fix serialization and deserialization of DeviceFound fix path in btrfs rule (#6844) assemble multidevice btrfs volumes without external tools (#6607) (bsc#1117025) Update systemd-system.conf.xml (bsc#1122000) units: inform user that the default target is started after exiting from rescue or emergency mode core: free lines after reading them (bsc#1123892) sd-bus: if we receive an invalid dbus message, ignore and proceed automount: don't pass non-blocking pipe to kernel. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2019-02-19
    plugin id 122312
    published 2019-02-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=122312
    title SUSE SLED15 / SLES15 Security Update : systemd (SUSE-SU-2019:0426-1)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2019-0368.NASL
    description From Red Hat Security Advisory 2019:0368 : An update for systemd is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The systemd packages contain systemd, a system and service manager for Linux, compatible with the SysV and LSB init scripts. It provides aggressive parallelism capabilities, uses socket and D-Bus activation for starting services, offers on-demand starting of daemons, and keeps track of processes using Linux cgroups. In addition, it supports snapshotting and restoring of the system state, maintains mount and automount points, and implements an elaborate transactional dependency-based service control logic. It can also work as a drop-in replacement for sysvinit. Security Fix(es) : * systemd: Insufficient input validation in bus_process_object() resulting in PID 1 crash (CVE-2019-6454) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
    last seen 2019-02-21
    modified 2019-02-20
    plugin id 122325
    published 2019-02-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=122325
    title Oracle Linux 7 : systemd (ELSA-2019-0368)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2019-0424-1.NASL
    description This update for systemd fixes the following issues : Security vulnerability fixed : CVE-2019-6454: Fixed a crash of PID1 by sending specially crafted D-BUS message on the system bus by an unprivileged user (bsc#1125352) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2019-02-19
    plugin id 122310
    published 2019-02-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=122310
    title SUSE SLES12 Security Update : systemd (SUSE-SU-2019:0424-1)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DLA-1684.NASL
    description Chris Coulson discovered a flaw in systemd leading to denial of service. An unprivileged user could take advantage of this issue to crash PID1 by sending a specially crafted D-Bus message on the system bus. For Debian 8 'Jessie', this problem has been fixed in version 215-17+deb8u10. We recommend that you upgrade your systemd packages. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2019-02-20
    plugin id 122319
    published 2019-02-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=122319
    title Debian DLA-1684-1 : systemd security update
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2019-8434288A24.NASL
    description - Prevent buffer overread in systemd-udevd - Properly validate dbus paths received over dbus (#1678394, CVE-2019-6454) No need to log out or reboot. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-23
    modified 2019-02-22
    plugin id 122371
    published 2019-02-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=122371
    title Fedora 29 : systemd (2019-8434288a24)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-4393.NASL
    description Chris Coulson discovered a flaw in systemd leading to denial of service. An unprivileged user could take advantage of this issue to crash PID1 by sending a specially crafted D-Bus message on the system bus.
    last seen 2019-02-21
    modified 2019-02-19
    plugin id 122270
    published 2019-02-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=122270
    title Debian DSA-4393-1 : systemd - security update
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2019-0368.NASL
    description An update for systemd is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The systemd packages contain systemd, a system and service manager for Linux, compatible with the SysV and LSB init scripts. It provides aggressive parallelism capabilities, uses socket and D-Bus activation for starting services, offers on-demand starting of daemons, and keeps track of processes using Linux cgroups. In addition, it supports snapshotting and restoring of the system state, maintains mount and automount points, and implements an elaborate transactional dependency-based service control logic. It can also work as a drop-in replacement for sysvinit. Security Fix(es) : * systemd: Insufficient input validation in bus_process_object() resulting in PID 1 crash (CVE-2019-6454) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
    last seen 2019-02-21
    modified 2019-02-20
    plugin id 122334
    published 2019-02-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=122334
    title RHEL 7 : systemd (RHSA-2019:0368)
  • NASL family Amazon Linux Local Security Checks
    NASL id AL2_ALAS-2019-1164.NASL
    description It was found that bus_process_object() in bus-objects.c allocates a buffer on the stack large enough to temporarily store the object path specified in the incoming message. A malicious unprivileged local user can send a message which results in the stack pointer moving outside of the bounds of the currently mapped stack region, jumping over the stack guard pages. A specifically crafted D-Bus message could crash PID 1 and result in a subsequent kernel panic. (CVE-2019-6454)
    last seen 2019-02-21
    modified 2019-02-19
    plugin id 122261
    published 2019-02-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=122261
    title Amazon Linux 2 : systemd (ALAS-2019-1164)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2019-0428-1.NASL
    description This update for systemd fixes the following issues : Security vulnerability fixed : CVE-2019-6454: Fixed a crash of PID1 by sending specially crafted D-BUS message on the system bus by an unprivileged user (bsc#1125352) Other bug fixes and changes: journal-remote: set a limit on the number of fields in a message journal-remote: verify entry length from header journald: set a limit on the number of fields (1k) journald: do not store the iovec entry for process commandline on stack core: include Found state in device dumps device: fix serialization and deserialization of DeviceFound fix path in btrfs rule (#6844) assemble multidevice btrfs volumes without external tools (#6607) (bsc#1117025) Update systemd-system.conf.xml (bsc#1122000) units: inform user that the default target is started after exiting from rescue or emergency mode manager: don't skip sigchld handler for main and control pid for services (#3738) core: Add helper functions unit_{main, control}_pid manager: Fixing a debug printf formatting mistake (#3640) manager: Only invoke a single sigchld per unit within a cleanup cycle (bsc#1117382) core: update invoke_sigchld_event() to handle NULL ->sigchld_event() sd-event: expose the event loop iteration counter via sd_event_get_iteration() (#3631) unit: rework a bit how we keep the service fdstore from being destroyed during service restart (bsc#1122344) core: when restarting services, don't close fds cryptsetup: Add dependency on loopback setup to generated units journal-gateway: use localStorage['cursor'] only when it has valid value journal-gateway: explicitly declare local variables analyze: actually select longest activated-time of services sd-bus: fix implicit downcast of bitfield reported by LGTM core: free lines after reading them (bsc#1123892) pam_systemd: reword message about not creating a session (bsc#1111498) pam_systemd: suppress LOG_DEBUG log messages if debugging is off (bsc#1111498) main: improve RLIMIT_NOFILE handling (#5795) (bsc#1120658) sd-bus: if we receive an invalid dbus message, ignore and proceed automount: don't pass non-blocking pipe to kernel. units: make sure initrd-cleanup.service terminates before switching to rootfs (bsc#1123333) units: add Wants=initrd-cleanup.service to initrd-switch-root.target (#4345) (bsc#1123333) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2019-02-20
    plugin id 122340
    published 2019-02-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=122340
    title SUSE SLED12 / SLES12 Security Update : systemd (SUSE-SU-2019:0428-1)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20190221_SYSTEMD_ON_SL7_X.NASL
    description Security Fix(es) : - systemd: Insufficient input validation in bus_process_object() resulting in PID 1 crash (CVE-2019-6454)
    last seen 2019-02-23
    modified 2019-02-22
    plugin id 122392
    published 2019-02-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=122392
    title Scientific Linux Security Update : systemd on SL7.x x86_64
redhat via4
advisories
bugzilla
id 1667032
title CVE-2019-6454 systemd: Insufficient input validation in bus_process_object() resulting in PID 1 crash
oval
AND
  • OR
    • comment Red Hat Enterprise Linux 7 Client is installed
      oval oval:com.redhat.rhsa:tst:20140675001
    • comment Red Hat Enterprise Linux 7 Server is installed
      oval oval:com.redhat.rhsa:tst:20140675002
    • comment Red Hat Enterprise Linux 7 Workstation is installed
      oval oval:com.redhat.rhsa:tst:20140675003
    • comment Red Hat Enterprise Linux 7 ComputeNode is installed
      oval oval:com.redhat.rhsa:tst:20140675004
  • OR
    • AND
      • comment libgudev1 is earlier than 0:219-62.el7_6.5
        oval oval:com.redhat.rhsa:tst:20190368017
      • comment libgudev1 is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20162610014
    • AND
      • comment libgudev1-devel is earlier than 0:219-62.el7_6.5
        oval oval:com.redhat.rhsa:tst:20190368021
      • comment libgudev1-devel is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20162610010
    • AND
      • comment systemd is earlier than 0:219-62.el7_6.5
        oval oval:com.redhat.rhsa:tst:20190368007
      • comment systemd is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20162610008
    • AND
      • comment systemd-devel is earlier than 0:219-62.el7_6.5
        oval oval:com.redhat.rhsa:tst:20190368009
      • comment systemd-devel is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20162610022
    • AND
      • comment systemd-journal-gateway is earlier than 0:219-62.el7_6.5
        oval oval:com.redhat.rhsa:tst:20190368011
      • comment systemd-journal-gateway is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20162610020
    • AND
      • comment systemd-libs is earlier than 0:219-62.el7_6.5
        oval oval:com.redhat.rhsa:tst:20190368023
      • comment systemd-libs is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20162610006
    • AND
      • comment systemd-networkd is earlier than 0:219-62.el7_6.5
        oval oval:com.redhat.rhsa:tst:20190368019
      • comment systemd-networkd is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20162610016
    • AND
      • comment systemd-python is earlier than 0:219-62.el7_6.5
        oval oval:com.redhat.rhsa:tst:20190368013
      • comment systemd-python is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20162610012
    • AND
      • comment systemd-resolved is earlier than 0:219-62.el7_6.5
        oval oval:com.redhat.rhsa:tst:20190368005
      • comment systemd-resolved is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20162610018
    • AND
      • comment systemd-sysv is earlier than 0:219-62.el7_6.5
        oval oval:com.redhat.rhsa:tst:20190368015
      • comment systemd-sysv is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20162610024
rhsa
id RHSA-2019:0368
released 2019-02-19
severity Important
title RHSA-2019:0368: systemd security update (Important)
rpms
  • libgudev1-0:219-62.el7_6.5
  • libgudev1-devel-0:219-62.el7_6.5
  • systemd-0:219-62.el7_6.5
  • systemd-devel-0:219-62.el7_6.5
  • systemd-journal-gateway-0:219-62.el7_6.5
  • systemd-libs-0:219-62.el7_6.5
  • systemd-networkd-0:219-62.el7_6.5
  • systemd-python-0:219-62.el7_6.5
  • systemd-resolved-0:219-62.el7_6.5
  • systemd-sysv-0:219-62.el7_6.5
refmap via4
bid 107081
confirm
debian DSA-4393-1
fedora FEDORA-2019-8434288a24
misc https://github.com/systemd/systemd/commits/master/src/libsystemd/sd-bus/bus-objects.c
mlist
  • [SECURITY] [DLA 1684-1] 20190219 systemd security update
  • [oss-security] 20190218 CVE-2019-6454: systemd (PID1) crash with specially crafted D-Bus message
  • [oss-security] 20190219 CVE-2019-6454: systemd (PID1) crash with specially crafted D-Bus message
suse SUSE-SA:2019:0255-1
ubuntu USN-3891-1
Last major update 21-03-2019 - 12:01
Published 21-03-2019 - 12:01
Last modified 10-04-2019 - 04:29