D-Bus Messaging Vulnerability in Systemd 240 Affects Red Hat and Fedora
CVE-2019-15718

4.4 MEDIUM

Key Information:

CVE Published: 4 September 2019

What is CVE-2019-15718?

systemd version 240 ships a flawed helper in shared/bus-util.c. The function bus_open_system_watch_bind_with_description, which systemd-resolved uses to connect to the system D-Bus instance, calls sd_bus_set_trusted on that connection. A trusted connection tells sd-bus to skip its caller-privilege check, so incoming method calls are dispatched to their handlers even when the method is not flagged as unprivileged and the sender is not root. The practical effect is that a local, unprivileged user can invoke resolved methods that should be reserved for privileged callers and change the system's DNS resolver settings, for example the DNS servers and search domains used for name resolution. Only the 240 release carries the flawed call.
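The check a practitioner would want is to ask systemd-resolved, as an unprivileged user, to run a method that should be reserved for root and see whether sd-bus refuses it. The POSIX shell probe below is an added example, not part of this advisory and not code from the systemd project. Its assumptions, which you should confirm against the vtable of the resolved build you are testing: org.freedesktop.resolve1.Manager.RevertLink carries no unprivileged flag on systemd 240, so a non-root caller must be refused before the handler runs, and interface index 0 is invalid, so on a vulnerable host the handler fails harmlessly instead of reverting a real link. The classifier's error-string matching is likewise an assumption about busctl's output.

```shell
#!/bin/sh
# Probe for CVE-2019-15718: on systemd 240, systemd-resolved's system-bus
# connection is marked trusted, so sd-bus skips the root-only check on
# privileged methods. Added example; not from the advisory or from systemd.

RESOLVE1_SERVICE=org.freedesktop.resolve1
RESOLVE1_PATH=/org/freedesktop/resolve1
RESOLVE1_IFACE=org.freedesktop.resolve1.Manager
PROBE_METHOD=RevertLink   # assumption: privileged (no UNPRIVILEGED flag) on v240
PROBE_IFINDEX=0           # assumption: rejected as invalid by the handler

# Extract the numeric release from the first line of `systemctl --version`
# (e.g. "systemd 240 (240)" -> 240). Prints nothing if the line is unparsable.
parse_systemd_version() {
    printf '%s\n' "$1" | sed -n 's/^systemd \([0-9][0-9]*\).*/\1/p'
}

# Turn a busctl exit status ($1) and its captured stderr ($2) into a verdict:
#   refused      - sd-bus denied the call before dispatch; the gate is intact
#   bypassed     - the call completed, or the handler itself rejected our dummy
#                  argument; either way the root-only check was skipped
#   inconclusive - resolved not reachable, so nothing can be concluded
classify_probe() {
    _status=$1
    _err=$2
    if [ "$_status" -eq 0 ]; then
        echo bypassed
        return 0
    fi
    case "$_err" in
        *"not permitted"*|*"Access denied"*|*AccessDenied*)
            echo refused ;;
        *"not provided by any"*|*"Failed to connect"*|*"No such file"*)
            echo inconclusive ;;
        *)
            echo bypassed ;;
    esac
}

main() {
    if ! command -v busctl >/dev/null 2>&1; then
        echo "busctl not found: run this on the host being checked"
        return 0
    fi
    if [ "$(id -u)" -eq 0 ]; then
        echo "run as an unprivileged user: root passes the sd-bus gate anyway"
        return 0
    fi
    ver=$(parse_systemd_version "$(systemctl --version 2>/dev/null | head -n 1)")
    echo "systemd release: ${ver:-unknown} (the verdict is only meaningful for 240)"

    # Capture stderr only; keep going on a non-zero exit so we can classify it.
    status=0
    err=$(busctl call "$RESOLVE1_SERVICE" "$RESOLVE1_PATH" "$RESOLVE1_IFACE" \
              "$PROBE_METHOD" i "$PROBE_IFINDEX" 2>&1 >/dev/null) || status=$?
    echo "probe verdict: $(classify_probe "$status" "$err")"
    return 0
}

main
```

Run it as an ordinary user on the host under test. A "refused" verdict means sd-bus still enforces the root-only check on that method; "bypassed" on a systemd 240 host is the behaviour this CVE describes.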

CVSS V3.1

Score: 4.4
Severity: MEDIUM
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Confidentiality: Low
Integrity: Low
Availability: None
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

The base score of 4.4 follows from these metrics only with Availability scored None; the same vector with Availability Low would score 5.3.

Timeline

  • Vulnerability reserved

  • Vulnerability published: 4 September 2019