Описание
In systemd 240, bus_open_system_watch_bind_with_description in shared/bus-util.c (as used by systemd-resolved to connect to the system D-Bus instance), calls sd_bus_set_trusted, which disables access controls for incoming D-Bus messages. An unprivileged user can exploit this by executing D-Bus methods that should be restricted to privileged users, in order to change the system's DNS resolver settings.
An improper authorization flaw was discovered in systemd-resolved in the way it configures the exposed DBus interface org.freedesktop.resolve1. An unprivileged local attacker could call all DBus methods, even when marked as privileged operations. An attacker could abuse this flaw by changing the DNS, Search Domain, LLMNR, DNSSEC and other network link settings without any authorization, allowing control of the network names resolution process and cause the system to communicate with wrong or malicious servers.
Отчет
This issue does not affect the versions of systemd as shipped with Red Hat Enterprise Linux 7 as the shipped systemd-resolved does not provide any privileged DBus method. This issue does affect the versions of systemd as shipped with Red Hat Enterprise Linux 8, however the systemd-resolved service is not enabled by default, so the flaw cannot be exploited unless the service was manually enabled. The flaw was rated as Moderate as it requires a local attacker and changing the DNS servers cannot compromise the system by itself, though it could be used for phishing attacks or to redirect the users to malicious websites. Moreover, on Red Hat Enterprise Linux 8 systemd-resolved needs to be manually enabled by an administrator to make the system vulnerable. OpenShift Container Platform 4 includes a vulnerable version of systemd on RHEL CoreOS nodes. However, the systemd-resolved service is removed from RHEL CoreOS instances, making this vulnerability not exploitable. This flaw is rated Low for OpenShift Container Platform 4.
Меры по смягчению последствий
Disable systemd-resolved service by using sudo systemctl disable systemd-resolved.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 7 | systemd | Not affected | ||
| Red Hat Enterprise Linux 8 | systemd | Fixed | RHSA-2019:3592 | 05.11.2019 |
| Red Hat OpenShift Container Platform 4 | machine-os-content-container | Fixed | RHSA-2019:3941 | 21.11.2019 |
Показывать по
Дополнительная информация
Статус:
5.3 Medium
CVSS3
Связанные уязвимости
In systemd 240, bus_open_system_watch_bind_with_description in shared/bus-util.c (as used by systemd-resolved to connect to the system D-Bus instance), calls sd_bus_set_trusted, which disables access controls for incoming D-Bus messages. An unprivileged user can exploit this by executing D-Bus methods that should be restricted to privileged users, in order to change the system's DNS resolver settings.
In systemd 240, bus_open_system_watch_bind_with_description in shared/bus-util.c (as used by systemd-resolved to connect to the system D-Bus instance), calls sd_bus_set_trusted, which disables access controls for incoming D-Bus messages. An unprivileged user can exploit this by executing D-Bus methods that should be restricted to privileged users, in order to change the system's DNS resolver settings.
In systemd 240, bus_open_system_watch_bind_with_description in shared/ ...
In systemd 240, bus_open_system_watch_bind_with_description in shared/bus-util.c (as used by systemd-resolved to connect to the system D-Bus instance), calls sd_bus_set_trusted, which disables access controls for incoming D-Bus messages. An unprivileged user can exploit this by executing D-Bus methods that should be restricted to privileged users, in order to change the system's DNS resolver settings.
ELSA-2019-3592: systemd security, bug fix, and enhancement update (MODERATE)
5.3 Medium
CVSS3