CVE-2022-45873

Published: 18 Oct 2022
Source: redhat
CVSS3: 5.5

Description

systemd 250 and 251 allows local users to achieve a systemd-coredump deadlock by triggering a crash that has a long backtrace. This occurs in parse_elf_object in shared/elf-util.c. The exploitation methodology is to crash a binary calling the same function recursively, and put it in a deeply nested directory to make its backtrace large enough to cause the deadlock. This must be done 16 times when MaxConnections=16 is set for the systemd/units/systemd-coredump.socket file.

A flaw was found in the systemd-coredump utility of systemd. When an application crashes, the systemd-coredump utility is called twice, once by the kernel and the second time in the systemd-coredump@.service to write the data, process, and save the core file. Communication between the programs is made through a pipe, and when there is too much data through a long backtrace or many linked libraries, the pipe blocks while waiting for the data, resulting in a timeout of the systemd-coredump@.service.

Report

This vulnerability is only triggered when an application crashes and there is too much data about the crash that needs to be passed to the systemd-coredump utility, specifically more than 65536 bytes, and it will result in a Denial of Service. For this reason, this flaw has been rated as having a moderate security impact. The systemd-coredump utility of systemd as shipped with Red Hat Enterprise Linux 8 does not use the inter-process communication related to this flaw. Therefore, it's not affected.
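The blocking behaviour described above is the general "wait for the child before draining its pipe" pattern. The following C sketch is an added example, not systemd's code: it measures how much a pipe holds before a writer blocks and shows the parent-side ordering that avoids the stall. The names `pipe_capacity` and `collect_from_child` are hypothetical.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Bytes a fresh pipe accepts before write() would block (typically 65536 on Linux). */
long pipe_capacity(void) {
    int fds[2];
    char chunk[4096] = {0};
    long total = 0;
    ssize_t n;
    if (pipe(fds) < 0) return -1;
    fcntl(fds[1], F_SETFL, O_NONBLOCK);    /* full pipe -> EAGAIN instead of blocking */
    while ((n = write(fds[1], chunk, sizeof chunk)) > 0) total += n;
    close(fds[0]); close(fds[1]);
    return total;
}

/* Hypothetical helper: a forked child sends `payload` bytes back over a pipe.
 * The parent drains the pipe to EOF first and only then reaps the child.
 * With the order reversed (waitpid() before read()), a payload larger than
 * pipe_capacity() leaves the child stuck in write() and the parent in waitpid(). */
long collect_from_child(size_t payload) {
    int fds[2], status;
    char buf[4096] = {0};
    long got = 0;
    ssize_t n;
    pid_t pid;
    if (pipe(fds) < 0 || (pid = fork()) < 0) return -1;
    if (pid == 0) {                        /* child: producer */
        close(fds[0]);
        for (; payload > 0; payload -= (size_t)n) {
            n = write(fds[1], buf, payload < sizeof buf ? payload : sizeof buf);
            if (n <= 0) _exit(1);
        }
        _exit(0);
    }
    close(fds[1]);                         /* otherwise read() never sees EOF */
    while ((n = read(fds[0], buf, sizeof buf)) > 0) got += n;
    close(fds[0]);
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status) || WEXITSTATUS(status)) return -1;
    return got;
}

int main(void) {
    long cap = pipe_capacity();
    printf("capacity=%ld received=%ld\n", cap, collect_from_child((size_t)cap * 4));
    return 0;
}
```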

Affected packages

| Platform | Package | State | Recommendation | Release |
|---|---|---|---|---|
| Red Hat Enterprise Linux 7 | NetworkManager | Out of support scope | | |
| Red Hat Enterprise Linux 7 | systemd | Out of support scope | | |
| Red Hat Enterprise Linux 8 | NetworkManager | Not affected | | |
| Red Hat Enterprise Linux 8 | systemd | Not affected | | |
| Red Hat Enterprise Linux 9 | systemd | Fixed | RHSA-2023:0954 | 28.02.2023 |
| Red Hat Enterprise Linux 9 | systemd | Fixed | RHSA-2023:0954 | 28.02.2023 |

Additional information

Status: Moderate
Defect: CWE-833
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2149063 (systemd: deadlock in systemd-coredump via a crash with a long backtrace)

CVSS3: 5.5 Medium

Related vulnerabilities

CVSS3: 5.5
ubuntu
more than 2 years ago

systemd 250 and 251 allows local users to achieve a systemd-coredump deadlock by triggering a crash that has a long backtrace. This occurs in parse_elf_object in shared/elf-util.c. The exploitation methodology is to crash a binary calling the same function recursively, and put it in a deeply nested directory to make its backtrace large enough to cause the deadlock. This must be done 16 times when MaxConnections=16 is set for the systemd/units/systemd-coredump.socket file.

CVSS3: 5.5
nvd
more than 2 years ago

systemd 250 and 251 allows local users to achieve a systemd-coredump deadlock by triggering a crash that has a long backtrace. This occurs in parse_elf_object in shared/elf-util.c. The exploitation methodology is to crash a binary calling the same function recursively, and put it in a deeply nested directory to make its backtrace large enough to cause the deadlock. This must be done 16 times when MaxConnections=16 is set for the systemd/units/systemd-coredump.socket file.

CVSS3: 5.5
msrc
more than 2 years ago

No description available

CVSS3: 5.5
debian
more than 2 years ago

systemd 250 and 251 allows local users to achieve a systemd-coredump d ...

CVSS3: 5.5
github
more than 2 years ago

systemd 250 and 251 allows local users to achieve a systemd-coredump deadlock by triggering a crash that has a long backtrace. This occurs in parse_elf_object in shared/elf-util.c. The exploitation methodology is to crash a binary calling the same function recursively, and put it in a deeply nested directory to make its backtrace large enough to cause the deadlock. This must be done 16 times when MaxConnections=16 is set for the systemd/units/systemd-coredump.socket file.
