systemd v233 and earlier fails to safely parse usernames starting with a numeric digit (e.g. 0day), running the service in question with root privileges rather than the user intended.
Weakness
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Systemd | Systemd_project | 229 (including) | 234 (excluding) |
| Systemd | Ubuntu | esm-infra/xenial | * |
| Systemd | Ubuntu | upstream | * |
| Systemd | Ubuntu | vivid/ubuntu-core | * |
| Systemd | Ubuntu | xenial | * |
| Systemd | Ubuntu | yakkety | * |
| Systemd | Ubuntu | zesty | * |
Potential Mitigations
Related Attack Patterns
- https://cwe.mitre.org/data/definitions/122.html
- https://cwe.mitre.org/data/definitions/233.html
- https://cwe.mitre.org/data/definitions/58.html
References
- http://www.openwall.com/lists/oss-security/2017/07/02/1
- http://www.securityfocus.com/bid/99507
- http://www.securitytracker.com/id/1038839
- https://github.com/systemd/systemd/issues/6237
- http://www.openwall.com/lists/oss-security/2017/07/02/1
- http://www.securityfocus.com/bid/99507
- http://www.securitytracker.com/id/1038839
- https://github.com/systemd/systemd/issues/6237