systemd, a system and service manager, (as PID 1) hits an assert and freezes execution when an unprivileged IPC API call is made with spurious data. On version v249 and older the effect is not an assert, but stack overwriting, with the attacker controlled content. From version v250 and newer this is not possible as the safety check causes an assert instead. This IPC call was added in v239, so versions older than that are not affected. Versions 260-rc1, 259.2, 258.5, and 257.11 contain patches. No known workarounds are available.
Weakness
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Systemd | Systemd_project | 239 (including) | 257.11 (excluding) |
| Systemd | Systemd_project | 258 (including) | 258.5 (excluding) |
| Systemd | Systemd_project | 259 (including) | 259.2 (excluding) |
| Red Hat Enterprise Linux 10 | RedHat | systemd-0:257-13.el10_1.3 | * |
| Red Hat Enterprise Linux 10 | RedHat | systemd-0:257-23.el10_2.1 | * |
| Red Hat Enterprise Linux 10.0 Extended Update Support | RedHat | systemd-0:257-9.el10_0.2 | * |
| Red Hat Enterprise Linux 9 | RedHat | systemd-0:252-55.el9_7.9 | * |
| Red Hat Enterprise Linux 9 | RedHat | systemd-0:252-67.el9_8.2 | * |
| Red Hat Enterprise Linux 9 | RedHat | systemd-0:252-55.el9_7.9 | * |
| Red Hat Enterprise Linux 9 | RedHat | systemd-0:252-67.el9_8.2 | * |
| Red Hat Hardened Images | RedHat | systemd-main-260.1-2.1.hum1 | * |
| Red Hat Insights proxy 1.5 | RedHat | insights-proxy/insights-proxy-container-rhel9:1780420428 | * |
| Red Hat OpenShift distributed tracing 3.9.3 | RedHat | rhosdt/opentelemetry-collector-rhel9:1778056267 | * |
| Red Hat OpenShift distributed tracing 3.9.3 | RedHat | rhosdt/opentelemetry-rhel9-operator:1778056233 | * |
| Red Hat OpenShift distributed tracing 3.9.3 | RedHat | rhosdt/opentelemetry-target-allocator-rhel9:1778056245 | * |
| Red Hat Update Infrastructure 5 | RedHat | rhui5/cds-rhel9:1779798159 | * |
| Red Hat Update Infrastructure 5 | RedHat | rhui5/haproxy-rhel9:1779798164 | * |
| Red Hat Update Infrastructure 5 | RedHat | rhui5/installer-rhel9:1779798165 | * |
| Red Hat Update Infrastructure 5 | RedHat | rhui5/rhua-rhel9:1779798222 | * |
| Systemd | Ubuntu | esm-infra/focal | * |
| Systemd | Ubuntu | jammy | * |
| Systemd | Ubuntu | noble | * |
| Systemd | Ubuntu | questing | * |
Potential Mitigations
Related Attack Patterns
- https://cwe.mitre.org/data/definitions/122.html
- https://cwe.mitre.org/data/definitions/233.html
- https://cwe.mitre.org/data/definitions/58.html
References
- https://github.com/systemd/systemd/commit/1d22f706bd04f45f8422e17fbde3f56ece17758a
- https://github.com/systemd/systemd/commit/20021e7686426052e3a7505425d7e12085feb2a6
- https://github.com/systemd/systemd/commit/21167006574d6b83813c7596759b474f56562412
- https://github.com/systemd/systemd/commit/3cee294fe8cf4fa0eff933ab21416d099942cabd
- https://github.com/systemd/systemd/commit/42aee39107fbdd7db1ccd402a2151822b2805e9f
- https://github.com/systemd/systemd/commit/54588d2dedff54bfb6036670820650e4ea74628f
- https://github.com/systemd/systemd/commit/7ac3220213690e8a8d6d2a6e81e43bd1dce01d69
- https://github.com/systemd/systemd/commit/80acea4ef80a4bb78560ed970c34952299b890d6
- https://github.com/systemd/systemd/commit/b5fd14693057e5f2c9b4a49603be64ec3608ff6c
- https://github.com/systemd/systemd/commit/efa6ba2ab625aaa160ac435a09e6482fc63bdbe8
- https://github.com/systemd/systemd/security/advisories/GHSA-gx6q-6f99-m764