[ASA-201910-3] systemd: access restriction bypass
anthraxx at archlinux.org
Thu Oct 3 19:15:04 UTC 2019
Arch Linux Security Advisory ASA-201910-3
Date : 2019-10-02
CVE-ID : CVE-2019-15718
Package : systemd
Type : access restriction bypass
Remote : No
Link : https://security.archlinux.org/AVG-1035
The package systemd before version 243.0-1 is vulnerable to access
restriction bypass.
Upgrade to 243.0-1.
# pacman -Syu "systemd>=243.0-1"
The problem has been fixed upstream in version 243.0.
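To confirm that a host carries the fixed package, the following added example (not part of the advisory) classifies the output of `pacman -Q systemd` against the fixed version 243.0-1. The function names are hypothetical, and the `sort -V` fallback is an assumption that approximates pacman's version ordering when `vercmp` is not installed.

```sh
#!/bin/sh
# Added example (not part of the advisory): classify a systemd package
# version against the fixed release named in ASA-201910-3.
FIXED="243.0-1"   # first fixed package version, taken from the advisory

# version_ge A B: succeed when version A >= version B.
# Prefers pacman's own vercmp; the sort -V fallback is an approximation
# of pacman's ordering that is adequate for systemd's pkgver-pkgrel strings.
version_ge() {
    if command -v vercmp >/dev/null 2>&1; then
        [ "$(vercmp "$1" "$2")" -ge 0 ]
    else
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
    fi
}

# check_pkg NAME VERSION: takes the two fields printed by `pacman -Q systemd`
# and prints "fixed", "vulnerable", or "skip" for any other package.
check_pkg() {
    if [ "$1" != "systemd" ] || [ -z "$2" ]; then
        echo "skip"
    elif version_ge "$2" "$FIXED"; then
        echo "fixed"
    else
        echo "vulnerable"
    fi
}

# On an Arch host, report the installed package.
if command -v pacman >/dev/null 2>&1; then
    # shellcheck disable=SC2046  # word splitting into NAME VERSION is intended
    check_pkg $(pacman -Q systemd 2>/dev/null)
fi
```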
An improper authorization flaw was discovered in systemd-resolved
before v234 in the way it configures the exposed DBus interface
org.freedesktop.resolve1. An unprivileged local attacker could call all
DBus methods, even those marked as privileged operations. An attacker
could abuse this flaw by changing the DNS, Search Domain, LLMNR, DNSSEC
and other network link settings without any authorization, gaining
control of the network name resolution process and causing the system to
communicate with wrong or malicious servers. Those operations should be
performed only by a high-privileged user.
A local unprivileged attacker is able to change the DNS, Search Domain,
LLMNR, DNSSEC and other network link settings without any
authorization, gaining control of the network name resolution process
and causing the system to communicate with wrong or malicious servers.