Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 620
Alerts This Week
Warning Icon 1 620

Ubuntu 18.10, 18.04 LTS: USN-3816-1 Moderate: Systemd Exploits

ubuntu
Calendar Grey November 12, 2018
Dist Ubuntu Esm H88
Various vulnerabilities in systemd have been addressed in Ubuntu, which impacted local privilege elevation and symlink exploits.
Several security issues were fixed in systemd.

Summary

Several security issues were fixed in systemd.

Software Description:

- systemd: system and service manager

Details:

Jann Horn discovered that unit_deserialize incorrectly handled status messages

above a certain length. A local attacker could potentially exploit this via

NotifyAccess to inject arbitrary state across re-execution and obtain root

privileges. (CVE-2018-15686)

Jann Horn discovered a race condition in chown_one(). A local attacker

could potentially exploit this by setting arbitrary permissions on certain

files to obtain root privileges. This issue only affected Ubuntu 18.04 LTS

and Ubuntu 18.10. (CVE-2018-15687)

It was discovered that systemd-tmpfiles mishandled symlinks in

non-terminal path components. A local attacker could potentially exploit

this by gaining ownership of certain files to obtain root privileges. This

issue only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2018-6954)

Update Instructions

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.10:
  systemd                         239-7ubuntu10.3

Ubuntu 18.04 LTS:
  systemd                         237-3ubuntu10.6

Ubuntu 16.04 LTS:
  systemd                         229-4ubuntu21.8

After a standard system update you need to reboot your computer to make
all the necessary changes.

References

https://ubuntu.com/security/notices/USN-3816-1

CVE-2018-15686, CVE-2018-15687, CVE-2018-6954

November 12, 2018

Package Information

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.