An issue was discovered in sd-bus in systemd 239. bus_process_object() in libsystemd/sd-bus/bus-objects.c allocates a variable-length stack buffer for temporarily storing the object path of incoming D-Bus messages. An unprivileged local user can exploit this by sending a specially crafted message to PID1 causing the stack pointer to jump over the stack guard pages into an unmapped memory region and trigger a denial of service (systemd PID1 crash and kernel panic).

🗓️ 18 Aug 2020 07:00:00Reported by MicrosoftType

sd-bus stack buffer in bus-objects.c can crash PID 1 and kernel via crafted messages from an unprivileged user.

Reporter	Title	Published	Views	Family All 141
ALT Linux	Security fix for the ALT Linux 9 package systemd version 1:241-alt2	19 Feb 201900:00	–	altlinux
IBM Security Bulletins	Security Bulletin: IBM MQ Advanced CloudPaks are vulnerable to a denial of service attack within the Systemd package (CVE-2019-6454)	26 Feb 201912:30	–	ibm
IBM Security Bulletins	Security Bulletin: Vulnerabiliies in systemd affect PowerKVM	4 Mar 201905:50	–	ibm
IBM Security Bulletins	Security Bulletin: Vulnerability in systemd affects Power Hardware Management Console (CVE-2019-6454)	22 Sep 202123:05	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Security Privileged Identity Manager is affected by multiple security vulnerabilities	19 Aug 201920:44	–	ibm
IBM Security Bulletins	Security Bulletin: Vulnerability in systemd affects Power Hardware Management Console (CVE-2019-6454)	22 Sep 202123:52	–	ibm
Tenable Nessus	Amazon Linux 2 : systemd (ALAS-2019-1164)	19 Feb 201900:00	–	nessus
Tenable Nessus	Amazon Linux 2 : systemd (ALAS-2021-1643) (deprecated)	24 May 202100:00	–	nessus
Tenable Nessus	CentOS 8 : systemd (CESA-2019:0990)	29 Jan 202100:00	–	nessus
Tenable Nessus	CentOS 7 : systemd (CESA-2019:0368)	21 Feb 201900:00	–	nessus