CVE-2022-45873 - OpenCVE

systemd 250 and 251 allows local users to achieve a systemd-coredump deadlock by triggering a crash that has a long backtrace. This occurs in parse_elf_object in shared/elf-util.c. The exploitation methodology is to crash a binary calling the same function recursively, and put it in a deeply nested directory to make its backtrace large enough to cause the deadlock. This must be done 16 times when MaxConnections=16 is set for the systemd/units/systemd-coredump.socket file.

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Systemd Project	Systemd
Fedoraproject	Fedora

Configuration 1 [-]

OR	cpe:2.3:a:systemd_project:systemd::::::::
	cpe:2.3:a:systemd_project:systemd:252:rc1::::::
	cpe:2.3:a:systemd_project:systemd:252:rc2::::::

Configuration 2 [-]

cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*

References

Link	Resource
https://github.com/systemd/systemd/commit/076b807be472630692c5348c60d0c2b7b28ad437	Patch Third Party Advisory
https://github.com/systemd/systemd/pull/24853#issuecomment-1326561497	Issue Tracking Patch Third Party Advisory
https://github.com/systemd/systemd/pull/25055#issuecomment-1313733553	Issue Tracking Patch Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MS5N5SLYAHKENLAJWYBDKU55ICU3SVZF/

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2022-11-23T00:00:00

Updated: 2022-12-31T00:00:00

Reserved: 2022-11-23T00:00:00

Link: CVE-2022-45873

JSON object: View

NVD Information

Status : Modified

Published: 2022-11-23T23:15:10.183

Modified: 2023-11-07T03:54:55.553

Link: CVE-2022-45873

JSON object: View

Redhat Information

No data.

CWE

CWE-400

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:systemd_project:systemd:*:*:*:*:*:*:*:*", "matchCriteriaId": "8AE4E7F2-A943-44CA-B44F-BDE0F8D09B53", "versionEndIncluding": "251", "versionStartIncluding": "250", "vulnerable": true}, {"criteria": "cpe:2.3:a:systemd_project:systemd:252:rc1:*:*:*:*:*:*", "matchCriteriaId": "55FF285C-8DFC-4A67-A426-1ADE349BEF8E", "vulnerable": true}, {"criteria": "cpe:2.3:a:systemd_project:systemd:252:rc2:*:*:*:*:*:*", "matchCriteriaId": "0E0E4355-1411-43F3-8DCE-700BE15FC71C", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*", "matchCriteriaId": "5C675112-476C-4D7C-BCB9-A2FB2D0BC9FD", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "systemd 250 and 251 allows local users to achieve a systemd-coredump deadlock by triggering a crash that has a long backtrace. This occurs in parse_elf_object in shared/elf-util.c. The exploitation methodology is to crash a binary calling the same function recursively, and put it in a deeply nested directory to make its backtrace large enough to cause the deadlock. This must be done 16 times when MaxConnections=16 is set for the systemd/units/systemd-coredump.socket file."}, {"lang": "es", "value": "systemd 250 y 251 permiten a los usuarios locales lograr un punto muerto en systemd-coredump al desencadenar un bloqueo que tiene un largo backtrace. Esto ocurre en parse_elf_object enshared/elf-util.c. La metodolog\u00eda de explotaci\u00f3n consiste en bloquear un binario que llama a la misma funci\u00f3n de forma recursiva y colocarlo en un directorio profundamente anidado para que su seguimiento sea lo suficientemente grande como para provocar el punto muerto. Esto se debe hacer 16 veces cuando se establece MaxConnections=16 para el archivo systemd/units/systemd-coredump.socket."}], "id": "CVE-2022-45873", "lastModified": "2023-11-07T03:54:55.553", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-11-23T23:15:10.183", "references": [{"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/systemd/systemd/commit/076b807be472630692c5348c60d0c2b7b28ad437"}, {"source": "cve@mitre.org", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://github.com/systemd/systemd/pull/24853#issuecomment-1326561497"}, {"source": "cve@mitre.org", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://github.com/systemd/systemd/pull/25055#issuecomment-1313733553"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MS5N5SLYAHKENLAJWYBDKU55ICU3SVZF/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "nvd@nist.gov", "type": "Primary"}]}