systemd 242 changes the VT1 mode upon a logout, which allows attackers to read cleartext passwords in certain circumstances, such as watching a shutdown, or using Ctrl-Alt-F1 and Ctrl-Alt-F2. This occurs because the KDGKBMODE (aka current keyboard mode) check is mishandled.
Ubuntu bug report: https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1803993
Upstream commit: https://github.com/systemd/systemd/pull/12378
Created systemd tracking bugs for this issue: Affects: fedora-all [bug 1716956]
The fix implemented in [1] seems to cause a regression, which was reported upstream at [2]. It is still not clear what the right fix for this CVE will be, as there is a PR [3] under review to revert the fix [1].
[1] https://github.com/systemd/systemd/pull/12378
[2] https://github.com/systemd/systemd/issues/12616
[3] https://github.com/systemd/systemd/pull/12739
To see the leaked passwords in VT1, the attacker needs to either be root or be physically in front of the computer (AV:P). Also, it's required for the victim users to be physically in front of the computer as well and log in after the vulnerability is triggered (UI:R).
Given what was said in comment 5, I'm lowering the Impact to Moderate.
The fix that supposedly should have fixed this CVE was actually reverted upstream in https://github.com/systemd/systemd/commit/ad3f86e6a4e5f2d5d64c81f9a30f250b624284fa .
Closing the flaw bug as NOTABUG because the supposed fix was actually reverted and it's not clear whether the issue was really in systemd or not.
See also:
https://github.com/systemd/systemd/pull/13109
https://gitlab.freedesktop.org/xorg/xserver/issues/857