Bug 1716955 (CVE-2018-20839) - CVE-2018-20839 systemd: mishandling of the current keyboard mode check leading to passwords being disclosed in cleartext to attacker [NEEDINFO]
Summary: CVE-2018-20839 systemd: mishandling of the current keyboard mode check leadin...
Keywords:
Status: NEW
Alias: CVE-2018-20839
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1716956
Blocks: 1716957
Reported: 2019-06-04 13:03 UTC by Marian Rehak
Modified: 2019-11-11 13:18 UTC (History)
CC List: 10 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
rschiron: needinfo? (zjedrzej)
rschiron: needinfo? (lpoetter)


Description Marian Rehak 2019-06-04 13:03:17 UTC
systemd 242 changes the VT1 mode upon a logout, which allows attackers to read cleartext passwords in certain circumstances, such as watching a shutdown, or using Ctrl-Alt-F1 and Ctrl-Alt-F2. This occurs because the KDGKBMODE (aka current keyboard mode) check is mishandled.

Ubuntu bug report:

https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1803993

Upstream commit:

https://github.com/systemd/systemd/pull/12378

Comment 1 Marian Rehak 2019-06-04 13:03:30 UTC
Created systemd tracking bugs for this issue:

Affects: fedora-all [bug 1716956]

Comment 4 Riccardo Schirone 2019-06-06 15:34:59 UTC
The fix implemented in [1] seems to cause a regression, which was reported upstream at [2]. It is still not clear what the right fix for this CVE will be, as there is a PR [3] under review to revert the fix [1].

[1] https://github.com/systemd/systemd/pull/12378
[2] https://github.com/systemd/systemd/issues/12616
[3] https://github.com/systemd/systemd/pull/12739

Comment 5 Riccardo Schirone 2019-06-07 13:03:48 UTC
To see the leaked passwords in VT1, the attacker needs to either be root or be physically in front of the computer (AV:P). Also, it's required for the victim users to be physically in front of the computer as well and log in after the vulnerability is triggered (UI:R).

Comment 6 Riccardo Schirone 2019-06-07 17:27:17 UTC
Given what was said in comment 5, I'm lowering the Impact to Moderate.

Comment 10 Riccardo Schirone 2019-11-08 10:07:48 UTC
The fix that supposedly should have fixed this CVE was actually reverted upstream in https://github.com/systemd/systemd/commit/ad3f86e6a4e5f2d5d64c81f9a30f250b624284fa.
