{
  "threat_severity" : "Moderate",
  "public_date" : "2019-09-03T15:00:00Z",
  "bugzilla" : {
    "description" : "systemd: systemd-resolved allows unprivileged users to configure DNS",
    "id" : "1746057",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1746057"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.3",
    "cvss3_scoring_vector" : "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
    "status" : "verified"
  },
  "cwe" : "CWE-285",
  "details" : [ "In systemd 240, bus_open_system_watch_bind_with_description in shared/bus-util.c (as used by systemd-resolved to connect to the system D-Bus instance), calls sd_bus_set_trusted, which disables access controls for incoming D-Bus messages. An unprivileged user can exploit this by executing D-Bus methods that should be restricted to privileged users, in order to change the system's DNS resolver settings.", "An improper authorization flaw was discovered in systemd-resolved in the way it configures the exposed DBus interface org.freedesktop.resolve1. An unprivileged local attacker could call all DBus methods, even when marked as privileged operations. An attacker could abuse this flaw by changing the DNS, Search Domain, LLMNR, DNSSEC and other network link settings without any authorization, allowing control of the network names resolution process and cause the system to communicate with wrong or malicious servers." ],
  "statement" : "This issue does not affect the versions of systemd as shipped with Red Hat Enterprise Linux 7 as the shipped systemd-resolved does not provide any privileged DBus method.\nThis issue does affect the versions of systemd as shipped with Red Hat Enterprise Linux 8, however the systemd-resolved service is not enabled by default, so the flaw cannot be exploited unless the service was manually enabled.\nThe flaw was rated as Moderate as it requires a local attacker and changing the DNS servers cannot compromise the system by itself, though it could be used for phishing attacks or to redirect the users to malicious websites. Moreover, on Red Hat Enterprise Linux 8 systemd-resolved needs to be manually enabled by an administrator to make the system vulnerable.\nOpenShift Container Platform 4 includes a vulnerable version of systemd on RHEL CoreOS nodes. However, the systemd-resolved service is removed from RHEL CoreOS instances, making this vulnerability not exploitable. This flaw is rated Low for OpenShift Container Platform 4.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2019-11-05T00:00:00Z",
    "advisory" : "RHSA-2019:3592",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "systemd-0:239-18.el8"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "release_date" : "2019-11-21T00:00:00Z",
    "advisory" : "RHSA-2019:3941",
    "cpe" : "cpe:/a:redhat:openshift:4.1",
    "package" : "machine-os-content-container"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "systemd",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2019-15718\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-15718" ],
  "name" : "CVE-2019-15718",
  "mitigation" : {
    "value" : "Disable systemd-resolved service by using `sudo systemctl disable systemd-resolved`.",
    "lang" : "en:us"
  },
  "csaw" : false
}