Sid 1-49618

Message

FILE-OTHER Unix systemd-journald memory corruption attempt

Summary

This event is generated when a proof-of-concept exploit for systemd-journald is transferred to a client.

Impact

Attempted Administrator Privilege Gain

CVE-2018-16864:

CVSS base score 7.8

CVSS impact score 5.9

CVSS exploitability score 1.8

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

CVE-2018-16865:

CVSS base score 7.8

CVSS impact score 5.9

CVSS exploitability score 1.8

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Detailed information

CVE-2018-16864: An unbounded memory allocation, which could cause the stack to clash with another memory region, was discovered in systemd-journald when a program with long command line arguments calls syslog. A local attacker may use this flaw to crash systemd-journald or escalate privileges. Versions through v240 are vulnerable.

CVE-2018-16865: An unbounded memory allocation, which could cause the stack to clash with another memory region, was discovered in systemd-journald when many entries are sent to the journal socket. A local attacker, or a remote one if systemd-journal-remote is used, may use this flaw to crash systemd-journald or execute code with journald privileges. Versions through v240 are vulnerable.

Affected systems

  • freedesktop systemd 240
  • canonical ubuntu_linux 16.04
  • canonical ubuntu_linux 18.04
  • canonical ubuntu_linux 18.10
  • debian debian_linux 8.0
  • debian debian_linux 9.0
  • redhat enterpriselinuxdesktop 7.0
  • redhat enterpriselinuxserver 7.0
  • redhat enterpriselinuxserver 7.4
  • redhat enterpriselinuxserver 7.5
  • redhat enterpriselinuxserver 7.6
  • redhat enterpriselinuxserver_aus 7.6
  • redhat enterpriselinuxserver_eus 7.4
  • redhat enterpriselinuxserver_eus 7.6
  • redhat enterpriselinuxserver_tus 7.6
  • redhat enterpriselinuxworkstation 7.0
  • redhat virtualization 4.0
  • redhat enterpriselinuxserver_eus 7.5

Ease of attack

CVE-2018-16864:

Access Vector

Access Complexity

Authentication

CVE-2018-16865:

Access Vector

Access Complexity

Authentication

False positives

False negatives

Corrective action

Contributors

  • Cisco Talos Intelligence Group

Additional References

  • exploit.delivery/systemdjournaldexploitnoaslr.py