CVE-2018-20839

Published: 17 May 2019

systemd 242 changes the VT1 mode upon a logout, which allows attackers to read cleartext passwords in certain circumstances, such as watching a shutdown, or using Ctrl-Alt-F1 and Ctrl-Alt-F2. This occurs because the KDGKBMODE (aka current keyboard mode) check is mishandled.

Priority

Medium

CVSS 3 base score: 9.8

Status

Package: systemd (Launchpad, Ubuntu, Debian)

Release: Status
Upstream: Needed
Ubuntu 21.04 (Hirsute Hippo): Deferred
Ubuntu 20.10 (Groovy Gorilla): Deferred
Ubuntu 20.04 LTS (Focal Fossa): Deferred
Ubuntu 18.04 LTS (Bionic Beaver): Deferred
Ubuntu 16.04 LTS (Xenial Xerus): Deferred
Ubuntu 14.04 ESM (Trusty Tahr): Deferred

Patches:
Upstream: https://github.com/systemd/systemd/commit/9725f1a10f80f5e0ae7d9b60547458622aeb322f
Upstream: https://github.com/systemd/systemd/commit/bb5ac84d79ac3aef606a4a9eeaafef94a1f199be
Upstream: https://github.com/systemd/systemd/commit/13a43c73d8cbac4b65472de04bb88ea1bacdeb89