ASA-2019-00531 – systemd: Missing access controls on systemd-resolved’s D-Bus interface

Allele Security Alert



ASA-2019-00531, CVE-2019-15718


Missing access controls on systemd-resolved’s D-Bus interface


The systemd project



Affected version(s)

systemd versions before v243

Fixed version(s)

systemd version v243

Proof of concept



It was discovered that systemd-resolved does not enforce appropriate access controls on its D-Bus interface and allows unprivileged users to execute methods that are meant to be available only to privileged users. This can be exploited by local users to modify the system’s DNS resolver settings.

Technical details

The function manager_connect_bus() in src/resolve/resolved-bus.c opens a connection to the system bus using the bus_open_system_watch_bind_with_description() helper function, which is defined in src/shared/bus-util.c.

This helper function calls sd_bus_set_trusted(). This has the effect of disabling access controls, even for members that are defined without the SD_BUS_VTABLE_UNPRIVILEGED flag – the absence of which should deny access from unprivileged clients. See check_access() in src/libsystemd/sd-bus/bus-objects.c:

static int check_access(sd_bus *bus, sd_bus_message *m, struct
vtable_member *c, sd_bus_error *error) {
uint64_t cap;
int r;


/* If the entire bus is trusted let's grant access */
if (bus->trusted)
return 0;

/* If the member is marked UNPRIVILEGED let's grant access */
if (c->vtable->flags & SD_BUS_VTABLE_UNPRIVILEGED)
return 0;

timesyncd and networkd both use the same helper function to connect to the system bus, but both of these are unaffected by this bug. In timesyncd’s case, it only exposes some read-only properties and these don’t have access controls. In networkd’s case, all methods are annotated with SD_BUS_VTABLE_UNPRIVILEGED and it uses policykit for enforcing access controls.


Nadav Markus (Palo Alto Networks)


CVE-2019-15718: Missing access controls on systemd-resolved’s D-Bus interface

Resolved issue by keszybz · Pull Request #13457 · systemd/systemd

shared/but-util: drop trusted annotation from bus_open_system_watch_bind_with_description()

CVE-2019-15718 - Red Hat Customer Portal

CVE-2019-15718 in Ubuntu


CVE-2019-15718 | SUSE



If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: September 3, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.