CVE-2019-19725

9.8 CRITICAL

📋 TL;DR

CVE-2019-19725 is a double-free vulnerability in sysstat's sa_common.c that allows memory corruption. Attackers can exploit this to potentially execute arbitrary code or cause denial of service. Systems running sysstat versions through 12.2.0 are affected.

💻 Affected Systems

Products:
  • sysstat
Versions: All versions through 12.2.0
Operating Systems: Linux, Unix-like systems
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in check_file_actlst function when processing activity files

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution with root privileges leading to complete system compromise
🟠 Likely Case: Denial of service through application crash or local privilege escalation
🟢 If Mitigated: Limited impact if sysstat runs with minimal privileges and memory protections are enabled

🌐 Internet-Facing: LOW - sysstat is typically used locally for system monitoring
🏢 Internal Only: MEDIUM - attackers with local access could exploit this for privilege escalation

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires local access to trigger the double-free condition

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 12.2.1 and later

Vendor Advisory: https://github.com/sysstat/sysstat/issues/242

Restart Required: No

Instructions:

1. Update sysstat package using your distribution's package manager
2. For Debian/Ubuntu: sudo apt update && sudo apt install sysstat
3. For RHEL/CentOS: sudo yum update sysstat
4. For source installation: Download and compile version 12.2.1+ from sysstat GitHub

🔧 Temporary Workarounds

Disable sysstat data collection

linux

Stop sysstat from collecting and processing activity files

sudo systemctl stop sysstat
sudo systemctl disable sysstat

Remove vulnerable binary

linux

Temporarily remove or restrict access to vulnerable sysstat binaries

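# sa_common.c is a source file compiled into the tools; there is no installed sa_common binary. The tools that read activity files are sar and sadf.
SAR=$(command -v sar); SADF=$(command -v sadf)
sudo chmod 000 "$SAR" "$SADF"
for f in "$SAR" "$SADF"; do sudo mv "$f" "$f.bak"; done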

🧯 If You Can't Patch

  • Run sysstat with reduced privileges using SELinux/AppArmor
  • Implement strict access controls to limit who can execute sysstat commands

🔍 How to Verify

Check if Vulnerable:

Check the sysstat version; 12.2.0 or lower is affected: sadc -V | grep 'sysstat version'

Check Version:

sadc -V 2>&1 | grep 'sysstat version' || sar -V 2>&1 | grep 'sysstat version'

Verify Fix Applied:

Verify version is 12.2.1 or higher: sadc -V | grep 'sysstat version'
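
A version gate for the checks above, as an added example that is not part of the original page or the sysstat project: it parses the `sysstat version` line and compares it field by field with 12.2.1. The function names and sample strings are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: classify `sar -V` / `sadc -V` output against the fixed release.
FIXED="12.2.1"   # "Patch Version: 12.2.1 and later", taken from this page

# Print the X.Y.Z that follows "sysstat version"; print nothing if it is absent.
extract_version() {
    printf '%s\n' "$1" | sed -n 's/.*sysstat version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Return 0 when $1 >= $2, comparing dot-separated fields as integers,
# so that 12.10.0 sorts above 12.2.1 (a plain string compare gets this wrong).
version_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        if [ "$a" = "$x" ]; then a=""; else a=${a#*.}; fi
        if [ "$b" = "$y" ]; then b=""; else b=${b#*.}; fi
        x=${x:-0}; y=${y:-0}          # a missing field counts as 0
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
    done
    return 0
}

# Print "fixed", "vulnerable" or "unknown" for a block of version output.
classify() {
    v=$(extract_version "$1")
    if [ -z "$v" ]; then echo unknown; return 0; fi
    if version_ge "$v" "$FIXED"; then echo fixed; else echo vulnerable; fi
}

# Constructed sample outputs (not captured from a real host).
for sample in "sysstat version 12.2.0" "sysstat version 12.2.1" \
              "sysstat version 12.10.3" "sh: sar: not found"; do
    printf '%-26s -> %s\n' "$sample" "$(classify "$sample")"
done

# Live check, only when sar is on PATH.
if command -v sar >/dev/null 2>&1; then
    echo "this host: $(classify "$(sar -V 2>&1)")"
fi
```

Distribution packages sometimes backport a fix without changing the upstream version string, so treat a "vulnerable" result as a prompt to check the package changelog.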

📡 Detection & Monitoring

Log Indicators:

  • Segmentation faults in sysstat processes
  • Abnormal memory usage patterns in sysstat

Network Indicators:

  • Not applicable - local vulnerability

SIEM Query:

process.name:sadc AND (event.outcome:failure OR event.severity:critical)
