Penguins force-fed root: Cruel security flaw found in
Opens door to privilege escalation attacks
Some Linux distros will need to be updated following the discovery of an easily exploitable flaw in a core system management component.
The CVE-2016-10156 security hole in systemd v228 opens the door to privilege escalation attacks, creating a means for hackers to root systems locally if not across the internet. The vulnerability is fixed in
Essentially, it is possible to create world-readable, world-writeable setuid executable files that are root owned by setting all the mode bits in a call to
systemd changelog for the fix reads:
basic: fix touch() creating files with 07777 mode
mode_t is unsigned, so MODE_INVALID < 0 can never be true.
This fixes a possible [denial of service] where any user could fill /run by writing to a world-writable /run/systemd/show-status.
However, as pointed out by security researcher Sebastian Krahmer, the flaw is worse than a denial-of-service vulnerability – it can be exploited by a malicious program or logged-in user to gain administrator access: "Mode 07777 also contains the suid bit, so files created by touch() are world writable suids, root owned."
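The unsigned-comparison mistake the changelog describes can be shown in isolation. This is an added example, not systemd's code and not part of the original article; the sentinel value `(mode_t) -1`, the 0644 default and every function name here are assumptions made for illustration.

```c
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Assumption: "no mode requested" is signalled by an all-ones mode_t. */
#define MODE_INVALID ((mode_t) -1)

/* Flawed pattern: mode_t is unsigned, so the sentinel is a large positive
 * value and passes a "greater than zero" test as if it were a real mode. */
static mode_t create_mode_flawed(mode_t mode) {
    return mode > 0 ? mode : 0644;
}

/* Corrected pattern: compare against the sentinel explicitly. */
static mode_t create_mode_fixed(mode_t mode) {
    return (mode == 0 || mode == MODE_INVALID) ? 0644 : mode;
}

/* Permission bits that survive from a requested mode (before umask). */
static mode_t effective_bits(mode_t requested) {
    return requested & 07777;
}

/* Audit predicate: a set-id bit combined with world-write. */
static int is_writable_setid(mode_t m) {
    return (m & (S_ISUID | S_ISGID)) != 0 && (m & S_IWOTH) != 0;
}

int main(void) {
    const mode_t inputs[] = { MODE_INVALID, 0, 0600 };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        mode_t bad = effective_bits(create_mode_flawed(inputs[i]));
        mode_t good = effective_bits(create_mode_fixed(inputs[i]));
        printf("flawed=%05o%s  fixed=%05o%s\n",
               (unsigned) bad, is_writable_setid(bad) ? " (writable set-id)" : "",
               (unsigned) good, is_writable_setid(good) ? " (writable set-id)" : "");
    }
    return 0;
}
```

The same `is_writable_setid()` test applied to `st_mode` from `stat()` is a quick way to audit existing files for this combination of bits.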
The security bug was quietly fixed in January 2016, back when it was thought to pose only a system-crashing risk. The programming blunder has been upgraded this week following a reevaluation of its severity. The bug now weighs in at a CVSS score of 7.2, towards the top end of the 1-10 scale.
It's a local root exploit, so it requires access to the system in question to exploit, but it pretty much boils down to "create a powerful file in a certain way, and gain root on the server." It's trivial to pull off.
"Newer" versions of systemd deployed by Fedora or Ubuntu have been secured, but Debian systems are still running an older version and therefore need updating.
systemd is a suite of building blocks for Linux systems that provides system and service management technology. Security specialists view it with suspicion, and complaints about function creep are not uncommon. ®