Don't panic, but Linux's Systemd can be pwned via an evil DNS query
PS, Alpine users, you need to get patching, too – for other reasons
Systemd, the Linux world's favorite init monolith, can be potentially crashed or hijacked by malicious DNS servers. Patches are available to address the security flaw, and should be installed ASAP if you're affected.
Looking up a hostname from a vulnerable Systemd-powered PC, handheld, gizmo or server can be enough to trigger an attack by an evil DNS service: the software's resolved component can be fooled into allocating too little memory for a lookup response, and when a large reply is eventually received, this data overflows the buffer, allowing the attacker to overwrite memory. This can crash the process or lead to remote code execution, meaning the remote evil DNS service can run malware on your box.
"A malicious DNS server can exploit this by responding with a specially crafted TCP payload to trick systemd-resolved into allocating a buffer that's too small, and subsequently write arbitrary data beyond the end of it," explained Chris Coulson, of Ubuntu maker Canonical, who discovered the out-of-bounds write in
The programming blunder, assigned the ID CVE-2017-9445, was accidentally introduced in Systemd version 223 in June 2015 and is present all the way up to and including version 233 in March this year.
This means it is present in Ubuntu versions 17.04 and 16.10. Canonical has put out a pair of fixes for 17.04 and 16.10 to address the flaw.
The bug is technically present in Debian Stretch (aka Debian 9), Buster (aka 10) and Sid (aka Unstable), however "systemd-resolved is not enabled by default in Debian," according to the project's Salvatore Bonaccorso, so either you have nothing to worry about, or you can apply the patch yourself or hang tight for the next point release.
Various other Linux distros use Systemd, too: check to make sure there are no updates available and ready to install for your version of systemd-resolved via the usual package manager. If there are, well, you know what to do.
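As an added example (not from the article, Canonical or the systemd project), here is a small POSIX shell helper that triages a host against the facts above: the 223..233 range the article gives, and whether systemd-resolved is actually active. It assumes `systemctl --version` prints `systemd NNN` on its first line, as it does on common distros. Distros backport fixes without bumping that number, so a hit means "check your package manager", not "proven vulnerable".

```shell
#!/bin/sh
# Added example, not from the article or systemd: triage for CVE-2017-9445.
# The 223..233 span is the affected range the article reports.

# in_affected_range VERSION -> 0 if 223 <= VERSION <= 233, 1 otherwise
in_affected_range() {
    ver="$1"
    case "$ver" in
        ''|*[!0-9]*) return 1 ;;   # not a plain integer: treat as not matched
    esac
    [ "$ver" -ge 223 ] && [ "$ver" -le 233 ]
}

# parse_systemd_version "systemd 231 ..." -> prints "231" (empty if no match).
# Feed it the first line of `systemctl --version`.
parse_systemd_version() {
    printf '%s\n' "$1" | sed -n '1s/^systemd \([0-9][0-9]*\).*/\1/p'
}

# resolved_in_use -> 0 if systemd-resolved is active (Debian leaves it off by
# default, per the article), 1 otherwise. Needs a live systemd host.
resolved_in_use() {
    systemctl is-active --quiet systemd-resolved 2>/dev/null
}

# triage VERSION_LINE RESOLVED_ACTIVE(0=active,1=not) -> prints a verdict;
# returns 0 when the host needs attention, 1 when fine, 2 when unknown.
# Pure function, so it can be exercised offline with constructed input.
triage() {
    ver=$(parse_systemd_version "$1")
    if [ -z "$ver" ]; then
        echo "unknown: could not parse systemd version from '$1'"; return 2
    fi
    if ! in_affected_range "$ver"; then
        echo "ok: systemd $ver is outside the 223..233 range"; return 1
    fi
    if [ "$2" -ne 0 ]; then
        echo "low: systemd $ver in range, systemd-resolved not active; patch anyway"; return 0
    fi
    echo "action: systemd $ver with systemd-resolved active; install vendor update"; return 0
}

# Live run on this host (skipped where systemctl is absent, e.g. non-systemd boxes)
if command -v systemctl >/dev/null 2>&1; then
    if resolved_in_use; then active=0; else active=1; fi
    triage "$(systemctl --version 2>/dev/null | head -n 1)" "$active" || :
fi
```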
Meanwhile, researcher Ariel Zelivansky has found some security bugs in Alpine Linux's package manager apk. The flaws, assigned CVE-2017-9669 and CVE-2017-9671, allow remote code execution on Alpine Linux instances (including Docker runs) via buffer overflows in the handling of package files.
"The only prerequisite would be to figure out the memory layout of the program," Zelivansky said. "Protections like ASLR or other hardenings may block the attacker from succeeding, but he may be able to get around it and still achieve execution." ®