Don't panic, but Linux's Systemd can be pwned via an evil DNS query

PS, Alpine users, you need to get patching, too – for other reasons


Systemd, the Linux world's favorite init monolith, can be potentially crashed or hijacked by malicious DNS servers. Patches are available to address the security flaw, and should be installed ASAP if you're affected.

Looking up a hostname from a vulnerable Systemd-powered PC, handheld, gizmo or server can be enough to trigger an attack by an evil DNS service: the software's resolved component can be fooled into allocating too little memory for a lookup response, and when a large reply is eventually received, this data overflows the buffer allowing the attacker to overwrite memory. This can crash the process or lead to remote code execution, meaning the remote evil DNS service can run malware on your box.

"A malicious DNS server can exploit this by responding with a specially crafted TCP payload to trick systemd-resolved into allocating a buffer that's too small, and subsequently write arbitrary data beyond the end of it," explained Chris Coulson, of Ubuntu maker Canonical, who discovered the out-of-bounds write in systemd-resolved.

The programming blunder, assigned the ID CVE-2017-9445, was accidentally introduced in Systemd version 223 in June 2015 and is present all the way up to and including version 233 in March this year.

This means it is present in Ubuntu versions 17.04 and 16.10. Canonical has put out a pair of fixes for 17.04 and 16.10 to address the flaw.

The bug is technically present in Debian Stretch (aka Debian 9), Buster (aka 10) and Sid (aka Unstable), however "systemd-resolved is not enabled by default in Debian," according to the project's Salvatore Bonaccorso, so either you have nothing to worry about, apply the patch yourself, or hang tight for the next point release.

Various other Linux distros use Systemd, too: check to make sure there are no updates available and ready to install for your version of systemd-resolved via the usual package manager. If there are, well, you know what to do.
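As a quick triage aid for that check, here is a small shell helper, added as an example and not taken from Systemd or any distro's tooling. It compares the upstream version reported by `systemctl --version` against the affected range given above (223 to 233 inclusive) and looks at whether systemd-resolved is in use; the function names and verdict strings are made up for illustration.

```shell
#!/bin/sh
# Triage helper for CVE-2017-9445 (added example; names are hypothetical).
# Affected upstream range per the article: systemd 223 through 233 inclusive.

# Extract the upstream version from the first line of `systemctl --version`,
# e.g. "systemd 232" or "systemd 245 (245.4-4ubuntu3)".
parse_systemd_version() {
    printf '%s\n' "$1" | sed -n '1s/^systemd \([0-9][0-9]*\).*/\1/p'
}

# Succeed only if $1 is a number inside the affected upstream range.
in_affected_range() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 223 ] && [ "$1" -le 233 ]
}

# $1 = `systemctl --version` output, $2 = systemd-resolved unit state.
# Distros backport fixes without bumping the upstream version, so an
# in-range version with resolved running means "check the package patch
# level", not "confirmed vulnerable".
triage() {
    ver=$(parse_systemd_version "$1")
    if [ -z "$ver" ]; then echo "unknown"; return 0; fi
    if ! in_affected_range "$ver"; then echo "not-in-range"; return 0; fi
    case "$2" in
        active|enabled) echo "check-patch-level" ;;
        *)              echo "in-range-resolved-off" ;;
    esac
}

# Gather the two inputs from the local host and print a verdict.
report() {
    if ! command -v systemctl >/dev/null 2>&1; then
        echo "systemctl not found: host does not appear to run systemd"
        return 0
    fi
    out=$(systemctl --version 2>/dev/null || true)
    state=$(systemctl is-active systemd-resolved 2>/dev/null || true)
    [ "$state" = "active" ] || \
        state=$(systemctl is-enabled systemd-resolved 2>/dev/null || true)
    echo "systemd-resolved triage: $(triage "$out" "$state")"
}

report
```

A "check-patch-level" result still needs the distro's security tracker or package changelog to confirm whether the installed build carries the fix.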

Meanwhile, researcher Ariel Zelivansky has found some security bugs in Alpine Linux's package manager apk. The flaws, assigned CVE-2017-9669 and CVE-2017-9671, allow remote code execution on Alpine Linux instances (including Docker runs), via buffer overflows in the handling of package files.

"The only prerequisite would be to figure out the memory layout of the program," Zelivansky said. "Protections like ASLR or other hardenings may block the attacker from succeeding, but he may be able to get around it and still achieve execution." ®

