The D in SystemD stands for Dammmit... Security holes found in much-adored Linux toolkit

Patches pending for distros to deal with threat of local privilege escalation to root


Security biz Qualys has revealed three vulnerabilities in a component of systemd, a system and service manager used in most major Linux distributions.

Patches for the three flaws – CVE-2018-16864, CVE-2018-16865, and CVE-2018-16866 – should appear in distro repos soon as a result of coordinated disclosure. However, Linux distributions such as Debian remain vulnerable at the moment, depending on the version you have installed.

"They're aware of the issues and they're releasing patches," said Jimmy Graham, director of product management at Qualys, in a phone interview with The Register. "I don't believe Red Hat has released one but it should be coming shortly."

The bugs were found in systemd-journald, a part of systemd that handles the collection and storage of log data. The first two CVEs refer to memory corruption flaws while the third involves an out-of-bounds error that can leak data.

CVE-2018-16864 can be exploited by malware running on a Linux box, or a malicious logged-in user, to crash and potentially hijack the systemd-journald system service, elevating access from user to root. CVE-2018-16865 and CVE-2018-16866 can be exploited together by a local attacker to crash or hijack the root-privileged journal service.

While systemd isn't universally beloved in the Linux community, Graham sees nothing unusual about the presence of the three flaws in the software. "The noteworthiness to me is that it is very commonly found in most major distributions," he said.

Qualys contends all systemd-based Linux distros are vulnerable, though the vulnerabilities cannot be exploited in SUSE Linux Enterprise 15, openSUSE Leap 15.0, and Fedora 28 and 29 because their user-land code is compiled with GCC's -fstack-clash-protection option.

CVE-2018-16864, the company says, entered systemd's codebase in April 2013 (systemd v203) and became exploitable in February 2016 (systemd v230). While working on an exploit for another Linux flaw, Qualys researchers found that if you pass several megabytes of command-line arguments to a program that calls syslog(), systemd-journald will crash.

That led them to look for another instance of an attacker-controlled alloca() function, which they found. CVE-2018-16865 appeared in December 2011 (systemd v38) and became exploitable in April 2013 (systemd v201), Qualys says.


The security biz calls it a simplified stack clash – where the size of the stack gets changed to overlap with other memory areas – because it only requires the last two steps in a four-step process: clashing the stack with another memory region, moving the stack pointer to the stack start, jumping over the stack guard page into another memory region, and smashing the stack or memory space.
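The pattern behind the two memory corruption bugs, an alloca() sized by attacker-controlled input, is shown here next to a bounded form. This is an added example, not systemd's code or Qualys's; the function names, the FIELD= prefix and the 4096-byte cap are assumptions made for illustration.

```c
#include <alloca.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define STACK_COPY_MAX 4096 /* assumed cap, chosen for this example */

/* Unsafe pattern: the stack allocation is sized by the caller's input.
 * With a multi-megabyte len the stack pointer lands beyond the guard page.
 * Kept for contrast; only ever called here with a short string. */
size_t join_unsafe(const char *prefix, const char *val, size_t len) {
    size_t plen = strlen(prefix);
    char *buf = alloca(plen + len + 1);
    memcpy(buf, prefix, plen);
    memcpy(buf + plen, val, len);
    buf[plen + len] = '\0';
    return strlen(buf);
}

/* Hardened: bounded stack use, heap for anything larger, errors reported. */
long join_safe(const char *prefix, const char *val, size_t len) {
    size_t plen = strlen(prefix);
    if (len > (size_t)-1 - plen - 1) return -1; /* size would overflow */
    size_t need = plen + len + 1;
    char *heap = NULL, *buf;
    if (need <= STACK_COPY_MAX) buf = alloca(need);
    else if (!(buf = heap = malloc(need))) return -1;
    memcpy(buf, prefix, plen);
    memcpy(buf + plen, val, len);
    buf[need - 1] = '\0';
    long n = (long)strlen(buf);
    free(heap); /* free(NULL) is a no-op on the stack path */
    return n;
}

/* Constructed input: a 4 MiB value, i.e. "several megabytes". */
long demo_large(void) {
    size_t len = 4u << 20;
    char *val = malloc(len);
    if (!val) return -1;
    memset(val, 'A', len);
    long n = join_safe("FIELD=", val, len);
    free(val);
    return n;
}

int main(void) {
    printf("small: %ld\n", join_safe("FIELD=", "ls -l", 5));
    printf("large: %ld\n", demo_large());
    return 0;
}
```

Building with GCC's -fstack-clash-protection, the option the article credits for Fedora and SUSE, makes the compiler probe each page as the stack grows, so an oversized alloca() faults on the guard page instead of skipping over it.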

The third bug, CVE-2018-16866, appeared in June 2015 (systemd v221) and, Qualys says, was fixed inadvertently in August 2018. In code where the flaw still exists, it could allow an attacker to read out-of-bounds information, resulting in information leakage.

"The risk [of these issues] is a local privilege escalation to root," said Graham. "It's something that should still be a concern because usually attackers don't just use one vulnerability to compromise a system. They often chain vulnerabilities together." ®

