The D in Systemd stands for 'Dammmmit!' A nasty DHCPv6 packet can pwn a vulnerable Linux box

Hole opens up remote-code execution to miscreants – or a crash, if you're lucky


A security bug in Systemd can be exploited over the network to, at best, potentially crash a vulnerable Linux machine, or, at worst, execute malicious code on the box.

The flaw therefore puts Systemd-powered Linux computers – specifically those using systemd-networkd – at risk of remote hijacking: maliciously crafted DHCPv6 packets can try to exploit the programming cockup and arbitrarily change parts of memory in vulnerable systems, leading to potential code execution. This code could install malware, spyware, and other nasties, if successful.

The vulnerability – which was made public this week – sits within the written-from-scratch DHCPv6 client of the open-source Systemd management suite, which is built into various flavors of Linux.

This client is activated automatically if IPv6 support is enabled, and relevant packets arrive for processing. Thus, a rogue DHCPv6 server on a network, or in an ISP, could emit specially crafted router advertisement messages that wake up these clients, exploit the bug, and possibly hijack or crash vulnerable Systemd-powered Linux machines.

Here's the Red Hat Linux summary:

systemd-networkd is vulnerable to an out-of-bounds heap write in the DHCPv6 client when handling options sent by network adjacent DHCP servers. An attacker could exploit this via a malicious DHCP server to corrupt heap memory on client machines, resulting in a denial of service or potential code execution.

Felix Wilhelm, of the Google Security team, was credited with discovering the flaw, designated CVE-2018-15688. Wilhelm found that a specially crafted DHCPv6 network packet could trigger "a very powerful and largely controlled out-of-bounds heap write," which could be used by a remote hacker to inject and execute code.

"The overflow can be triggered relatively easy by advertising a DHCPv6 server with a server-id >= 493 characters long," Wilhelm noted.
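For defenders, the server-id length Wilhelm quotes gives a simple network-side check. The sketch below is an added example, not code from Systemd, Red Hat or the original article: it walks the options of a DHCPv6 Advertise or Reply and flags an oversized Server Identifier. The message and option codes and the 128-byte DUID limit are taken from RFC 8415; the function names, verdict strings and sample packets are constructed for illustration.

```python
import struct

# Added example. Codes and DUID limit per RFC 8415; TRIGGER_LEN is the figure quoted above.
ADVERTISE, REPLY = 2, 7          # server-to-client message types
OPTION_SERVERID = 2
MAX_DUID_LEN = 130               # 2-byte DUID type + at most 128 bytes of identifier
TRIGGER_LEN = 493


def iter_options(payload):
    """Yield (code, value) for each option TLV; raise ValueError if one is truncated."""
    pos = 0
    while pos < len(payload):
        if len(payload) - pos < 4:
            raise ValueError("truncated option header")
        code, length = struct.unpack_from("!HH", payload, pos)
        pos += 4
        if length > len(payload) - pos:
            raise ValueError("option length exceeds packet")
        yield code, payload[pos:pos + length]
        pos += length


def classify(packet):
    """Return 'ignore', 'ok', 'malformed', 'oversized-server-id' or 'cve-2018-15688-size'."""
    if len(packet) < 4 or packet[0] not in (ADVERTISE, REPLY):
        return "ignore"          # not a server-to-client message we inspect
    verdict = "ok"
    try:
        for code, value in iter_options(packet[4:]):   # skip type + 3-byte transaction id
            if code != OPTION_SERVERID:
                continue
            if len(value) >= TRIGGER_LEN:
                return "cve-2018-15688-size"
            if len(value) > MAX_DUID_LEN:
                verdict = "oversized-server-id"        # already outside the spec
    except ValueError:
        return "malformed"
    return verdict


def sample(msg_type, server_id_len):
    """Constructed test input: header, zeroed transaction id, one zero-filled server-id."""
    return bytes([msg_type, 0, 0, 0]) + struct.pack("!HH", OPTION_SERVERID, server_id_len) + bytes(server_id_len)


if __name__ == "__main__":
    for n in (14, 200, 493):
        print(n, classify(sample(ADVERTISE, n)))
```

Because a valid DUID never exceeds 130 bytes including its type code, alerting on the lower "oversized-server-id" verdict catches malformed servers well before the length at which the overflow is reported to trigger.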

In addition to Ubuntu and Red Hat Enterprise Linux, Systemd has been adopted as a service manager for Debian, Fedora, CoreOS, Mint, and SUSE Linux Enterprise Server. We're told RHEL 7, at least, does not use the vulnerable component by default.

Systemd creator Lennart Poettering has already published a security fix for the vulnerable component – this should be weaving its way into distros as we type.

If you run a Systemd-based Linux system, and rely on systemd-networkd, update your operating system as soon as you can to pick up the fix when available and as necessary.

The bug will come as another argument against Systemd as the Linux management tool continues to fight for the hearts and minds of admins and developers alike. Though a number of major admins have in recent years adopted and championed it as the replacement for the old Init era, others within the Linux world seem to still be less than impressed with Systemd and Poettering's occasionally controversial management of the tool. ®
