Major Linux distributions, from Red Hat to Debian, are vulnerable to three bugs in systemd, a Linux initialisation system and service manager in widespread use, California-based security company Qualys said late yesterday.
The systemd vulnerabilities comprise CVE-2018-16864 and CVE-2018-16865, two memory corruptions (attacker-controlled alloca()s), and CVE-2018-16866, an information leak (an out-of-bounds read), Qualys said.
These could be used by a malevolent party to crash systems and potentially steal data, the company said in a System of a Down-themed security advisory. (We anticipate a Lonely Day or two for IT admins…)
The finding is grist to the mill of systemd critics: one describes the system (in widespread use since 2015) as a “monumental increase in complexity, a slap in the face to the Unix philosophy, and its inherent domineering and viral nature turns it into something akin to a ‘second kernel’ that is spreading all across the Linux ecosystem.”
(Update 13:30 10/1/2019: Red Hat says it “is continuing to work on patches for delivery in the near term”.)
Systemd Vulnerabilities: Quelle Surprise?
Researchers at the company said they have developed an exploit for CVE-2018-16865 and CVE-2018-16866 that obtains a local root shell in 10 minutes on i386 and 70 minutes on amd64, on average.
The exploit for CVE-2018-16864 was “accidentally discovered” while working on the exploit for Mutagen Astronomy (CVE-2018-14634).
Qualys’ team said they found that “if we pass several megabytes of command-line arguments to a program that calls syslog(), then journald crashes.”
“To the best of our knowledge, all systemd-based Linux distributions are vulnerable,” they emphasised (bar, well, SUSE Linux Enterprise 15, openSUSE Leap 15.0, and Fedora 28 and 29, as their user space is compiled with GCC’s -fstack-clash-protection).
Patches from those affected are understood to be pending.
The company said it had sent an advisory to Red Hat Product Security on November 26 last year, sent an advisory and patches to linux-distros[at]openwall on December 26 last year, and published its release on January 9, 2019.