Sign up for our newsletter
Technology / Cybersecurity

High Toxicity Linux Vulnerabilities Could Cause System Down for Red Hat, Debian

Major Linux distributions, from Red Hat to Debian, are vulnerable to three bugs in systemd, a Linux initialisation system and service manager in widespread use, California-based security company Qualys said late yesterday.

The systemd vulnerabilities comprise CVE-2018-16864 and CVE-2018-16865, two memory corruptions (attacker-controlled alloca()s) and CVE-2018-16866, an information leak (an out-of-bounds read), Qualys said.

These could be used by a malevolent party to crash systems and potentially steal data, the company said in a System of a Down-themed security advisory. (We anticipate a Lonely Day or two for IT admins…)

The finding is grist to the mill of systemd critics: one describes the system (in widespread use since 2015) as a “monumental increase in complexity, a slap in the face to the Unix philosophy, and its inherent domineering and viral nature turns it into something akin to a “second kernel” that is spreading all across the Linux ecosystem.

White papers from our partners

(Update 13:30 10/1/2019: Red Hat says it “is continuing to work on patches for delivery in the near term“)

Systemd Vulnerabilities: Quelle Surprise?

Researchers at the company said they have developed an exploit for CVE-2018-16865 and CVE-2018-16866 that obtains a local root shell in 10 minutes on i386 and 70 minutes on amd64, on average.

systemd vulnerabilities
Don’t let this happen to your enterprise’s OS

The exploit for CVE-2018-16864 was “accidentally discovered” while working on the exploit for Mutagen Astronomy (CVE-2018-14634).

Qualys’ team said they found that “if we pass several megabytes of command-line arguments to a program that calls syslog(), then journald crashes.

“To the best of our knowledge, all systemd-based Linux distributions are vulnerable” they emphasised, (bar, well, SUSE Linux Enterprise 15, openSUSE Leap 15.0, and Fedora 28 and 29, as their user space is compiled with GCC’s-fstack-clash-protection).

Patches from those affected are understood to be pending.

The company said it had sent an advisory to Red Hat Product Security on November 26 last year; an advisory and patches to linux-distros[at]openwall on December 26 last year and published its release on January 9, 2019.

This article is from the CBROnline archive: some formatting and images may not be present.

CBR Staff Writer

CBR Online legacy content.