New Linux Systemd security holes uncovered
Many Linux sysadmins and users dislike Systemd, but love it or hate it, Systemd is the default system and service manager for most Linux distributions. So security company Qualys's recent disclosure of three new Systemd security vulnerabilities isn't going to win Systemd any friends.
How bad is this trio of trouble? Bad enough: each bug lets an unprivileged local user crash the journal daemon, and two of them have already been chained into a working local root exploit. Worse still, Qualys reports that "To the best of our knowledge, all systemd-based Linux distributions are vulnerable."
Actually, that's not quite true, as Qualys itself notes: "SUSE Linux Enterprise 15, openSUSE Leap 15.0, and Fedora 28 and 29 are not exploitable because their user space is compiled with GCC's -fstack-clash-protection."
That flag protects these distros because it prevents a stack clash from happening. A stack clash is a cousin of the classic stack overflow, but instead of overwriting a return address inside the stack, the attacker makes the program grow its stack by a huge amount in a single step, here through an alloca() whose size the attacker controls. The stack pointer jumps clean over the guard page that normally separates the stack from neighbouring memory mappings, the stack now overlaps another region, and writes that the program believes go to its stack land in that region instead. With -fstack-clash-protection, the compiler touches ("probes") every page of a large stack allocation in turn, so the guard page is hit and the process crashes instead of clashing.
Specifically, CVE-2018-16864 and CVE-2018-16865 are memory corruptions and CVE-2018-16866 is an out-of-bounds memory read, all in systemd-journald, the Systemd component that collects log messages, including those sent through the syslog interface. The memory corruptions are triggered by feeding journald multiple megabytes of data, for example a program with a multi-megabyte command line that then calls syslog(), which makes journald allocate an attacker-sized buffer on its stack. At minimum this crashes systemd-journald; combined, the bugs enable a hostile local user to take over the system.
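To make the bug class concrete, here is an added example (written for this article, not code from systemd or from Qualys's advisory) showing the unbounded-alloca shape behind the two memory corruptions beside a bounded replacement. The cap values and the "stack for small, heap for large, reject above a limit" policy are assumptions for illustration, not systemd's actual patch.

```c
/* Added example (not systemd's or Qualys's code): an alloca() sized by an
 * untrusted peer, next to a bounded replacement. Build: cc -std=c99 -Wall. */
#include <alloca.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Vulnerable shape: the caller (the log sender, in journald's case) picks len.
 * With len in the megabytes, alloca() moves the stack pointer below the guard
 * page in one step and the memcpy lands in whatever mapping sits there.
 * Only ever called here with a tiny len; it exists to show the shape. */
static size_t copy_on_stack_unbounded(const char *msg, size_t len)
{
    char *buf = alloca(len + 1);            /* untrusted size, no check */
    memcpy(buf, msg, len);
    buf[len] = '\0';
    return strlen(buf);
}

/* Hardened shape (assumed fix policy, not systemd's real patch): small
 * messages use a fixed-size stack buffer, larger ones go to the heap, and
 * anything above an absolute limit is refused before any allocation happens,
 * so the peer can neither jump the guard page nor exhaust memory. */
#define STACK_COPY_MAX   4096u        /* assumed: stays within one page */
#define MESSAGE_MAX      (1u << 20)   /* assumed policy limit: 1 MiB */

static bool copy_bounded(const char *msg, size_t len, size_t *out_len)
{
    if (len > MESSAGE_MAX)
        return false;                       /* reject without allocating */

    char stackbuf[STACK_COPY_MAX + 1];      /* fixed size, never attacker-sized */
    char *buf = stackbuf;
    bool heap = false;

    if (len > STACK_COPY_MAX) {
        buf = malloc(len + 1);              /* heap growth cannot clash the stack */
        if (!buf)
            return false;
        heap = true;
    }
    memcpy(buf, msg, len);
    buf[len] = '\0';
    *out_len = strlen(buf);
    if (heap)
        free(buf);
    return true;
}

/* Constructed input for the demo: n bytes of 'A'. Caller frees. */
static char *make_message(size_t n)
{
    char *m = malloc(n + 1);
    if (!m)
        return NULL;
    memset(m, 'A', n);
    m[n] = '\0';
    return m;
}

int main(void)
{
    size_t n = 0;
    char *big = make_message(64 * 1024);    /* 64 KiB: too big for the stack path */

    printf("unbounded, small len: %zu\n", copy_on_stack_unbounded("hello", 5));
    printf("bounded, small:  %s (%zu)\n", copy_bounded("hello", 5, &n) ? "ok" : "rejected", n);
    printf("bounded, 64 KiB: %s (%zu)\n", copy_bounded(big, 64 * 1024, &n) ? "ok" : "rejected", n);
    /* A sender claiming 8 MiB is refused before any buffer is touched. */
    printf("bounded, 8 MiB:  %s\n", copy_bounded("x", (size_t)8 << 20, &n) ? "ok" : "rejected");

    free(big);
    return 0;
}
```

The point of the bounded version is not the particular limits but that the size reaching alloca() is a compile-time constant; any size chosen by the other end of a socket or by another process's command line must be validated and, past a small threshold, moved off the stack.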
Qualys claims to have already "developed an exploit for CVE-2018-16865 and CVE-2018-16866 that obtains a local root shell in 10 minutes on i386 and 70 minutes on amd64."
The company won't be releasing these exploits anytime soon. In the meantime, Red Hat has already released patches for CVE-2018-16864 and CVE-2018-16865, the most serious of the three. Since Systemd's principal developers work at Red Hat, it's expected most Linux distributions will quickly integrate and release these fixes. Until your distribution ships one, don't assume you are covered by the build-flag defence that protects SUSE and Fedora; check your vendor's advisory for a fixed systemd package and update.