Hacking

Systemd flaw could cause the crash or hijack of vulnerable Linux machines

Systemd is affected by a security vulnerability that can be exploited to crash a vulnerable Linux machine, and in the worst case to execute malicious code.

An attacker can trigger the vulnerability using maliciously crafted DHCPv6 packets and modifying portions of memory of the vulnerable systems, potentially causing remote code execution.

The flaw, tracked as CVE-2018-15688, was reported by Felix Wilhelm, from the Google Security team, Wilhelm explained that the overflow can be triggered by an attacker in an easy way by advertising a DHCPv6 server with a server-id >= 493 characters long.

“The function dhcp6_option_append_ia function is used to encode Identity Associations received by the server into the options buffer of an outgoing DHCPv6 packetwrote Wilhelm.

“The function receives a pointer to the option buffer buf, it’s remaining size buflen and the IA to be added to the buffer. While the check at (A) tries to ensure that the buffer has enough space left to store the IA option, it does not take the additional 4 bytes from the DHCP6Option header into account (B). Due to this the memcpy at (C) can go out-of-bound and *buflen can underflow in (D) giving an attacker a very powerful and largely controlled OOB heap write starting at (E). The overflow can be triggered relatively easy by advertising a DHCPv6 server with a server-id >= 493 characters long.”

The flaw resides in the DHCPv6 client of the open-source Systemd management suite that is implemented into several Linux distros (Ubuntu, Red Hat, Debian, Fedora, CoreOS, Mint, and SUSE Linux Enterprise Server).

If the IPv6 support is enabled, the DHCPv6 client of the open-source Systemd management suite is automatically activated to process arriving packers.

Experts pointed out that the DHCPv6 clients could be wake up by specially crafted router advertisement messages sent by a rogue DHCPv6 server on a network, or in an ISP. In both scenarios, the attackers can enable the DHCPv6 clients and trigger the vulnerability to crash or hijack the Systemd-powered Linux machines.

Both Ubuntu and Red Hat Linux published a security advisory on the issue. summary:

systemdnetworkd is vulnerable to an out-of-bounds heap write in the DHCPv6 client when handling options sent by network adjacent DHCP servers. A attacker could exploit this via malicious DHCP server to corrupt heap memory on client machines, resulting in a denial of service or potential code execution.” reads the advisory published by Red Hat.

“Felix Wilhelm discovered that systemd-networkd’s dhcp6 client could be made to write beyond the bounds (buffer overflow) of a heap allocated buffer when responding to a dhcp6 server with an overly-long server-id parameter.” reads the advisory published by Ubuntu.

The author of Systemd, Leonard Poettering, promptly published a security fix for Systemd-based Linux system relying on systemd-networkd.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Systemd, Linux)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Meta plans to train AI on EU user data from May 27 without consent

Meta plans to train AI on EU user data from May 27 without consent; privacy…

3 hours ago

AI in the Cloud: The Rising Tide of Security and Privacy Risks

Over half of firms adopted AI in 2024, but cloud tools like Azure OpenAI raise…

5 hours ago

Google fixed a Chrome vulnerability that could lead to full account takeover

Google released emergency security updates to fix a Chrome vulnerability that could lead to full…

5 hours ago

Nova Scotia Power discloses data breach after March security incident

Nova Scotia Power confirmed a data breach involving the theft of sensitive customer data after…

16 hours ago

Coinbase disclosed a data breach after an extortion attempt

Coinbase confirmed rogue contractors stole customer data and demanded a $20M ransom in a breach…

19 hours ago

U.S. CISA adds a Fortinet flaw to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Fortinet vulnerability to its Known Exploited Vulnerabilities…

1 day ago