Three security bugs found in the popular Linux suite systemd

Pierluigi Paganini January 10, 2019

Experts disclosed three flaws in the systemd, a software suite that provides fundamental building blocks for Linux operating systems.

Security firm Qualys has disclosed three flaws (CVE-2018-16864, CVE-2018-16865, and CVE-2018-16866 ) in a component of systemd, a software suite that provides fundamental building blocks for a Linux operating system used in most major Linux distributions.

The flaws reside in the systemdjournald, a service of the systemd that collects and stores logging data.

Both CVE-2018-16864 and CVE-2018-16865 bugs are memory corruption vulnerabilities, while the CVE-2018-16866 is an out of bounds issue that can lead to an information leak.

Security patches for the three vulnerabilities are included in distro repository since the coordinated disclosure, but some Linux distros such as some versions of Debian remain vulnerable. The flaws cannot be exploited in SUSE Linux Enterprise 15, openSUSE Leap 15.0, and Fedora 28 and 29 because their code is compiled with GCC’s -fstack-clash-protection option.

“CVE-2018-16864 was introduced in April 2013 (systemd v203) and became exploitable in February 2016 (systemd v230). We developed a proof of concept for CVE-2018-16864 that gains eip control on i386.” reads the security advisory.

Qualys experts were working on an exploit for another Linux vulnerability when noticed that passing several megabytes of command-line arguments to a program that calls syslog(), they were able to crash the systemdjournald.

“CVE-2018-16865 was introduced in December 2011 (systemd v38) and became exploitable in April 2013 (systemd v201). CVE-2018-16866 was introduced in June 2015 (systemd v221) and was inadvertently fixed in August 2018.” continues the advisory.

The experts developed a PoC exploit for both CVE-2018-16865 and CVE-2018-16866 that is able to obtain a local root shell in 10 minutes on i386 and 70 minutes on amd64, on average. They plan to publish the exploit code in the near future.

systemd

In an attack scenario against a Linux box, the CVE-2018-16864 can be exploited by a malicious code or an ill-intentioned logged-in user, to crash and hijack the systemdjournald system service, and elevated access previleges. The chaining of the CVE-2018-16865 and CVE-2018-16866 could allow a local attacker to crash or hijack the root-privileged journal service.

The CVE-2018-16865 was found by the experts because surprised by the heavy usage of alloca() in journald, then they focused their work on searching for another attacker-controlled alloca() and found the bug.

The CVE-2018-16866 flaw appeared in June 2015 (v221) and was fixed inadvertently in August 2018.

“We discovered an out-of-bounds read in journald (CVE-2018-16866), and transformed it into an information leak” wrote the experts.

The security firm acknowledged systemd’s developers, Red Hat Product Security, and the members of linux-distros@…nwall.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Linux, hacking)

[adrotate banner=”5″] [adrotate banner=”13″]



you might also like

leave a comment