[sf-lug] Verifiably critical systemd vulnerability anyone?

aaronco36 aaronco36 at SDF.ORG
Tue Jul 20 15:34:54 PDT 2021 

FYI, am using a non-systemd-init Linux distro at the moment.

Quoting OpenCVE's earlier 'CVE-2021-33910' webpage at 
https://www.opencve.io/cve/CVE-2021-33910 :
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
basic/unit-name.c in systemd 220 through 248 has a Memory Allocation with 
an Excessive Size Value (involving strdupa and alloca for a pathname 
controlled by a local attacker) that results in an operating system crash.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

More extensively quoting Steven J. Vaughan-Nichols' more explanatory ZDNet 
article 'Nasty Linux systemd security bug revealed' at 
https://www.zdnet.com/article/nasty-linux-systemd-security-bug-revealed/ :
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Qualsys has found an ugly Linux systemd security hole that can enable any 
unprivileged user to crash a Linux system. The patch is available, and you 
should deploy it as soon as possible.

Systemd[1], the Linux system and service manager that has largely replaced 
init[2] as the master Linux startup and control program, has always had 
its critics. Now, with Qualys's[3] discovery of a new systemd security 
bug[4], systemd will have fewer friends. Successful exploitation of this 
newest vulnerability enables any unprivileged user to cause a denial of 
service via a kernel panic.

In a phrase, "that's bad, that's really bad."

As Bharat Jogi, Qualys's senior manager of Vulnerabilities and Signatures, 
wrote, "Given the breadth of the attack surface for this vulnerability, 
Qualys recommends users apply patches for this vulnerability immediately." 
You can say that again.

Systemd is used in almost all modern Linux distributions. This particular 
security hole arrived in the systemd code in April 2015.

It works by enabling attackers to misuse the alloca() function in a way 
that would result in memory corruption. This, in turn, allows a hacker to 
crash systemd and hence the entire operating system. Practically speaking, 
this can be done by a local attacker mounting a filesystem on a very long 
path[5]. This causes too much memory space to be used in the systemd 
stack, which results in a system crash.

That's the bad news. The good news is that Red Hat Product Security[6] and 
systemd's developers have immediately patched the hole.

There's no way to remedy this problem. While it's not present in all 
current Linux distros, you'll find it in most distros such as the Debian 
10 (Buster)[7] and its relatives like Ubuntu[8] and Mint[9]. Therefore, 
you must, if you value keeping your computers working, patch your version 
of systemd as soon as possible. You'll be glad you did.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

-Aaron


============================================
Numbered, Internally-linked References 
============================================
[1]https://www.freedesktop.org/wiki/Software/systemd/
[2]https://www.lifewire.com/how-to-use-the-init-command-in-linux-4066930
[3]https://www.qualys.com/
[4]https://blog.qualys.com/vulnerabilities-threat-research/2021/07/20/cve-2021-33910-denial-of-service-stack-exhaustion-in-systemd-pid-1
[5]https://access.redhat.com/security/cve/cve-2021-33910
[6]https://access.redhat.com/security
[7]https://www.debian.org/releases/buster/
[8]https://ubuntu.com/
[9]https://linuxmint.com/
============================================

aaronco36 at sdf.org

More information about the sf-lug mailing list