[sf-lug] The sky is [not] falling ... again (Re: Verifiably critical systemd vulnerability anyone?) ... CVE-2021-33910

yru looking maestro415 at gmail.com
Wed Jul 21 14:23:16 PDT 2021

thank you Michael Paoli...

'm......' >>>

message ends.

On Wed, Jul 21, 2021 at 10:15 AM Todd Hawley <celticdm at gmail.com> wrote:

> On Tue, Jul 20, 2021 at 7:22 PM Michael Paoli <
> Michael.Paoli at cal.berkeley.edu> wrote:
> The more-or-less usual, and not a huge deal.
>> Sure, not pretty, but ...
>> Thus far appears it's "only" a DoS vulnerability, and
>> requires local user to be able to run relatively arbitrary commands - or
>> at least certain commands and using relatively arbitrarily long strings.
>> And yes, it can - via our not-so-old frenemy systemd, crash the system
>> by critically running the host out of memory.
>> And yes, Qualsys found it and responsibly disclosed it.
>> But their main article on it:
>> https://blog.qualys.com/vulnerabilities-threat-research/2021/07/20/cve-2021-33910-denial-of-service-stack-exhaustion-in-systemd-pid-1
>> surprise surprise ... not ... spends about 2/3 of it pushing ...
>> of course Qualsys product(s) because, hey, they're a security products
>> vendor.  So, "of course" if they can whip folks into a frenzied panic,
>> and maybe also get 'em to buy more Qualsys security products ... uhm,
>> do we see a problem here?  And unfortunately too many
>> "journalists"/reporters
>> buy the hype and run with stuff like "that's bad, that's really bad.",
>> e.g.:
>> https://www.zdnet.com/article/nasty-linux-systemd-security-bug-revealed/
>> Sure, not pretty, kind'a embarrassing for systemd ... if systemd cares
>> enough to be embarrassed.  But it's not *that* bad.  If one takes it in
>> the context of all the damage a maliciously intended local user on a
>> Linux host can cause ... yeah, crashing the host isn't that big a deal and
>> probably fairly easy to do on most hosts that aren't fairly well hardened
>> to thwart such relatively child's play level attacks from a local user
>> that can run relatively arbitrary unprivileged commands.
> I had to wonder when reading the original post, that how much of this was
> a real "serious
> problem" and how much of this was a vendor trying to hype their products.
> I see
> posts like this periodically on the list and while I appreciate hearing
> about vulns, it seems like
> generally these "news articles" are more about a vendor trying to hype
> their products than
> anything else. It's too bad the reporters don't see through the hype.
> Thanks Michael for
> setting us straight.
> -th
> _______________________________________________
> sf-lug mailing list
> sf-lug at linuxmafia.com
> http://linuxmafia.com/mailman/listinfo/sf-lug
> SF-LUG is at http://www.sf-lug.org/


*~the quieter you become, the more you are able to hear...*
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://linuxmafia.com/pipermail/sf-lug/attachments/20210721/7bb91f19/attachment.html>

More information about the sf-lug mailing list