[sf-lug] The sky is [not] falling ... again (Re: Verifiably critical systemd vulnerability anyone?) ... CVE-2021-33910
maestro415 at gmail.com
Wed Jul 21 14:23:16 PDT 2021
thank you Michael Paoli...
On Wed, Jul 21, 2021 at 10:15 AM Todd Hawley <celticdm at gmail.com> wrote:
> On Tue, Jul 20, 2021 at 7:22 PM Michael Paoli <
> Michael.Paoli at cal.berkeley.edu> wrote:
>> The more-or-less usual, and not a huge deal.
>> Sure, not pretty, but ...
>> Thus far appears it's "only" a DoS vulnerability, and
>> requires local user to be able to run relatively arbitrary commands - or
>> at least certain commands and using relatively arbitrarily long strings.
>> And yes, it can - via our not-so-old frenemy systemd - crash the system
>> by critically running the host out of memory.
>> And yes, Qualys found it and responsibly disclosed it.
>> But their main article on it:
>> surprise surprise ... not ... spends about 2/3 of it pushing ...
>> of course Qualys product(s) because, hey, they're a security products
>> vendor. So, "of course" if they can whip folks into a frenzied panic,
>> and maybe also get 'em to buy more Qualys security products ... uhm,
>> do we see a problem here? And unfortunately too many
>> buy the hype and run with stuff like "that's bad, that's really bad."
>> Sure, not pretty, kind'a embarrassing for systemd ... if systemd cares
>> enough to be embarrassed. But it's not *that* bad. If one takes it in
>> the context of all the damage a maliciously intended local user on a
>> Linux host can cause ... yeah, crashing the host isn't that big a deal and
>> probably fairly easy to do on most hosts that aren't fairly well hardened
>> to thwart such relatively child's play level attacks from a local user
>> that can run relatively arbitrary unprivileged commands.
> I had to wonder when reading the original post how much of this was
> a real "serious problem" and how much of this was a vendor trying to
> hype their products. I see posts like this periodically on the list,
> and while I appreciate hearing about vulns, it seems like generally
> these "news articles" are more about a vendor trying to hype their
> products than anything else. It's too bad the reporters don't see
> through the hype. Thanks Michael for setting us straight.
*~the quieter you become, the more you are able to hear...*