<div dir="ltr"><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Jul 20, 2021 at 7:22 PM Michael Paoli <<a href="mailto:Michael.Paoli@cal.berkeley.edu">Michael.Paoli@cal.berkeley.edu</a>> wrote:</div><div dir="ltr" class="gmail_attr"><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div>The more-or-less usual, and not a huge deal.<br>
Sure, not pretty, but ...<br>
Thus far appears it's "only" a DoS vulnerability, and<br>
requires local user to be able to run relatively arbitrary commands - or<br>
at least certain commands and using relatively arbitrarily long strings.<br>
And yes, it can - via our not-so-old frenemy systemd, crash the system<br>
by critically running the host out of memory.<br>
<br>
And yes, Qualys found it and responsibly disclosed it.<br>
But their main article on it:<br>
<a href="https://blog.qualys.com/vulnerabilities-threat-research/2021/07/20/cve-2021-33910-denial-of-service-stack-exhaustion-in-systemd-pid-1" rel="noreferrer" target="_blank">https://blog.qualys.com/vulnerabilities-threat-research/2021/07/20/cve-2021-33910-denial-of-service-stack-exhaustion-in-systemd-pid-1</a><br>
surprise surprise ... not ... spends about 2/3 of it pushing ...<br>
of course Qualys product(s) because, hey, they're a security products<br>
vendor. So, "of course" if they can whip folks into a frenzied panic,<br>
and maybe also get 'em to buy more Qualys security products ... uhm,<br>
do we see a problem here? And unfortunately too many "journalists"/reporters<br>
buy the hype and run with stuff like "that's bad, that's really bad.", e.g.:<br>
<a href="https://www.zdnet.com/article/nasty-linux-systemd-security-bug-revealed/" rel="noreferrer" target="_blank">https://www.zdnet.com/article/nasty-linux-systemd-security-bug-revealed/</a><br>
Sure, not pretty, kind'a embarrassing for systemd ... if systemd cares<br>
enough to be embarrassed. But it's not *that* bad. If one takes it in<br>
the context of all the damage a maliciously intended local user on a<br>
Linux host can cause ... yeah, crashing the host isn't that big a deal and<br>
probably fairly easy to do on most hosts that aren't fairly well hardened<br>
to thwart such relatively child's play level attacks from a local user<br>
that can run relatively arbitrary unprivileged commands.<br>
</div></blockquote><div> </div><div><div>I had to wonder, when reading the original post, how much of this was a real "serious<br></div><div>problem" and how much of this was a vendor trying to hype their products. I see</div><div>posts like this periodically on the list and while I appreciate hearing about vulns, it seems like</div><div>generally these "news articles" are more about a vendor trying to hype their products than</div><div>anything else. It's too bad the reporters don't see through the hype. Thanks Michael for</div><div>setting us straight.</div><div><br></div><div>-th<br></div>
</div></div></div>