
New SystemD Vulnerability Discovered (theregister.co.uk) 204

The Register reports that a new security bug in systemd "can be exploited over the network to, at best, potentially crash a vulnerable Linux machine, or, at worst, execute malicious code on the box" by a malicious host on the same network segment as the victim. According to one Red Hat security engineer, "An attacker could exploit this via malicious DHCP server to corrupt heap memory on client machines, resulting in a denial of service or potential code execution." According to the bug description, systemd-networkd "contains a DHCPv6 client which is written from scratch and can be spawned automatically on managed interfaces when IPv6 router advertisements are received."

OneHundredAndTen shared this article from the Register: In addition to Ubuntu and Red Hat Enterprise Linux, systemd has been adopted as a service manager for Debian, Fedora, CoreOS, Mint, and SUSE Linux Enterprise Server. We're told RHEL 7, at least, does not use the vulnerable component by default.

Systemd creator Lennart Poettering has already published a security fix for the vulnerable component -- this should be weaving its way into distros as we type. If you run a systemd-based Linux system, and rely on systemd-networkd, update your operating system as soon as you can to pick up the fix when available and as necessary.

  • by telek83 ( 1350439 ) on Saturday October 27, 2018 @03:37PM (#57546139)
    This is what happens when you reinvent everything you possibly can, just 'cuz' but to put the icing on the cake, you run everything as root when you do it...
    • by Type44Q ( 1233630 ) on Saturday October 27, 2018 @04:21PM (#57546287)
      No, don't you see??

      New SystemD Vulnerability Discovered...

      The vulnerability they discovered... was SystemD. It's recursive or a paradox or something. Either way, very fascinating...

      • SystemD was a bad idea from the start.

        The majority opposition to it should have been a clue.

        Nothing at all surprising about this.
    • by Anonymous Coward

      They don't run the modules on privilege-separated processes with minimal privileges?!

      • SIOCSIFADDR SIOCSIFFLAGS SIOCSIFFLAGS and Opening a socket for LPF requires root... unless you do this "sudo setcap CAP_NET_BIND_SERVICE,CAP_NET_RAW=+ep" which no one does, because every upgrade they would have to reset the cap

        So yes the client and the server have to run as root, you would think because they are reinventing the wheel here, they would fix this so it can be run by a user with minimal privileges, so even if a bug like this does happen, they are still limited to what they can do.

    • I am surprised!

      That this is not a weekly occurrence. (Well, weekly Public occurrence...)
    • This is what happens when you reinvent everything you possibly can, just 'cuz' but to put the icing on the cake, you run everything as root when you do it...

      Just imagine what they'd say if it had 12 intentional exploits added! Planet Neckbeard would assplode, probably wipe out the entire Klingon-speaking population of this galaxy.

    • This is what happens when you reinvent everything you possibly can

      New software has bugs? ZOMG someone stop the presses, we need to tell EVERYONE.

      just 'cuz'

      just 'cuz' the old init system didn't meet the requirements set out by a modern OS and there have been no less than 15 other projects attempting to replace it already. But hey, one of them gained traction, so let's pick on that one.

  • First of many (Score:5, Insightful)

    by ArchieBunker ( 132337 ) on Saturday October 27, 2018 @03:41PM (#57546151)

    This is the tip of the iceberg as more spaghetti code will be found. Tell me again why a startup manager also does DNS resolution?

    • I imagine, in Poettering’s long-term plan, systemd is eventually going to include its own X server and its own graphical desktop manager.

      Wish I was joking.

    • Re:First of many (Score:5, Informative)

      by Anonymous Coward on Saturday October 27, 2018 @04:24PM (#57546303)

      It's worse than just doing DNS resolution.

      It has a hardcoded fallback to Google's servers:

      https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=761658

      In spite of repeated explanations about why that is a horrid idea, the maintainers chose to ignore all the objections and proceed full steam ahead.

      • It's worse than just doing DNS resolution.

        It has a hardcoded fallback to Google's servers:

        https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=761658

        In spite of repeated explanations about why that is a horrid idea, the maintainers chose to ignore all the objections and proceed full steam ahead.

        It is mind blowing to read that to begin with but what was worse is reading the refusal to acknowledge the privacy issue and fix it.

      • Re:First of many (Score:5, Insightful)

        by gweihir ( 88907 ) on Saturday October 27, 2018 @10:47PM (#57547583)

        Fascinating. Hardcoded defaults like that are a catastrophe in the making and are only done by complete and utter amateurs with no experience.

        • are only done by complete and utter amateurs with no experience.

          Idiots, maybe. Reckless people, definitely. But calling the person whose code has for many years now underpinned core functionality of multiple distributions "amateur with no experience" is a self defeating insult.

          • by gweihir ( 88907 )

            The thing about Poettering is apparently that he has not acquired any experience in all these years and still only qualifies as an amateur. It is pretty surprising how somebody can be that resistant to learning. So, no, not "self defeating", just accurate in describing his capabilities, if not his history.

            • The thing about Poettering is apparently that he has not acquired any experience in all these years and still only qualifies as an amateur.

              On account of the fact that he is both paid for his work and continues to do it your insult remains self-defeating. Come on, pick something more appropriate.

    • by gweihir ( 88907 )

      Because the designer is a smart moron that does not learn and never grasped why KISS is so essential to all good engineering. An amateur at work.

    • This is the tip of the iceberg as more spaghetti code will be found. Tell me again why a startup manager also does DNS resolution?

      I've been in software QA since '93 and a *nix user just as long... here's where there is real danger in systemd. Because the more complex, intertwined, and less elegant the codebase, the more likely fixing bugs will introduce or uncover more. People have always ignored this aspect of the *nix philosophy, or rather maybe just inherently understood it. I don't know how many times over the years I have seen a bugfix cause havoc in a monolithic spaghetti codebase. Then of course, you try to quickly fix thos

  • by sombragris ( 246383 ) on Saturday October 27, 2018 @03:42PM (#57546161) Homepage

    Slackware does not use systemd and therefore is not affected by this vulnerability.

    At least in this case, the KISS philosophy paid well.

    • by Anonymous Coward on Saturday October 27, 2018 @03:51PM (#57546187)

      It's a relief to hear that all four of you are safe.

    • by ortholattice ( 175065 ) on Saturday October 27, 2018 @06:20PM (#57546737)

      I used Debian for over a decade before systemd and loved it. I'm not qualified to judge the merits of systemd, but when it was brought into Debian many things I was used to were suddenly different, with knowledge I learned over the years no longer of value. I don't mind learning new things, but I don't like them foisted on me gratuitously for no reason, especially since I had a lot more important stuff going on at the time.

      I switched my server to Devuan and am extremely happy with it. It was a breath of fresh air to see what I thought of as "Debian" back again. So far I've had zero problems, from installation to daily use, and I don't expect I will use Debian again.

      • by gweihir ( 88907 )

        I am currently still with Debian and just rip out the cancer. When that stops working, I will move to Devuan.

      • As someone whose servers updated to Debian-with-systemd: is it possible to migrate to a systemd-free Debian (Devuan or some other) without re-installing, in a safe way?
    • Gen too.
    • The BSD's are avoiding this nightmare also.
    • Nor does opensuse use this particular module as it's very very optional
    • Slackware does not use systemd and therefore is not affected by this vulnerability.

      Ubuntu uses systemd and like all other reasonable distributions patched the bug straight away and is therefore not affected by this vulnerability.

  • by Billly Gates ( 198444 ) on Saturday October 27, 2018 @03:49PM (#57546175) Journal

    Goes back to working on some FreeBSD vms.

    • Goes back to working on some FreeBSD vms.

      I'll just leave this here https://www.cvedetails.com/vul... [cvedetails.com]

      • by syzler ( 748241 )

        *Laughs* Goes back to working on some 300+ Slackware VMs.

        BTW, the site only lists 2 vulnerabilities for CentOS since 2012, so I don't think it uses as complete a dataset as you think. As an example there have been at least 10 high severity OpenSSL vulnerabilities which affected CentOS since 2012 and neither of the 2 CentOS vulnerabilities listed on the site you provided are for OpenSSL packages.

        • *Laughs* Goes back to working on some 300+ Slackware VMs.

          BTW, the site only lists 2 vulnerabilities for CentOS since 2012, so I don't think it uses as complete a dataset as you think. As an example there have been at least 10 high severity OpenSSL vulnerabilities which affected CentOS since 2012 and neither of the 2 CentOS vulnerabilities listed on the site you provided are for OpenSSL packages.

          Whoosh. Your "Ermagherd. I use FreeBSD so I am superior and safe" is just the opposite side of the coin of the Windows fanbois who strut around like cock-a-whoops when some other OS has any vulnerability at all, as if a few is somehow the equivalent of the hella batch of Windows problems.

          So anyhow, if you want to believe that you are immune from the problems that us Proles have, by all means, crack open a cold one, and toast your wisdom in picking the system that is safe. Laugh away.

      • None of the vulnerabilities listed which are against currently supported versions of FreeBSD allow the attacker to gain access level, unlike this SystemD bug.
        • None of the vulnerabilities listed which are against currently supported versions of FreeBSD allow the attacker to gain access level, unlike this SystemD bug.

          Well then FreeBSD is impervious to attack, and will never suffer. I don't care what the dates are, I'm trying to impress you with the fact that laughing at other vulnerabilities is the old pride goeth before a fall. But don't let me stop you. Most of the FreeBSD users I've met have a nasty whiff of superiority. Doesn't really smell all that good.

          Seriously, are you FreeBSD users so arrogant that you refuse to believe your vaunted OS can be compromised? And if you don't understand or get that, well good on

  • Devuan! (Score:2, Informative)

    by Anonymous Coward

    one more reason to run Devuan!

  • Oh Pottering. (Score:5, Interesting)

    by 0100010001010011 ( 652467 ) on Saturday October 27, 2018 @04:34PM (#57546347)

    I am not sure I'd consider this much of a problem. Yeah, it's a UNIX pitfall, but "rm -rf /foo/.*" will work the exact same way, no?

    tmpfiles: R! /dir/.* destroys root [github.com]

    Yes, as you found out "0day" is not a valid username. I wonder which tool permitted you to create it in the first place. Note that not permitting numeric first characters is done on purpose: to avoid ambiguities between numeric UID and textual user names.

    So, yeah, I don't think there's anything to fix in systemd here. I understand this is annoying, but still: the username is clearly not valid.

    systemd can't handle the process previlege that belongs to user name startswith number, such as 0day [github.com]

    I tested Ubuntu, Debian, FreeBSD, and OpenSolaris, 0day is a perfectly valid username.

    How did anyone that lacked that much understanding about UNIX get in charge of the init system?

    • by cats-paw ( 34890 )

      how is it that many of the major Linux distributions picked up systemd?

      Not only was it a terrible idea, but people who should know better put it into their systems knowing it was a terrible idea.

      • This is actually the question that's asking for an answer.

        People develop shabby software for Linux all the time. That happens daily, multiple times. For every good project there's at least 100 crappy ones. So it should be no surprise that there is of course also a crappy init process.

        The actual question is why it became the go-to init process for all major distributions.

    • Re:Oh Pottering. (Score:5, Informative)

      by Gravis Zero ( 934156 ) on Saturday October 27, 2018 @07:45PM (#57547005)

      Yes, as you found out "0day" is not a valid username.

      I tested Ubuntu, Debian, FreeBSD, and OpenSolaris, 0day is a perfectly valid username.

      Oh it's more than just that, I checked the POSIX standard and this rule of his is entirely invented.

      per the POSIX standard: [opengroup.org]

      A string that is used to identify a user; see also User Database. To be portable across systems conforming to POSIX.1-2017, the value is composed of characters from the portable filename character set. The <hyphen-minus> character should not be used as the first character of a portable user name.

      so what's the portable filename character set? [opengroup.org]

      A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
      a b c d e f g h i j k l m n o p q r s t u v w x y z
      0 1 2 3 4 5 6 7 8 9 . _ -

      What's this mean? On POSIX your username can be "007", "4-8_" or "._-" if you want it to be.

      Lennart is full of shit and cannot admit he didn't even consider the standard when designing systemd.
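
Added example, not part of the thread and not systemd's code: the check below applies the POSIX portable user name definition quoted in the comment above to a passwd-format listing, and separates out names that a stricter no-leading-digit rule (the policy described in the quoted GitHub reply) would refuse. The sample entries, function names and verdict labels are constructed for illustration.

```python
import re

# POSIX.1-2017 portable filename character set: A-Z a-z 0-9 . _ -
PORTABLE = re.compile(r"[A-Za-z0-9._-]+")
ALL_DIGITS = re.compile(r"[0-9]+")

# Constructed passwd-format sample; not taken from any real system.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
0day:x:1001:1001::/home/0day:/bin/sh
007:x:1002:1002::/home/007:/bin/sh
4-8_:x:1003:1003::/home/4-8_:/bin/sh
._-:x:1004:1004::/home/dots:/bin/sh
-bad:x:1005:1005::/home/bad:/bin/sh
"""


def posix_portable(name: str) -> bool:
    """Portable user name: portable filename characters, no leading hyphen."""
    return bool(PORTABLE.fullmatch(name)) and not name.startswith("-")


def verdict(name: str) -> str:
    """Classify a name under the POSIX rule and the stricter leading-digit rule."""
    if not posix_portable(name):
        return "not-portable"
    if ALL_DIGITS.fullmatch(name):
        # Only an all-digit name can be read as a numeric UID.
        return "uid-ambiguous"
    if name[0].isdigit():
        # Portable per POSIX, but refused by a no-leading-digit policy.
        return "posix-only"
    return "passes-both"


def audit(passwd_text: str) -> dict:
    """Map each login name in passwd-format text to its verdict."""
    result = {}
    for line in passwd_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name = line.split(":", 1)[0]
        result[name] = verdict(name)
    return result


if __name__ == "__main__":
    for name, v in audit(SAMPLE_PASSWD).items():
        print(f"{name!r:10} {v}")
```

Accounts reported as `posix-only` or `uid-ambiguous` are the ones worth reviewing before a tool with stricter name validation is pointed at them.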

  • when you pry it out of my cold dead hands.

    So glad I ditched SystemD distros for my servers....

  • Emacs was said to be a perfectly good OS with built-in text editor.

    When handling modular software, one module should do one thing and do it well, but the framework is responsible for ensuring deadlocks, crashes and security defects are confined to the module suffering them. Do that and it doesn't matter how buggy a component is, there's no contagion.

  • I was turned off by systemD and the direction Linux distros are taking by adopting it as it seems a departure from the Unix philosophy. I was also turned off by the restrictive communication/behaviour rules forced upon the FreeBSD community. So I decided to give OpenBSD a shot and was pleasantly surprised. You can perform a lot of server functions with just the base system, working with it is intuitive, and it's surprisingly up-to-date.
    • by Anonymous Coward

      One of the less appreciated aspects of OpenBSD is the quality of its documentation. They spend an enormous amount of effort to make the manual pages a complete, definitive, and readable reference for the system.

      Countless times I've solved a problem or performed a new task in OpenBSD only by consulting manpages, where in other systems I would be searching stackoverflow, reading an out of date random howto, or checking some shitty web forum. Until you've experienced it you don't know how much time that saves.

    • Let me tell you about our Good Lord Gentoo. In his infinite wisdom, he combined the best of BSD with the hardware compatibility of the Linux kernel and the exquisite kindness of the GNU userland. The private keys to his kingdom are just an emerge away, or about seven days of compiling. (If you're going to say something clever about it, please redirect your laughs at the BSD crowd, because that's where we got the idea.)
  • by Anonymous Coward

    Won't fix. Just like all other systemd bugs.

    • by sgage ( 109086 )

      Won't use. I do not want to have anything to do with systemd, or Lennart Poettering, if I can help it. I am very happy with Devuan.

  • It's not re-inventing that they keep doing.

    It's laziness.

    "Why do I have to READ someone ELSE's manual and learn some large API I can't easily understand... when I could do something FUN like parse XML's using regular expressions!"

    • by gweihir ( 88907 )

      The hallmark of utter amateurs. All great engineers stand on the shoulders of giants. These here crawl in the mud while congratulating themselves how great they are.

    • If you think that you've solved a problem using regex, I'm here to inform you that you now have two problems.
  • Comment removed based on user account deletion
  • by what about ( 730877 ) on Sunday October 28, 2018 @01:45AM (#57548021) Homepage

    It has been done to avoid all of this.

    Support and donate, otherwise the systemd cancer will kill Linux

    This was the plan all along

  • I was reading through the discussion on the Debian bug site [debian.org] and Martin has some crazy ideas. He thinks that eventually the default mail router should be gmail and that /etc/resolv.conf will be removed.
