The code, which could sit comfortably in a single tweet, was unearthed by security researcher Andrew Ayer. In a blog post titled “How to Crash Systemd in One Tweet”, he showed that the following command, run as any local user on an affected system, will crash systemd:

NOTIFY_SOCKET=/run/systemd/notify systemd-notify ""

“After running this command, PID 1 is hung in the pause system call. You can no longer start and stop daemons. inetd-style services no longer accept connections. You cannot cleanly reboot the system. The system feels generally unstable (e.g. ssh and su hang for 30 seconds since systemd is now integrated with the login system),” said Ayer.

“All of this can be caused by a command that’s short enough to fit in a Tweet,” Ayer continued.

According to the researcher, the bug has existed for over two years and is serious because it “allows any local user to trivially perform a denial-of-service attack against a critical system component”.

“The above systemd-notify command sends a zero-length message to the world-accessible UNIX domain socket located at /run/systemd/notify. PID 1 receives the message and fails an assertion that the message length is greater than zero,” he added.
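The failure mode Ayer describes is a receiver that treats "the datagram arrived" as "the datagram is non-empty". The script below is an added example, written for this page; it is not Ayer's code and not systemd's source. It stands up a throwaway AF_UNIX datagram socket in a temporary directory (a stand-in for the real /run/systemd/notify), sends it both a zero-length message and a normal sd_notify-style message, and runs two constructed receivers over what arrives: one that asserts on the length, as the article says PID 1 did, and one that ignores empty datagrams. The socket path, the receiver functions and the sample messages are all assumptions made for the demonstration.

```python
"""Zero-length datagram versus an asserting receiver (added example, not systemd code)."""
import os
import socket
import tempfile

# Constructed sample messages in the KEY=VALUE\n format sd_notify(3) uses.
EMPTY_MESSAGE = b""                       # what `systemd-notify ""` sends
READY_MESSAGE = b"READY=1\nSTATUS=up\n"   # a normal readiness notification


def _parse_fields(data: bytes) -> dict:
    """Split a notification datagram into its KEY=VALUE fields."""
    fields = {}
    for line in data.split(b"\n"):
        key, sep, value = line.partition(b"=")
        if sep:  # skip blank lines and lines without '='
            fields[key.decode()] = value.decode(errors="replace")
    return fields


def receive_asserting(data: bytes) -> dict:
    """Receiver modelled on the described bug: a non-empty datagram is assumed."""
    assert len(data) > 0, "notification message must be non-empty"
    return _parse_fields(data)


def receive_hardened(data: bytes):
    """Receiver that treats a zero-length datagram as 'nothing to do'."""
    if len(data) == 0:
        return None  # ignore, do not abort the process
    return _parse_fields(data)


def deliver(receiver, payload: bytes):
    """Send `payload` over a fresh AF_UNIX datagram socket and hand what
    arrives to `receiver`. Returns ("ok", result) or ("crash", reason)."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "notify")  # stand-in for /run/systemd/notify
    server = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    client = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    try:
        server.bind(path)
        os.chmod(path, 0o666)  # the real notify socket is world-writable
        server.settimeout(2)
        client.sendto(payload, path)
        data, _ = server.recvfrom(4096)  # b"" for a zero-length datagram
        try:
            return ("ok", receiver(data))
        except AssertionError as exc:
            # In PID 1 a failed assert aborts the init process; here we report it.
            return ("crash", str(exc))
    finally:
        client.close()
        server.close()
        os.unlink(path)
        os.rmdir(tmpdir)


if __name__ == "__main__":
    for name, receiver in (("asserting", receive_asserting), ("hardened", receive_hardened)):
        for label, msg in (("empty", EMPTY_MESSAGE), ("ready", READY_MESSAGE)):
            print(f"{name:9s} receiver, {label} message -> {deliver(receiver, msg)}")
```

The point of running it rather than reading it is the zero-length case: the kernel does deliver an empty datagram, recvfrom() returns it as zero bytes, and whichever branch the receiver takes on that value is the whole difference between a logged no-op and an aborted PID 1.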

He said that systemd’s problems run far deeper than this one bug and that the whole system is “defective by design”.

He added that although almost every Linux distribution now uses systemd as its init system, init was a soft target for systemd because the systems it replaced were so bad.

David Timothy Strauss, CTO and co-founder of Pantheon, called the vulnerability a “minor security issue” in a blog post critical of Ayer.

“Not only is the current security issue among the lowest risk classes by being local-only and denial-of-service (versus information disclosure or privilege escalation), but most of Ayer’s claims are either wrong or misleading,” Strauss said.

In a follow-up blog post, Ayer hit back and said that Strauss “vastly overstates the value of these (systemd) features”.

“The best systemd can offer is whole application sandboxing. You can start a daemon as a non-root user, in a restricted filesystem namespace, with mandatory access control,” Ayer said.

This article originally appeared at scmagazineuk.com
