New SystemD Vulnerability Discovered

The Register reports that a new security bug in systemd "can be exploited over the network to, at best, potentially crash a vulnerable Linux machine, or, at worst, execute malicious code on the box" by a malicious host on the same network segment as the victim. According to one Red Hat security engineer, "An attacker could exploit this via malicious DHCP server to corrupt heap memory on client machines, resulting in a denial of service or potential code execution." According to the bug description, systemd-networkd "contains a DHCPv6 client which is written from scratch and can be spawned automatically on managed interfaces when IPv6 router advertisements are received."

OneHundredAndTen shared this article from the Register: In addition to Ubuntu and Red Hat Enterprise Linux, systemd has been adopted as a service manager for Debian, Fedora, CoreOS, Mint, and SUSE Linux Enterprise Server. We're told RHEL 7, at least, does not use the vulnerable component by default.

Systemd creator Leonard Poettering has already published a security fix for the vulnerable component -- this should be weaving its way into distros as we type. If you run a systemd-based Linux system, and rely on systemd-networkd, update your operating system as soon as you can to pick up the fix when available and as necessary.

Re:First of many

It's worse than just doing DNS resolution.

It has a hardcoded fallback to Google's servers:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=761658

In spite of repeated explanations about why that is a horrid idea, the maintainers chose to ignore all the objections and proceed full steam ahead.

Devuan!

one more reason to run Devuan!

Re:Really, is anyone surprised?

[telek83]

Agreed, bind's configuration is obtuse and does need fixing, so rather then rewriting a completely different client with the same set of bugs that have already been fixed, why not fork bind, fix the configuration so it's something more sane and then if people like it, they will use it, or ISC will pull the forks changes back into the main fork of bind, if you look at the problems that need to be solved, most of the time there is no need to a complete rewrite, You can see this is true for most things out there, despite this, people almost always try to reinvent the wheel anyways.

Re:Slackware: not affected.

[ortholattice]

I used Debian for over a decade before systemd and loved it. I'm not qualified to judge the merits of systemd, but when it was brought into Debian many things I was used to were suddenly different, with knowledge I learned over the years no longer of value. I don't mind learning new things, but I don't like them foisted on me gratuitously for no reason, especially since I had a lot more important stuff going on at the time.

I switched my server to Devuan and am extremely happy with it. It was a breath of fresh air to see what I thought of as "Debian" back again. So far I've had zero problems, from installation to daily use, and I don't expect I will use Debian again.

Re:Oh Pottering.

[Gravis+Zero]

Yes, as you found out "0day" is not a valid username.

I tested Ubuntu, Debian, FreeBSD, and OpenSolaris, 0day is a perfectly valid username.

Oh it's more than just that, I checked the POSIX standard and this rule of his is entirely invented.

per the POSIX standard:

A string that is used to identify a user; see also User Database. To be portable across systems conforming to POSIX.1-2017, the value is composed of characters from the portable filename character set. The <hyphen-minus> character should not be used as the first character of a portable user name.

so what's the portable filename character set?

A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
a b c d e f g h i j k l m n o p q r s t u v w x y z
0 1 2 3 4 5 6 7 8 9 . _ -

What's this mean? On POSIX your username can be "007", "4-8_" or "._-" if you want it to be.

Lennart is full of shit and cannot admit he didn't even consider the standard when designing systemd.