New SystemD Vulnerability Discovered

The Register reports that a new security bug in systemd "can be exploited over the network to, at best, potentially crash a vulnerable Linux machine, or, at worst, execute malicious code on the box" by a malicious host on the same network segment as the victim. According to one Red Hat security engineer, "An attacker could exploit this via malicious DHCP server to corrupt heap memory on client machines, resulting in a denial of service or potential code execution." According to the bug description, systemd-networkd "contains a DHCPv6 client which is written from scratch and can be spawned automatically on managed interfaces when IPv6 router advertisements are received."

OneHundredAndTen shared this article from the Register: In addition to Ubuntu and Red Hat Enterprise Linux, systemd has been adopted as a service manager for Debian, Fedora, CoreOS, Mint, and SUSE Linux Enterprise Server. We're told RHEL 7, at least, does not use the vulnerable component by default.

Systemd creator Leonard Poettering has already published a security fix for the vulnerable component -- this should be weaving its way into distros as we type. If you run a systemd-based Linux system, and rely on systemd-networkd, update your operating system as soon as you can to pick up the fix when available and as necessary.

Really, is anyone surprised?

[telek83]

This is what happens when you reinvent everything you possible can, just 'cuz' but to put the icing on the cake, you run everything as root when you do it...

Re:Really, is anyone surprised?

That's the thing, isn't it? The millionth windows vulnerability and still saying "well any code has bugs". Sure it does. But the rebuttal is essentially saying that all code is created equal. That's just not true. Some code is very much more equal than others.

This guy doesn't merely write crap code, he has a track record of not playing well with others, refusing to acknowledge bugs, expecting other software projects to work around and make up for his mistakes, and so on, and so forth. Next to his track record, there are multiple reasons why his code has more and more pernicious bugs than other code. One of the reasons is as GP says: The code tries to do too much and fails to make use of built-in fall-out protection, deliberately. That's just stupid. The guy has been told, and he still thinks it's a good idea. He really believes his shit does not stink. Ergo, the guy is stupid, as well as an asshole.

If I get a choice at all, it is clear: I do not want any of his code running on my systems if I can at all help it.

Re:Really, is anyone surprised?

[telek83]

While no one writes perfect code, when rewriting code for no good reason either then wanting to, the code itself should have at least be as good as the previous implementation, and as it stands dhclient6 and isc-dhcp-server do not have this problem.

I don't have a problem with SystemD, I have a problem with anyone who tries to modernize some software but doesn't take into account of why things were written the way they were in the fist place... it's like the DNS resolve bugs... had the developers even bothered to look into bind's history, they would have never made the same mistakes... why take 1 step forward and all the steps back, just to rewrite software that has worked in the first place? This goes for any project, not just SystemD, not just Wayland or any of the "next-generation"projects... all reincarnations of software should take into the account of the previous implementations bugs, doing anything else is completely irresponsible and childish on the developers part, it sends a massage of "I can write better code then you" while in reality making all the mistakes the previous implementation made and more.

This whole "I am better then thou" s**t should end, it only makes people look like idiots

Re:Really, is anyone surprised?

[alvinrod]

This guy doesn't merely write crap code, he has a track record of not playing well with others, refusing to acknowledge bugs, expecting other software projects to work around and make up for his mistakes, and so on, and so forth.

All of that's a valid reason for not liking SystemD, and touches on my own dislike for it as well. However, the fact that it had a vulnerability in it isn't a good reason to dislike it for the sake of that reason alone, unless you're willing to dislike any other software that has had a vulnerability equally much. Don't conflate dislike of a thing for valid reasons with reasons that you wouldn't use or apply in other cases.

To put it another way, if you found out that a person you already disliked once ran over someone's dog, you might use that act itself to condemn them as a terrible person. However, it's unlikely that if your friend ran over someone's dog that you'd think using that act to condemn them as a terrible person would be justified. If you want to think less of a person for running over a dog, do it in equal amounts irrespective of how you felt about that person prior to them running over someone's dog.

That's the thing, isn't it? The millionth windows vulnerability and still saying "well any code has bugs". Sure it does. But the rebuttal is essentially saying that all code is created equal.

It obviously isn't, and I don't think anyone would honestly argue that all code (or designs, or programmers, etc.) is equal with a straight face. No one's forcing anyone to use crap code, especially in the open source community. If this were Windows, you'd just be stuck with it like all of the other crap that Microsoft has shoved off on people over the years.

Re:Really, is anyone surprised?

[gweihir]

The code tries to do too much and fails to make use of built-in fall-out protection, deliberately. That's just stupid. The guy has been told, and he still thinks it's a good idea. He really believes his shit does not stink. Ergo, the guy is stupid, as well as an asshole.

All classical beginner's mistakes. This guy is not a beginner, but still makes bad beginner's mistakes. Because of his unlimited arrogance, he does not learn. Classical Dunning-Kruger sufferer. Now how anybody ever thought using code from this person was a good idea is beyond me.

We can also expect this stuff to go bad exceptionally fast when Poettering loses interest, as the code is too complex and to badly documented to be maintainable.

If I get a choice at all, it is clear: I do not want any of his code running on my systems if I can at all help it.

Depending on the defaults, I either rip this crap out after installation or do not install it in the first place. My employer does the same as a matter of policy. Has not caused any problems so far and probably prevented a ton of them. Usually the problems with systemd start right after installation for me, as I do have a network-setup that is not quite standard. The only other system that has these problems is Windows, and it has it to a lesser degree these days.

First of many

[ArchieBunker]

This is the tip of the iceburg as more spaghetti code will be found. Tell me again why a startup manager also does DNS resolution?

Re:First of many

[gweihir]

Fascinating. Hardcoded defaults like that are a catastrophe in the making and are only done by complete and utter amateurs with no experience.

Slackware: not affected.

[sombragris]

Slackware does not use systemd and therefore is not affected by this vulnerability.

At least in this case, the KISS philosophy paid well.