Slashdot Mirror


New SystemD Vulnerability Discovered (theregister.co.uk)

The Register reports that a new security bug in systemd "can be exploited over the network to, at best, potentially crash a vulnerable Linux machine, or, at worst, execute malicious code on the box" by a malicious host on the same network segment as the victim. According to one Red Hat security engineer, "An attacker could exploit this via malicious DHCP server to corrupt heap memory on client machines, resulting in a denial of service or potential code execution." According to the bug description, systemd-networkd "contains a DHCPv6 client which is written from scratch and can be spawned automatically on managed interfaces when IPv6 router advertisements are received."

OneHundredAndTen shared this article from the Register: In addition to Ubuntu and Red Hat Enterprise Linux, systemd has been adopted as a service manager for Debian, Fedora, CoreOS, Mint, and SUSE Linux Enterprise Server. We're told RHEL 7, at least, does not use the vulnerable component by default.

Systemd creator Leonard Poettering has already published a security fix for the vulnerable component -- this should be weaving its way into distros as we type. If you run a systemd-based Linux system, and rely on systemd-networkd, update your operating system as soon as you can to pick up the fix when available and as necessary.

35 of 204 comments

  1. Really, is anyone surprised? by telek83 · · Score: 5, Insightful

    This is what happens when you reinvent everything you possibly can, just 'cuz', but to put the icing on the cake, you run everything as root when you do it...

    1. Re:Really, is anyone surprised? by Anonymous Coward · · Score: 5, Insightful

      That's the thing, isn't it? The millionth Windows vulnerability and still saying "well any code has bugs". Sure it does. But the rebuttal is essentially saying that all code is created equal. That's just not true. Some code is very much more equal than others.

      This guy doesn't merely write crap code, he has a track record of not playing well with others, refusing to acknowledge bugs, expecting other software projects to work around and make up for his mistakes, and so on, and so forth. Next to his track record, there are multiple reasons why his code has more and more pernicious bugs than other code. One of the reasons is as GP says: The code tries to do too much and fails to make use of built-in fall-out protection, deliberately. That's just stupid. The guy has been told, and he still thinks it's a good idea. He really believes his shit does not stink. Ergo, the guy is stupid, as well as an asshole.

      If I get a choice at all, it is clear: I do not want any of his code running on my systems if I can at all help it.

    2. Re:Really, is anyone surprised? by telek83 · · Score: 5, Insightful

      While no one writes perfect code, when rewriting code for no good reason other than wanting to, the code itself should at least be as good as the previous implementation, and as it stands dhclient6 and isc-dhcp-server do not have this problem.

      I don't have a problem with SystemD, I have a problem with anyone who tries to modernize some software but doesn't take into account why things were written the way they were in the first place... it's like the DNS resolver bugs... had the developers even bothered to look into bind's history, they would have never made the same mistakes... why take 1 step forward and all the steps back, just to rewrite software that has worked in the first place? This goes for any project, not just SystemD, not just Wayland or any of the "next-generation" projects... all reincarnations of software should take into account the previous implementation's bugs; doing anything else is completely irresponsible and childish on the developers' part. It sends a message of "I can write better code than you" while in reality making all the mistakes the previous implementation made and more.

      This whole "I am better than thou" s**t should end, it only makes people look like idiots

    3. Re: Really, is anyone surprised? by Type44Q · · Score: 5, Funny

      No, don't you see??

      New SystemD Vulnerability Discovered...

      The vulnerability they discovered... was SystemD. It's recursive or a paradox or something. Either way, very fascinating...

    4. Re:Really, is anyone surprised? by telek83 · · Score: 5, Informative

      Agreed, bind's configuration is obtuse and does need fixing, so rather than rewriting a completely different client with the same set of bugs that have already been fixed, why not fork bind, fix the configuration so it's something more sane, and then if people like it, they will use it, or ISC will pull the fork's changes back into the main fork of bind. If you look at the problems that need to be solved, most of the time there is no need for a complete rewrite. You can see this is true for most things out there; despite this, people almost always try to reinvent the wheel anyways.

    5. Re:Really, is anyone surprised? by telek83 · · Score: 2

      SIOCSIFADDR SIOCSIFFLAGS SIOCSIFFLAGS and Opening a socket for LPF requires root... unless you do this "sudo setcap CAP_NET_BIND_SERVICE,CAP_NET_RAW=+ep" which no one does, because every upgrade they would have to reset the cap

      So yes, the client and the server have to run as root. You would think, because they are reinventing the wheel here, they would fix this so it can be run by a user with minimal privileges, so even if a bug like this does happen, they are still limited in what they can do.

    6. Re:Really, is anyone surprised? by alvinrod · · Score: 4, Insightful

      This guy doesn't merely write crap code, he has a track record of not playing well with others, refusing to acknowledge bugs, expecting other software projects to work around and make up for his mistakes, and so on, and so forth.

      All of that's a valid reason for not liking SystemD, and touches on my own dislike for it as well. However, the fact that it had a vulnerability in it isn't a good reason to dislike it for the sake of that reason alone, unless you're willing to dislike any other software that has had a vulnerability equally much. Don't conflate dislike of a thing for valid reasons with reasons that you wouldn't use or apply in other cases.

      To put it another way, if you found out that a person you already disliked once ran over someone's dog, you might use that act itself to condemn them as a terrible person. However, it's unlikely that if your friend ran over someone's dog that you'd think using that act to condemn them as a terrible person would be justified. If you want to think less of a person for running over a dog, do it in equal amounts irrespective of how you felt about that person prior to them running over someone's dog.

      That's the thing, isn't it? The millionth windows vulnerability and still saying "well any code has bugs". Sure it does. But the rebuttal is essentially saying that all code is created equal.

      It obviously isn't, and I don't think anyone would honestly argue that all code (or designs, or programmers, etc.) is equal with a straight face. No one's forcing anyone to use crap code, especially in the open source community. If this were Windows, you'd just be stuck with it like all of the other crap that Microsoft has shoved off on people over the years.

    7. Re:Really, is anyone surprised? by gweihir · · Score: 4, Insightful

      The code tries to do too much and fails to make use of built-in fall-out protection, deliberately. That's just stupid. The guy has been told, and he still thinks it's a good idea. He really believes his shit does not stink. Ergo, the guy is stupid, as well as an asshole.

      All classical beginner's mistakes. This guy is not a beginner, but still makes bad beginner's mistakes. Because of his unlimited arrogance, he does not learn. Classical Dunning-Kruger sufferer. Now how anybody ever thought using code from this person was a good idea is beyond me.

      We can also expect this stuff to go bad exceptionally fast when Poettering loses interest, as the code is too complex and too badly documented to be maintainable.

      If I get a choice at all, it is clear: I do not want any of his code running on my systems if I can at all help it.

      Depending on the defaults, I either rip this crap out after installation or do not install it in the first place. My employer does the same as a matter of policy. Has not caused any problems so far and probably prevented a ton of them. Usually the problems with systemd start right after installation for me, as I do have a network-setup that is not quite standard. The only other system that has these problems is Windows, and it has it to a lesser degree these days.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    8. Re:Really, is anyone surprised? by Rockoon · · Score: 2

      This guy doesn't merely write crap code, he has a track record of not playing well with others, refusing to acknowledge bugs, expecting other software projects to work around and make up for his mistakes, and so on, and so forth.

      Exaggerations aside, the key point is that even the best programmers with the best intent cannot reinvent the wheel without consequences. The motivation for reinventing the wheel is that the current code is ugly and hard to maintain. So off they go writing the replacement temple. What happens is that all the stuff that they thought was ugly was a bugfix or in another way necessary. Their temple grows ugly. The bugs were reinvented too.

      --
      "His name was James Damore."
    9. Re:Really, is anyone surprised? by AmiMoJo · · Score: 2

      Although in this case the person responsible seems to be Patrik Flykt, who added the code with this commit about 4 years ago: https://github.com/systemd/sys...

      Poettering committed the fix.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  2. First of many by ArchieBunker · · Score: 5, Insightful

    This is the tip of the iceberg as more spaghetti code will be found. Tell me again why a startup manager also does DNS resolution?

    --
    Only the State obtains its revenue by coercion. - Murray Rothbard
    1. Re:First of many by 93+Escort+Wagon · · Score: 2

      I imagine, in Poettering’s long-term plan, systemd is eventually going to include its own X server and its own graphical desktop manager.

      Wish I was joking.

      --
      #DeleteChrome
    2. Re:First of many by Anonymous Coward · · Score: 5, Informative

      It's worse than just doing DNS resolution.

      It has a hardcoded fallback to Google's servers:

      https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=761658

      In spite of repeated explanations about why that is a horrid idea, the maintainers chose to ignore all the objections and proceed full steam ahead.

    3. Re:First of many by mike2006 · · Score: 2

      It's worse than just doing DNS resolution.

      It has a hardcoded fallback to Google's servers:

      https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=761658

      In spite of repeated explanations about why that is a horrid idea, the maintainers chose to ignore all the objections and proceed full steam ahead.

      It is mind blowing to read that to begin with but what was worse is reading the refusal to acknowledge the privacy issue and fix it.

    4. Re:First of many by gweihir · · Score: 2

      Because the designer is a smart moron that does not learn and never grasped why KISS is so essential to all good engineering. An amateur at work.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    5. Re:First of many by gweihir · · Score: 5, Insightful

      Fascinating. Hardcoded defaults like that are a catastrophe in the making and are only done by complete and utter amateurs with no experience.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    6. Re:First of many by gweihir · · Score: 2

      The thing about Poettering is apparently that he has not acquired any experience in all these years and still only qualifies as an amateur. It is pretty surprising how somebody can be that resistant to learning. So, no, not "self defeating", just accurate in describing his capabilities, if not his history.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    7. Re: First of many by gweihir · · Score: 2

      I was commenting on demonstrated skill-level, not employment history. I am well aware where he works.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    8. Re:First of many by gweihir · · Score: 2

      I think it strongly implies something very specific. But good to know, so I will continue to ignore Docker.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  3. Slackware: not affected. by sombragris · · Score: 5, Insightful

    Slackware does not use systemd and therefore is not affected by this vulnerability.

    At least in this case, the KISS philosophy paid well.

    --
    -- Look to the Rose that blows about us--"Lo, Laughing," she says, "into the World I blow..."
    1. Re: Slackware: not affected. by Anonymous Coward · · Score: 4, Funny

      It's a relief to hear that all four of you are safe.

    2. Re: Slackware: not affected. by Anonymous Coward · · Score: 4, Funny

      I'm offended, there are six of us.

    3. Re:Slackware: not affected. by ortholattice · · Score: 5, Informative

      I used Debian for over a decade before systemd and loved it. I'm not qualified to judge the merits of systemd, but when it was brought into Debian many things I was used to were suddenly different, with knowledge I learned over the years no longer of value. I don't mind learning new things, but I don't like them foisted on me gratuitously for no reason, especially since I had a lot more important stuff going on at the time.

      I switched my server to Devuan and am extremely happy with it. It was a breath of fresh air to see what I thought of as "Debian" back again. So far I've had zero problems, from installation to daily use, and I don't expect I will use Debian again.

    4. Re:Slackware: not affected. by gweihir · · Score: 2

      I am currently still with Debian and just rip out the cancer. When that stops working, I will move to Devuan.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  4. Laughs by Billly+Gates · · Score: 2

    Goes back to working on some FreeBSD vms.

    1. Re:Laughs by Ol+Olsoc · · Score: 2

      Goes back to working on some FreeBSD vms.

      I'll just leave this here https://www.cvedetails.com/vul...

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
  5. Devuan! by Anonymous Coward · · Score: 2, Informative

    one more reason to run Devuan!

  6. Oh Pottering. by 0100010001010011 · · Score: 5, Interesting

    I am not sure I'd consider this much of a problem. Yeah, it's a UNIX pitfall, but "rm -rf /foo/.*" will work the exact same way, no?

    tmpfiles: R! /dir/.* destroys root

    Yes, as you found out "0day" is not a valid username. I wonder which tool permitted you to create it in the first place. Note that not permitting numeric first characters is done on purpose: to avoid ambiguities between numeric UID and textual user names.

    So, yeah, I don't think there's anything to fix in systemd here. I understand this is annoying, but still: the username is clearly not valid.

    systemd can't handle the process privilege that belongs to user name startswith number, such as 0day

    I tested Ubuntu, Debian, FreeBSD, and OpenSolaris, 0day is a perfectly valid username.

    How did anyone that lacked that much understanding about UNIX get in charge of the init system?

    1. Re:Oh Pottering. by Gravis+Zero · · Score: 5, Informative

      Yes, as you found out "0day" is not a valid username.

      I tested Ubuntu, Debian, FreeBSD, and OpenSolaris, 0day is a perfectly valid username.

      Oh it's more than just that, I checked the POSIX standard and this rule of his is entirely invented.

      per the POSIX standard:

      A string that is used to identify a user; see also User Database. To be portable across systems conforming to POSIX.1-2017, the value is composed of characters from the portable filename character set. The <hyphen-minus> character should not be used as the first character of a portable user name.

      so what's the portable filename character set?

      A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
      a b c d e f g h i j k l m n o p q r s t u v w x y z
      0 1 2 3 4 5 6 7 8 9 . _ -

      What's this mean? On POSIX your username can be "007", "4-8_" or "._-" if you want it to be.

      Lennart is full of shit and cannot admit he didn't even consider the standard when designing systemd.

      --
      Anons need not reply. Questions end with a question mark.
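As an added illustration of the POSIX rule quoted in the post above and of the UID/name ambiguity the stricter "no leading digit" rule is said to guard against (this is not code from the post or from systemd; the no-leading-digit check and both field parsers are hypothetical reconstructions, not systemd's actual implementation):

```python
import string

# Portable filename character set as listed in the post: A-Z, a-z, 0-9, '.', '_', '-'
PORTABLE_CHARS = frozenset(string.ascii_letters + string.digits + "._-")


def is_posix_portable_username(name: str) -> bool:
    """POSIX.1-2017 portable user name, as quoted in the post: non-empty,
    only portable filename characters, and no leading hyphen-minus."""
    return bool(name) and name[0] != "-" and all(c in PORTABLE_CHARS for c in name)


def is_no_leading_digit_username(name: str) -> bool:
    """Stricter rule described in the thread: additionally reject a leading
    digit to avoid UID/name ambiguity. Hypothetical reconstruction only."""
    return is_posix_portable_username(name) and not name[0].isdigit()


def parse_user_field_strict(token: str):
    """Resolve a field that accepts either a numeric UID or a user name.
    A token is a UID only if *every* character is a digit; anything else is
    treated as a name and validated against the POSIX rule, so '0day' stays
    a name and never collapses into a UID."""
    if token.isdigit():
        return ("uid", int(token))
    if is_posix_portable_username(token):
        return ("name", token)
    raise ValueError(f"invalid user field: {token!r}")


def parse_user_field_prefix(token: str):
    """The ambiguity the stricter rule is guarding against: a C strtol-style
    parse consumes the leading digits and ignores the rest, so '0day'
    silently becomes UID 0 (root). Illustration of the pitfall, not systemd."""
    i = 0
    while i < len(token) and token[i].isdigit():
        i += 1
    if i > 0:
        return ("uid", int(token[:i]))
    return ("name", token)


if __name__ == "__main__":
    # Constructed sample names, including the ones the post says POSIX allows.
    for name in ["007", "4-8_", "._-", "0day", "-bad", "bob", "jo hn", ""]:
        print(f"{name!r:8} posix={is_posix_portable_username(name)!s:5} "
              f"no_leading_digit={is_no_leading_digit_username(name)}")
    print(parse_user_field_strict("0day"))   # ('name', '0day')
    print(parse_user_field_prefix("0day"))   # ('uid', 0)
```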
  7. Re: This is why ipv6 should be disabled by default by jd · · Score: 2

    IPv6 should be the only protocol running. Your router can transparently convert to legacy formats.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  8. Re:Leonard? by ArchieBunker · · Score: 2, Funny

    I pronounce it as "shit head".

    --
    Only the State obtains its revenue by coercion. - Murray Rothbard
  9. Give OpenBSD a shot! by localgh0st · · Score: 2

    I was turned off by systemD and the direction Linux distros were taking by adopting it, as it seems a departure from the Unix philosophy. I was also turned off by the restrictive communication/behaviour rules forced upon the FreeBSD community. So I decided to give OpenBSD a shot and was pleasantly surprised. You can perform a lot of server functions with just the base system, working with it is intuitive, and it's surprisingly up-to-date.

  10. Re:Intended behavior by sgage · · Score: 2

    Won't use. I do not want to have anything to do with systemd, or Lennart Poettering, if I can help it. I am very happy with Devuan.

  11. Re:I figured it out. by gweihir · · Score: 2

    The hallmark of utter amateurs. All great engineers stand on the shoulders of giants. These here crawl in the mud while congratulating themselves how great they are.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  12. use www.devuan.org by what+about · · Score: 2

    It has been done to avoid all of this.

    Support and donate, otherwise the systemd cancer will kill Linux

    This was the plan all along