Slashdot Mirror
Linux systemd Affected by Memory Corruption Vulnerabilities, No Patches Yet (bleepingcomputer.com)
Major Linux distributions are vulnerable to three bugs in systemd, a Linux initialization system and service manager in widespread use, California-based security company Qualys said late yesterday. From a report: The bugs exist in 'journald' service, tasked with collecting and storing log data, and they can be exploited to obtain root privileges on the target machine or to leak information. No patches exist at the moment. Discovered by researchers at Qualys, the flaws are two memory corruption vulnerabilities (stack buffer overflow - CVE-2018-16864, and allocation of memory without limits - CVE-2018-16865) and one out-of-bounds error (CVE-2018-16866). They were able to obtain local root shell on both x86 and x64 machines by exploiting CVE-2018-16865 and CVE-2018-16866. The exploit worked faster on the x86 platform, achieving its purpose in ten minutes; on x64, though, the exploit took 70 minutes to complete. Qualys is planning on publishing the proof-of-concept exploit code in the near future, but they did provide details on how they were able to take advantage of the flaws.
Giant bloated executable where trim purpose built utilities and text should be used.
Looking at the code, all three of these bugs are inexcusable. The systemd devs really are incompetent.
meanwhile, in redmond...
I haven't seen a systemd thread for quite some time around here I guess we're due.
Some of the rants and raves are actually pretty good.
Yet I can't help wondering how much of it is really just people who resist change because they don't want to learn something new. The init/upstart process was easy enough to understand but clinky and as full of problems as systemd really. Except, of course of the most common use cases where it had been worked out.
As for these bugs they don't seem to be making much of an industry problem.
In case you're interested to know the breakdown...
Politics; n. : A religion whereby man is god.
for me... I switched to Devuan a few months ago.
Yes, I know there are plenty of bugs and vulnerabilities to go around, but based on the frustrations that systemd caused me, I think I am afforded a bit of schadenfreude.
My beliefs do not require that you agree with them.
"It's not a bug, but a feature. Or someone else can work around it. Also: Don't be so mean to us, boo hoo."
There is some truth to this. Linux is just a kernel, but there are myriad userland programs, toolchains, and other ancillary software bits that make up a GNU/Linux system. Linux (full system/any distro) is so balkanized. Companies like Red Hat employ the programmers who write stuff like systemd/pulseaudio, etc., so they automatically steer the direction every other distro must go in. I was shocked when Debian adopted systemd, and now more and more software has to have it as a REQUIREMENT. This is one reason I like KDE. I've been using it as a desktop since 1998. I use Kate and Konsole all of the time, and my workflow revolves around them.
BSD, on the other hand, for all its own faults, is not "grown" like Linux, but engineered. It's a full OS in its own right and end users can install their own preferred userland and ancillary software. I'm really close to just adopting FreeBSD.
Shitty windows-ini-style Unit files, binary logs, 12 different subsystems gobbled up and "integrated" ... I mean did this kind of shit surprise someone? Really? After years of supporting Systemd and solving it's problems for others I can say with limited authority that, yes, it really is garbage. I know there were a few people who thought systemd was just "progress", but no it's a schism, a coup, a shitty revolution that left everyone worse than when they started. Linus and friends are too old and retarded now apparently to lose face and be critical of it because they stood by and shrugged while the Potterites and Fedora assholes ruined Linux. I mean BSD was always better, don't get me wrong. So, it's not as big a loss as some would frame it to be. However, it used to be fun, useful, and relatively untainted by anything this heinous but a few unenlightened windows folks came along and created this svchost.exe ripoff (systemd) for the purposes of enhancing GNOME and now you get this smelly mess that is now Linux. Ah well, it was (sorta) fun while it lasted. Back to my BSD boxes.
Fortunately, I run Linux, not Poetterix and are nicely unaffected.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
"niche operating system"
The 90's called and want this argument back.
As stated in 2016 at FSCONS in the Q&A https://youtu.be/wMvyOGawNwo?t...
Two of the bugs only possible in with unsafe referencing/allocation ... par for the course.
It's been at least a couple decades. Today, Linux is more widely used than literally anything else.
"Giant bloated executable..."
SystemD causes a lot of problems. That makes more money for people who work for companies that do Linux technology support.
Is that a giant conflict of interest? Was SystemD allowed by management of Red Hat because it would make more money?
Mark Shuttleworth said, "Losing graciously". (Feb. 14, 2014} "It will no doubt take time to achieve the stability and coverage that we enjoy today..."
Responsible disclosures you never hear about since they are being responsible. So called 'Security Researchers' on the other hand... Want their public glory.
https://www.qualys.com/2019/01... :
2018-11-26: Advisory sent to Red Hat Product Security (as recommended by
https://github.com/systemd/sys...).
2018-12-26: Advisory and patches sent to linux-distros@openwall.
2019-01-09: Coordinated Release Date (6:00 PM UTC).
Meanwhile, just two articles earlier on the same exact page you just posted to: "Windows 7 Users Who Installed January Update Report Network Issues; Some Say the Update Has Also Incorrectly Flagged Their OS License as 'Not Genuine'"
Slackware ships with a simple, effective BSD-style init populated by simple and readable shell scripts. Its BDFL, Patrick Volkerding, made the decision to purposely avoid systemd like the plague and I think he is right.
Install Slackware, and many sysadmin's worries will go away.
-- Look to the Rose that blows about us--"Lo, Laughing," she says, "into the World I blow..."
That is the more polite version of "you incompetent chumps make our searches easy and worthwhile. And we listened to a lot of System of a Dawn."
Let me go make some popcorn.
While that enhanced the security, that wasn't the basis of it. Simple reliable design that could be reasonably debugged was the basis. Also code that large numbers of people could read and understand. (No, not everybody. And I never bothered to learn to. But large numbers.) This, of course, requires that the code be relatively simple. Which means modular, with limited externalities.
Systemd is a massive failure in ever one of these respects, and I suspect intentionally so. I don't mean I'm certain. It could just be a worship of centralized power finds a different design of software more pleasing. Or there could be some other reason.
I think we've pushed this "anyone can grow up to be president" thing too far.
There were many intermediate exploits. But they were relatively easy to fix, and fixed relatively quickly. As the software groups have gotten larger, this has become less and less true.
The complaints about "SJW drones", "codes of conduct", etc. aren't totally without merit, but their validity has more to do with the fact that they only become relevant in larger projects. But larger projects *need* more oversight and administration. (Also, larger projects tend to exclude the kind of people most likely to complain about such oversight...and anyone excluded is likely to feel unhappy.)
I think we've pushed this "anyone can grow up to be president" thing too far.
Even simpler than a systemd declaration is saying "Alexa, start Apache".
That doesn't mean that Alexa's AI code is simpler than a 20-line bash script. You're comparing the *input* to the systemd code, a config file, vs the actual code that does things in SysVinit.
In sys V, the shell script starts the daemon, it *is* the code. If anything is wrong or you want to change anything, you can look through the shell script and change things. In systemd, the declaration is handed to a binary that does who-knows-what.
Root shell from either a local exploit or a remote exploit IS NOT a minor thing. Typical systemd attitude. Blame the users, handwave away the problems. Sad.
Does this need local access? Or just remote access?
Linux is a multi-user system from the ground and up.
Just saying it like it are.
I was a RedHat user back on v5.1. I tried to upgrade my system, and it was awfully painful. But I stuck with RedHat. Then I upgraded again. And again. Every time it got a little less painful, but it still sucked. Then I decided to try out another distro. Mandrake. It was nice, and I liked KDE! I upgraded a couple of times, and it wasn't too bad. So change was good. After a few more upgrades, it still wasn't that smooth. I decided to try out Ubuntu, and I really liked it. Since I was liking KDE I switched to Kubuntu. Change was good! I upgraded a couple of times - near flawless! Change was great! Then KDE started to really annoy me - too much flash, and eventually a bug cropped up that caused me all kinds of headaches. So I switched to Xubuntu. XFCE was great, and change was good! I upgraded that system several times, and it was very smooth. After 7 upgrades, things were getting less stable. Since i was going to reinstall anyway, i looked at other distros.... ah, Linux Mint. Polished, but with XFCE not overly so. I had found my distro, change was great! The method of upgrading was to reinstall cleanly, so I made sure to set up my new system so that was minimally painful. Then I was able to upgrade in place - painlessly! All was right.
Then after one upgrade, I noticed that my machine started having various issues. I couldn't shutdown cleanly. I would take minutes to shutdown, where it used to take seconds. I thought it was hardware at first, but it wasn't. It was systemd. I hadn't noticed before upgrading that they were switching to systemd. I had begun to trust Mint so much that I just thought it would be smooth. I learned more and more about systemd, and tried to fix the issue. No deal. So I gritted my teeth and dealt with it. Change can be bad. Eventually I got a different computer, and then I had complete confirmation that my issues weren't hardware related because they persisted. It was time to find a new distro.
It wasn't an easy search, because by this time systemd had kind of taken over. Mint only went to it because it's a downstream of Ubuntu. Clem (maintainer of Mint) confirmed this to me, that it wasn't his choice at all and it was just the easiest route to take.
I looked at the BSDs, Arch, Slack, and a few others. But because I was familiar with and really liked the apt package manager, I chose Devuan. It was not only a great distro, but I know that it is specifically focused on NOT implementing systemd. It was a simple install and upgrade, and my system is fast as ever and shuts down within seconds again. So again... change is great!
My beliefs do not require that you agree with them.
This is a legitimate question. Most people on slashdot seem to hate systemd. And most of you are programmers and work on Linux every day. Why don't you guys get together and create a new init system that blows systemd away? Isn't that what the whole spirit of FOSS is about?
I have this fantasy where we lock the SJWs and ASJWs in a room together, and let them fight it out for eternity amongst themselves. Kind of like the end of that bad Star Trek episode.
Now do you think you could go away and stop bring up the same point over-and-over in this ground-breaking discussion of systemd?
(Yes, I know. "Let That Be Your Last Battlefield". Third season, of course.)
...that broke the camel's back? FINALLY? PLEASE?????
Can the idiotic pro-systemd folks finally admit they were wrong, abandon the whole misguided concept, and start the process of moving back to unix philosophies and architecture? The world dropped xfree86 fast as a hat, pretty much spun on a dime and moved to X.org.... let that happen w/ systemd as well.
Or, better yet, just shift support en masse behind FreeBSD and get the hardware and desktop environment and app support back up there like it used to be. Honestly, that'd be the better path and the end result so much better.
Probably too much to hope for...
I come not to praise systemd, and certainly not to praise Poettering or RedHat...
But these anti-systemd rants would be more impressive if you guys had showed any signs of thinking through what you're saying about The Unix Way and all that jazz.
Yes, sometimes decentralized, small encapsulated components are a win, but sometimes monolithic designs where the pieces can talk to each other easily are a win-- You might notice that when Linus Torvalds was asked about this he made some rather mild comments about how some aspects of linux, like the graphic display environment has always been more monolithic.
Arguably, the initial reason perl was a big deal is it took a bunch of features from the shell programming world and stuck them all inside of one process-- you can do lash-ups of shell, awk, sed and so on, or you can just write a perl script and pretty frequently the perl script is really and truly a better option.
And take a look at some of the classic shell utilities some time. Look at the docs for things like "find", "tar", etc... do they really look to you like something that's designed to just do "one thing"?
You guys who keep intoning "the unix philosophy" over-and-over might want to stop and think about the way things really get done with unix.
But then, none of this is a defense of systemd, or the way systemd was put over...
someone has local access to your machine, you're doing it wrong anyway.
Linux is a multi-user operating system. It's designed explicitly to support multiple users concurrently with limited privileges.
Now I understand why so many people were so adamant about how terrible systemd was going to be.
I'm not a programmer, so didn't really understand what the problem was.
To be fair, it's not really clear in TFA, but it looks like it to me, so I am going to worry about something else for a while.
To the commenters informing me that Linux is a multi-user system I'm not sure what your point is. If this bug needs an attacker to be standing in front of the machine, typing at the keyboard, you're a bit screwed regardless.
Reflect back on "programs that do one thing and do it well".
Are the deep parts of an OS you are using still supportive of that philosophy?
If not consider changing to a better quality OS.
Domestic spying is now "Benign Information Gathering"
Sadly, the new CoC disallows that action as it would hurt Pottering's feelings.
CAP === 'students'
I don't mind that services have a simple config declaration, with mostly standard start / stop handling. But it would be better to start with some form of "#!/..." so the config file can be used as a script that launches a generic service handler from a traditional init system.
But that's not the only part of the OS that systemd is trying to replace...
09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
I wasn't really trolling regardless of what the moderator tally is. I was just remarking that this topic really is a hot button for a lot of people and are willing to write flames about it. And that it hadn't happened for a while.
And was I wrong? Oh, no.
I also pointed out that some people have more valid justifications for their passionately held positions than others. Although that is always true on that topic the jury will always be out.
The exploit is a privilege escalation attack and does not require physical access to the machine. It uses a local account (that is, one on the OS) to start a local root shell (that is, one available to a process running on the machine, not necessarily available over the network).
Using binfmt_misc (or a GUI front-end to it) you can fairly easily configure your system to use whatever program you want to handle *.service "scripts". It can recognize them by name (.service) and/or by the first bytes being [Unit] or [Service]. This is similar to configuring a default handler for jpeg files, to open them when you click them (but also works from the command line).
For other file types that don't have a predictable name, nor predictable first bytes, a very simple kernel module can be used to register a handler.
Lastly, text files of unknown type are sent to /bin/sh if they are chmod executable. You can probably configure sh to handle service files.
been using linux since 95 and i've seen all kinds of bugs throughout the years.
it looks like systemd is remaking all of them again, each time i think - this already happened before, it shouldn't be a problem anymore.
seems as if the systemd team is recreating the complete history of linux userland bugs again.
On a long enough timeline, the survival rate for everyone drops to zero.
Logs have always been made of wood.
Distrowatch says there are 113 alternative distros you can use without systemd
If you like Debian, you use Devuan.
If you like Arch, you use Artix.
Slackware was never tainted, etc...
What are you waiting for? The main idiot is not even Poettering, its the Distro leaders that choose to force you to use it. Of course Fedora is doomed being a Red Hat project...
Is it a coincidence that everything made by Poettering behaves more or less the same buggy and bloated way? You think pulseaudio is an example of excellence? What about avahi and the other crud he made? Just say no to his mindset and rid your system of anything made by him.
http://without-systemd.org/ Take a stand against systemd!
Artix
Your Linux, your init.