Linux Systemd Bug Could Have Led to Crash, Code Execution

Ubuntu fixed a Linux bug that could have let an attacker cause a denial of service or execute arbitrary code with a TCP payload this week.

Developers with Canonical pushed out a handful of patches for the Linux-based operating system Ubuntu this week, including one that resolves a bug that could have let an attacker cause a denial of service or execute arbitrary code with a TCP payload.

Chris Coulson, a software and electronics engineer with the company, discovered the vulnerability, an out-of-bounds write (CVE-2017-9445) in Ubuntu’s systemd-resolved system service. The service-an init system used in Linux distributions–is a network name resolution manager and helps provide network name resolution to local apps.

Coulson warned earlier this week the bug could affect any Linux distribution running an unpatched version of systemd.

If an attacker used a malicious DNS server, they could exploit the bug via a specially crafted TCP payload, Coulson wrote Tuesday. Coulson says that certain payloads can be used to trick the service into allocating a buffer that’s too small, something that writes arbitrary data beyond the end of it.

He believes the bug was introduced in version 223 of systemd, committed back in June 2015, and affects all subsequent versions, including 233, released in March this year.

Canonical branded the bug “high” severity and warns the issue affects versions 17.04 and 16.10 of Ubuntu. The company pushed out systemd patches for each, 232-21ubuntu5, and 231-9ubuntu5, on Tuesday so users can update their systems.

As systemd-resolved figures into other Linux distributions like Debian Linux, Red Hat’s Fedora, and openSUSE, users may want to independently verify whether or not they’re affected.

Only the “stretch”, and “buster,” and “sid” releases of Debian are considered vulnerable, according to Debian’s bug tracker on the issue. Debian stressed Coulson’s bug was only a minor issue for Debian “stretch” users, as systemd-resolved comes disabled by default on that build. The vulnerable code isn’t present in Debian “Jessie” and “wheezy” builds.

It appears Fedora 25 received an update, FEDORA-2017-29d909f5ec, for the issue on Wednesday.

Coulson’s out-of-bounds write issue was one of many fixed across Ubuntu builds this week.

On Monday several Apache HTTP server vulnerabilities were fixed in Ubuntu 17.04, 16.10, and 16.04 LTS, and 14.04 LTS. The bugs could have led to authentication requirements being bypassed or denial of service scenarios.

A slew of Linux kernel vulnerabilities, including some that could lead to the execution of arbitrary code and denial of service situations in some of the same builds – in 17.04, 12.04 LTS, 16.10 – were also patched on Thursday.

Suggested articles