Linux Systemd Vulnerability Enables DNS Attacks
In January 2017, security researcher Sebastian Krahmer found a bug in Linux systems which could be exploited to grant cyber-attackers root access to a targeted machine. On June 27 2017, software engineer Chris Coulson reported a different systems vulnerability.
The CVE-2017-9445 bug can be exploited by cyber-attackers with TCP packets that trick the systemd initialization daemon to enable the execution of malicious code, or trigger system crashes.
According to Coulson, “Certain sizes passed to dns_packet_new can cause it to allocate a buffer that's too small. A page-aligned number – sizeof(DnsPacket) + sizeof(iphdr) + sizeof(udphdr) will do this—so, on x86 this will be a page-aligned number—80. Eg, calling dns_packet_new with a size of 4016 on x86 will result in an allocation of 4096 bytes, but 108 bytes of this are for the DnsPacket struct.
A malicious DNS server can exploit this by responding with a specially crafted TCP payload to trick systemd-resolved in to allocating a buffer that's too small, and subsequently write arbitrary data beyond the end of it.”
Coulson reports that the bug was introduced in systemd version 233 in 2015, and affecters versions through 233.
Linux's systemd is a crucial feature, which is used by many distributions to bootstrap the user space and manage all subsequent processes. The program was created by Red Hat developers. Distributions that can be exploited through systemd vulnerabilities include Debian, Ubuntu, Arch Linux, OpenSUSE, SUSE Linux Enterprise server, Gentoo Linux, Fedora, and CentOS.
Ubuntu developer Canonical has addressed the vulnerability. On Tuesday, they released a fix for Ubuntu 17.04 and Ubuntu 16.10. According to Red Hat, the vulnerability doesn't affect the versions of systemd that are used in Red Hat Enterprise Linux 7. Debian responded to the CVE-2017-9445 report by explaining that their distributions use the vulnerable versions of systemd, but it's not a concern for them because the affected systemd-resolved service is disabled by default.
Source: Information Security Magazine