posted by martyb on Friday January 11 2019, @12:54PM
from the deep-seated-insecurities-and-paranoia dept.

From TFA (the friendly article) at https://www.openwall.com/lists/oss-security/2019/01/09/3:

We discovered three vulnerabilities in systemd-journald (https://en.wikipedia.org/wiki/Systemd):

- CVE-2018-16864 and CVE-2018-16865, two memory corruptions (attacker-controlled alloca()s);

- CVE-2018-16866, an information leak (an out-of-bounds read).

CVE-2018-16864 was introduced in April 2013 (systemd v203) and became exploitable in February 2016 (systemd v230). We developed a proof of concept for CVE-2018-16864 that gains eip control on i386.

CVE-2018-16865 was introduced in December 2011 (systemd v38) and became exploitable in April 2013 (systemd v201). CVE-2018-16866 was introduced in June 2015 (systemd v221) and was inadvertently fixed in August 2018.

We developed an exploit for CVE-2018-16865 and CVE-2018-16866 that obtains a local root shell in 10 minutes on i386 and 70 minutes on amd64, on average. We will publish our exploit in the near future.

To the best of our knowledge, all systemd-based Linux distributions are vulnerable, but SUSE Linux Enterprise 15, openSUSE Leap 15.0, and Fedora 28 and 29 are not exploitable because their user space is compiled with GCC's -fstack-clash-protection.

This confirms https://grsecurity.net/an_ancient_kernel_hole_is_not_closed.php: "It should be clear that kernel-only attempts to solve [the Stack Clash] will necessarily always be incomplete, as the real issue lies in the lack of stack probing."

The article goes on with more detailed information on exploits.

<sarcasm>It's a good thing that systemd does not affect very many systems and no systems running anything important.</sarcasm>
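An added illustration of the pattern the advisory describes, not code from systemd or from the Qualys write-up. The function names, the 4096-byte stack threshold and the 64 KiB message cap are assumptions made for this example. It puts the vulnerable shape (a scratch buffer sized straight from the peer's message and placed on the stack with alloca()) next to a hardened shape (a fixed-size stack buffer, the heap above that, and an outright refusal of absurd sizes), and alloca_clears_guard() shows the arithmetic behind the stack clash: an alloca() larger than the remaining stack plus the guard page lands beyond the guard without touching it. That is also why the advisory counts distributions built with GCC's -fstack-clash-protection as not exploitable rather than fixed: the compiler's page-by-page probes hit the guard page and the daemon dies instead of writing into the next mapping.

```c
#include <alloca.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/resource.h>

/* Assumed limits for this example (not systemd's real constants):
 * scratch space up to SCRATCH_STACK_MAX bytes may live on the stack,
 * larger messages go to the heap, and anything above MESSAGE_MAX is
 * refused before any memory is touched. */
#define SCRATCH_STACK_MAX 4096u
#define MESSAGE_MAX       (64u * 1024u)

enum scratch_where { SCRATCH_STACK, SCRATCH_HEAP, SCRATCH_REJECT };

/* Policy: where may a scratch buffer of `len` bytes live? */
enum scratch_where scratch_where(size_t len) {
    if (len > MESSAGE_MAX) return SCRATCH_REJECT;
    if (len <= SCRATCH_STACK_MAX) return SCRATCH_STACK;
    return SCRATCH_HEAP;
}

/* Stand-in for "processing" the message: 32-bit FNV-1a over `len`
 * bytes, so the two handlers below can be compared on identical input. */
uint32_t fnv1a(const unsigned char *p, size_t len) {
    uint32_t h = 0x811C9DC5u;
    for (size_t i = 0; i < len; i++) {
        h ^= p[i];
        h *= 0x01000193u;
    }
    return h;
}

/* Vulnerable shape (the pattern behind CVE-2018-16864/16865): the size
 * passed to alloca() is whatever the peer sent. A length in the hundreds
 * of megabytes moves the stack pointer past the guard page into whatever
 * mapping lies below, and the memcpy then writes there. Built with
 * -fstack-clash-protection, the compiler touches every page while the
 * stack grows, so the guard page is hit and the process dies instead.
 * Only call this with small `len`. */
uint32_t vulnerable_handle(const char *msg, size_t len) {
    char *scratch = alloca(len + 1);     /* attacker-controlled alloca() */
    memcpy(scratch, msg, len);
    scratch[len] = '\0';
    return fnv1a((const unsigned char *)scratch, len);
}

/* Hardened shape: a fixed-size stack buffer (bound known at compile
 * time), the heap for anything bigger, and an explicit refusal beyond
 * MESSAGE_MAX. On refusal or allocation failure *rejected is set and 0
 * is returned. */
uint32_t safe_handle(const char *msg, size_t len, bool *rejected) {
    char stackbuf[SCRATCH_STACK_MAX + 1];
    char *heapbuf = NULL;
    char *scratch;

    *rejected = false;
    switch (scratch_where(len)) {
    case SCRATCH_REJECT:
        *rejected = true;
        return 0;
    case SCRATCH_STACK:
        scratch = stackbuf;
        break;
    case SCRATCH_HEAP:
    default:
        heapbuf = malloc(len + 1);
        if (!heapbuf) { *rejected = true; return 0; }
        scratch = heapbuf;
        break;
    }
    memcpy(scratch, msg, len);
    scratch[len] = '\0';
    uint32_t h = fnv1a((const unsigned char *)scratch, len);
    free(heapbuf);
    return h;
}

/* Without probing, an alloca() larger than the remaining stack plus the
 * guard page lands beyond the guard without faulting. `remaining` and
 * `guard` are supplied by the caller; a single 4 KiB guard page is the
 * assumed default. */
bool alloca_clears_guard(size_t len, size_t remaining, size_t guard) {
    return len > remaining + guard;
}

int main(void) {
    const char *msg = "constructed sample message";   /* constructed input */
    bool rejected;
    printf("vulnerable: %08x\n", vulnerable_handle(msg, strlen(msg)));
    printf("safe:       %08x\n", safe_handle(msg, strlen(msg), &rejected));

    /* The soft RLIMIT_STACK bounds what the main-thread stack can grow to,
     * so one alloca() just past it is enough to clear the guard page. */
    struct rlimit rl;
    if (getrlimit(RLIMIT_STACK, &rl) == 0 && rl.rlim_cur != RLIM_INFINITY) {
        size_t limit = (size_t)rl.rlim_cur;
        printf("stack limit %zu bytes; alloca(%zu) clears the guard page: %s\n",
               limit, limit + 8192,
               alloca_clears_guard(limit + 8192, limit, 4096) ? "yes" : "no");
    }
    return 0;
}
```

The hardened handler deliberately contains no alloca() at all: a fixed array gives the compiler a bound it can check, and the heap path turns an oversized message into an ENOMEM-style refusal rather than a stack-pointer jump. Capping the message size up front is the part the comments below are arguing about; the stack-clash compiler flag only changes what happens after the cap is missing.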


  • (Score: 3, Informative) by julian67 on Friday January 11 2019, @01:58PM (20 children)

    by julian67 (982) on Friday January 11 2019, @01:58PM (#785025)

    A better solution:

    apply patches as and when they become available.

    Bugs far more severe have been found in every layer, from the kernel upwards, of every general purpose operating system. They get fixed.

    The idea that one should avoid or abandon software if bugs are found only makes sense if those bugs cannot be fixed. Otherwise it's an absurdist position.

  • (Score: 5, Insightful) by canopic jug on Friday January 11 2019, @02:03PM (4 children)

    by canopic jug (3949) Subscriber Badge on Friday January 11 2019, @02:03PM (#785027) Journal

    The bugs were around for about two years. They're also the result of a combination of known bad design and known bad programming practices. Mistakes cannot be avoided but bad design and bad practices can. Those alone are enough reason to eschew garbage like systemd. On top of that you have an enormous monolith of complex, sparsely documented code.

    --
    Money is not free speech. Elections should not be auctions.
    • (Score: 5, Insightful) by digitalaudiorock on Friday January 11 2019, @02:24PM

      by digitalaudiorock (688) on Friday January 11 2019, @02:24PM (#785032) Journal

      Never mind that these bugs are in their shit-for-brains systemd-journald and binary logging. None of that should have ever happened, and nobody with any sense wanted it. But yea...it's all good...as long as sysadmins whose companies fell for RHEL 7 start treating it the way they've treated Windows Server...which is about where this has gone. Good luck with all that. No systemd in my home or my company, and never will be...thank God.

    • (Score: 4, Interesting) by Thexalon on Friday January 11 2019, @08:20PM (2 children)

      by Thexalon (636) on Friday January 11 2019, @08:20PM (#785205)

      Also, can we stop letting Lennart be in charge of anything important, please? Between systemd's awfulness (including on occasion breaking the Linux kernel) and PulseAudio's awfulness (ditto), I'm trying to figure out why anyone thinks he should be doing coding without adult supervision.

      The moment I knew how bad systemd truly was: shortly after I had installed it for the first time on a desktop, I decided to swap out my aging PS/2 mouse for a USB mouse, so I shut down the machine, switched the mice, turned it back on, and was greeted with a black screen with no feedback at all about what was going on, and nothing in the logs about what had gone wrong when I swapped the mice back. Whereas my sysvinit-based system, in the same situation, would have booted up just fine and at worst would have needed some config file changed and a relevant daemon restarted. Based on that, I was forced to conclude that either the systemd developers had not even thought about the possibility of swapping out hardware while the machine was turned off, or didn't care enough about that scenario to make their stuff work properly under those conditions.

      --
      The only thing that stops a bad guy with a compiler is a good guy with a compiler.
      • (Score: 2, Funny) by Anonymous Coward on Saturday January 12 2019, @11:48AM (1 child)

        by Anonymous Coward on Saturday January 12 2019, @11:48AM (#785469)

        Thank you for your bug report. We here at systemD central think that you are a poopy head with a need for a brain swap.
        Please soak your head in vinegar.
        And Have A Nice Day.

        • (Score: 2) by Thexalon on Sunday January 13 2019, @03:01PM

          by Thexalon (636) on Sunday January 13 2019, @03:01PM (#785908)

          You forgot to mark it as "WONTFIX".

          --
          The only thing that stops a bad guy with a compiler is a good guy with a compiler.
  • (Score: 0) by Anonymous Coward on Friday January 11 2019, @02:03PM (2 children)

    by Anonymous Coward on Friday January 11 2019, @02:03PM (#785028)

    I think you need to work on your reading comprehension.
    These bugs have been around for years and never patched...

    • (Score: 5, Funny) by DannyB on Friday January 11 2019, @03:11PM (1 child)

      by DannyB (5839) Subscriber Badge on Friday January 11 2019, @03:11PM (#785050) Journal

      You are making an assumption that these vulnerabilities are bugs instead of features.

      --
      People today are educated enough to repeat what they are taught but not to question what they are taught.
      • (Score: 1, Touché) by Anonymous Coward on Saturday January 12 2019, @11:50AM

        by Anonymous Coward on Saturday January 12 2019, @11:50AM (#785470)

        Oh, great, so this is Year Of The Linux Desktop where Linux is just like Windows
        When do we get built in advertising?

  • (Score: 5, Insightful) by rleigh on Friday January 11 2019, @02:24PM (1 child)

    by rleigh (4887) on Friday January 11 2019, @02:24PM (#785031) Homepage

    The chickens are coming home to roost, as we knew they would.

    "Bugs far more severe have been found" is to completely ignore that bad design, bad coding practices and a huge amount of hubris and egotism went into this software. If the design was solid, and good coding practices had been followed, bugs like this simply couldn't happen. Because programmers with a bit more self-awareness and humility would not have used alloca() to perform a needless micro-optimisation at the expense of system security. Processing strings in C using the most dangerously insecure strategy possible isn't even a bug, it's crass stupidity. As is not having a maximum message size in the first place.

    Some bugs are the result of genuine mistakes or extremely subtle side-effects. None of these problems fall into these categories. They are the result of programmers who think they are so great that they can't make mistakes, and that the rules don't apply to them.

    If I had to write functions like this, my choice would be to implement it using C++ with extern "C" and a static libstdc++. This would provide a C interface to string operations using std::string and std::string_view. Safer, faster and more maintainable than the C string equivalents, and from the point of view of the caller, totally transparent. If I wrote my code like what's in journald, I'd be fired for gross incompetence. It wouldn't even make it past cursory code review. Where's the oversight for the systemd developers?

    • (Score: 2) by bob_super on Friday January 11 2019, @06:09PM

      by bob_super (1357) on Friday January 11 2019, @06:09PM (#785153)

      I'm glad to learn from your experience that such bad code will never ever be adopted by anyone for any serious distro, and we'll never have to worry about that "systemd" thingy leaving the confines of the whackjobs' computer...

      Oh wait, it's fucking everywhere ! Tell me again how everyone in the industry is a certified moron.

      (disclaimer: I know why systemd is problematic. Make your points without being so hyperbolic that you assert nobody else has a clue)

  • (Score: 2) by DannyB on Friday January 11 2019, @03:15PM (7 children)

    by DannyB (5839) Subscriber Badge on Friday January 11 2019, @03:15PM (#785052) Journal

    From TFA . . .

    but SUSE Linux Enterprise 15, openSUSE Leap 15.0, and Fedora 28 and 29 are not exploitable because their user space is compiled with GCC's -fstack-clash-protection.

    Should other distributions do likewise?

    --
    People today are educated enough to repeat what they are taught but not to question what they are taught.
    • (Score: -1, Troll) by Ethanol-fueled on Friday January 11 2019, @03:39PM (2 children)

      by Ethanol-fueled (2792) on Friday January 11 2019, @03:39PM (#785064) Homepage

      I like running Windows 7 because it just works, then run Ubuntu in a VM because that just works. It should be the other way around but Ubuntu Linux is for Niggers.

      • (Score: 4, Interesting) by DannyB on Friday January 11 2019, @04:04PM (1 child)

        by DannyB (5839) Subscriber Badge on Friday January 11 2019, @04:04PM (#785078) Journal

        I run Windows 10 at work, not by choice, but because it's what we use.

        And it "just works" because we have a competent IT department and layered defenses. Only some offices have direct internet access at border gateway points. All other US and Canada offices have private connections to those points for internet access. There are spam and phishing defenses. External emails are marked EXTERNAL in the subject line. Mail attachments and links are scanned. Several thousand users with about 1.75 times that many PCs to protect using active directory policies to install and control software. Yet developers are allowed local administrative control, thus I can locally install anything I want onto my PC.

        So yeah, Windows 10 "just works" if you spend enough money. And it works well. Rarely is there any kind of penetration, and it is very quickly contained and isolated.

        As an avid Java, Linux and Open Source advocate, I'm in the interesting situation that all of the software I use at work is the same software I use at home on Linux. Other than corporate applications like Office, WebEx, etc. More and more corporate applications (bug tracking systems, human resources systems, expense reporting systems, etc, etc) are all web based -- which makes Windows less and less relevant every single day. Microsoft's nightmare come true. The reason Microsoft killed Netscape was the fear that web applications would make the OS irrelevant. And it has.

        --
        People today are educated enough to repeat what they are taught but not to question what they are taught.
        • (Score: 0) by Anonymous Coward on Thursday January 17 2019, @12:26PM

          by Anonymous Coward on Thursday January 17 2019, @12:26PM (#787868)

          Have you seen the latest KBs for IE? Seriously? Even now, if you don't have the latest patch then a "specially crafted" web page can get system level access and take over the computer.
          Even if you only miss some patches it can get user level.
          It's nuts.

    • (Score: 2) by rleigh on Friday January 11 2019, @03:56PM (1 child)

      by rleigh (4887) on Friday January 11 2019, @03:56PM (#785074) Homepage

      "Not exploitable" does not mean bug-free. It means the process will segfault or abort. Slightly better than the alternative, but it's still far from ideal. It's a mitigation, rather than a solution. Better than nothing, but best not to place too much faith in it.

      Also, the stack clash protection with a guard page still only provides protection with some caveats. It doesn't work on all platforms.

      • (Score: 2) by DannyB on Friday January 11 2019, @04:06PM

        by DannyB (5839) Subscriber Badge on Friday January 11 2019, @04:06PM (#785080) Journal

        Bug free could still mean exploitable -- if the vulnerability were a feature rather than a bug. Or at least a feature in the eyes of whoever introduced the vulnerability into most Linux systems far and wide.

        --
        People today are educated enough to repeat what they are taught but not to question what they are taught.
    • (Score: 0) by Anonymous Coward on Saturday January 12 2019, @04:55AM (1 child)

      by Anonymous Coward on Saturday January 12 2019, @04:55AM (#785400)

      -fstack-clash-protection is only available in gcc 8, which is way too new to be available in most stable distributions.

      • (Score: 0) by Anonymous Coward on Saturday January 12 2019, @11:53AM

        by Anonymous Coward on Saturday January 12 2019, @11:53AM (#785471)

        What I hear you saying is that RedHat is unstable.

        Now it's been sold, I have absolutely no doubt.

  • (Score: 5, Insightful) by crafoo on Friday January 11 2019, @06:50PM (1 child)

    by crafoo (6639) on Friday January 11 2019, @06:50PM (#785171)

    Bugs far more severe have been found in every layer, from the kernel upwards, of every general purpose operating system. They get fixed.

    I think you've missed the point. Bugs get fixed? OK. That's quite an assumption. Can people find the bugs? How hard is it to do so? How many people are actually looking or working on the source code? Are they all at the same institution or work for the same company?

    systemd is needlessly complex and monolithic. It's quickly becoming the Achilles heel of Linux. It's poorly designed. It has "features" no one asked for. It incorporates and subsumes systems that it should not.

    • (Score: 4, Funny) by aristarchus on Friday January 11 2019, @11:17PM

      by aristarchus (2645) on Friday January 11 2019, @11:17PM (#785287) Journal

      It's quickly becoming the Achilles heel of Linux

      Achilleus' mom wants a word with you.