Stories
Slash Boxes
Comments

SoylentNews is people

posted by martyb on Friday January 11 2019, @12:54PM   Printer-friendly
from the deep-seated-insecurities-and-paranoia dept.

From TFA (the friendly article) at https://www.openwall.com/lists/oss-security/2019/01/09/3:

We discovered three vulnerabilities in systemd-journald (https://en.wikipedia.org/wiki/Systemd):

- CVE-2018-16864 and CVE-2018-16865, two memory corruptions     (attacker-controlled alloca()s);

- CVE-2018-16866, an information leak (an out-of-bounds read).

CVE-2018-16864 was introduced in April 2013 (systemd v203) and became exploitable in February 2016 (systemd v230). We developed a proof of concept for CVE-2018-16864 that gains eip control on i386.

CVE-2018-16865 was introduced in December 2011 (systemd v38) and became exploitable in April 2013 (systemd v201). CVE-2018-16866 was introduced in June 2015 (systemd v221) and was inadvertently fixed in August 2018.

We developed an exploit for CVE-2018-16865 and CVE-2018-16866 that obtains a local root shell in 10 minutes on i386 and 70 minutes on amd64, on average. We will publish our exploit in the near future.

To the best of our knowledge, all systemd-based Linux distributions are vulnerable, but SUSE Linux Enterprise 15, openSUSE Leap 15.0, and Fedora 28 and 29 are not exploitable because their user space is compiled with GCC's -fstack-clash-protection.

This confirms https://grsecurity.net/an_ancient_kernel_hole_is_not_closed.php: "It should be clear that kernel-only attempts to solve [the Stack Clash] will necessarily always be incomplete, as the real issue lies in the lack of stack probing."

The article goes on with more detailed information on exploits.

<sarcasm>It's a good thing that systemd does not affect very many systems and no systems running anything important.</sarcasm>


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 4, Interesting) by DannyB on Friday January 11 2019, @04:04PM (1 child)

    by DannyB (5839) Subscriber Badge on Friday January 11 2019, @04:04PM (#785078) Journal

    I run Windows 10 at work, not by choice, but because it's what we use.

    And it "just works" because we have a competent IT department and layered defenses. Only some offices have direct internet access at border gateway points. All other US and Canada offices have private connections to those points for internet access. There are spam and phishing defenses. External emails are marked EXTERNAL in the subject line. Mail attachments and links are scanned. Several thousand users with about 1.75 times that many PCs to protect using active directory policies to install and control software. Yet developers are allowed local administrative control, thus I can locally install anything I want onto my PC.

    So yeah, Window 10 "just works" if you spend enough money. And it works well. Rarely is there any kind of penetration, and it is very quickly contained and isolated.

    As an avid Java, Linux and Open Source advocate, I'm in the interesting situation that all of the software I use at work is the same software I use at home on Linux. Other than corporate applications like Office, WebEx, etc. More and more corporate applications (bug tracking systems, human resources systems, expense reporting systems, etc, etc) are all web based -- which makes Windows less and less relevant every single day. Microsoft's nightmare come true. The reason Microsoft killed Netscape was the fear that web applications would make the OS irrelevant. And it has.

    --
    People today are educated enough to repeat what they are taught but not to question what they are taught.
    Starting Score:    1  point
    Moderation   +2  
       Interesting=2, Total=2
    Extra 'Interesting' Modifier   0  
    Karma-Bonus Modifier   +1  

    Total Score:   4  
  • (Score: 0) by Anonymous Coward on Thursday January 17 2019, @12:26PM

    by Anonymous Coward on Thursday January 17 2019, @12:26PM (#787868)

    Have you seen the latest KBs for IE? Seriously? Even now, if you don't have the latest patch then a "specially crafted" web page can get system level access and take over the computer.
    Even if you only miss some patches it can get user level.
    It's nuts.