Don't panic, but Linux's Systemd can be pwned via an evil DNS query


Batu69

PS, Alpine users, you need to get patching, too – for other reasons

Systemd, the Linux world's favorite init monolith, can be potentially crashed or hijacked by malicious DNS servers. Patches are available to address the security flaw, and should be installed ASAP if you're affected.

Looking up a hostname from a vulnerable Systemd-powered PC, handheld, gizmo or server can be enough to trigger an attack by an evil DNS service: the software's resolved component can be fooled into allocating too little memory for a lookup response, and when a large reply is eventually received, this data overflows the buffer allowing the attacker to overwrite memory. This can crash the process or lead to remote code execution, meaning the remote evil DNS service can run malware on your box.

"A malicious DNS server can exploit this by responding with a specially crafted TCP payload to trick systemd-resolved into allocating a buffer that's too small, and subsequently write arbitrary data beyond the end of it," explained Chris Coulson, of Ubuntu maker Canonical, who discovered the out-of-bounds write in systemd-resolved.

The programming blunder, assigned the ID CVE-2017-9445, was accidentally introduced in Systemd version 223 in June 2015 and is present all the way up to and including version 233 in March this year.

This means it is present in Ubuntu versions 17.04 and 16.10. Canonical has put out a pair of fixes for 17.04 and 16.10 to address the flaw.

The bug is technically present in Debian Stretch (aka Debian 9), Buster (aka 10) and Sid (aka Unstable), however "systemd-resolved is not enabled by default in Debian," according to the project's Salvatore Bonaccorso, so either you have nothing to worry about, apply the patch yourself, or hang tight for the next point release.

Various other Linux distros use Systemd, too: check to make sure there are no updates available and ready to install for your version of systemd-resolved via the usual package manager. If there are, well, you know what to do.

Meanwhile, researcher Ariel Zelivansky has found some security bugs in Alpine Linux's package manager apk. The flaws, assigned CVE-2017-9669 and CVE-2017-9671, allow remote code execution on Alpine Linux instances (including Docker runs), via buffer overflows in the handling of package files.

"The only prerequisite would be to figure out the memory layout of the program," Zelivansky said. "Protections like ASLR or other hardenings may block the attacker from succeeding, but he may be able to get around it and still achieve execution."

Article source

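A triage check for the update advice in the article above, as an added example that is not part of the original article or post: it reads the upstream version from `systemctl --version`, compares it with the 223 to 233 range the article gives, and then looks at whether systemd-resolved is active or enabled. The function names, result labels and sample output are assumptions made for this sketch; distributions backport fixes, so an in-range result still means checking the installed package's changelog for CVE-2017-9445.

```shell
#!/bin/sh
# Added example: triage a host for CVE-2017-9445 exposure.
# Affected upstream range per the article: systemd 223 through 233.

# Constructed sample of `systemctl --version` output (not from a real host).
SAMPLE_VERSION_OUTPUT='systemd 232
+PAM +AUDIT +SELINUX +IMA +APPARMOR'

# Print the upstream version number from the first line of
# `systemctl --version` output, e.g. "systemd 232" -> 232.
# Prints nothing if the first line does not have that shape.
systemd_version() {
    printf '%s\n' "$1" | sed -n '1s/^systemd \([0-9][0-9]*\).*/\1/p'
}

# Classify a host.
#   $1 = output of `systemctl --version`
#   $2 = output of `systemctl is-active systemd-resolved`
#   $3 = output of `systemctl is-enabled systemd-resolved`
classify() {
    v=$(systemd_version "$1")
    if [ -z "$v" ]; then
        # Never report "safe" when the version could not be parsed.
        echo "unknown-version"
    elif [ "$v" -lt 223 ] || [ "$v" -gt 233 ]; then
        echo "outside-affected-range"
    elif [ "$2" = "active" ] || [ "$3" = "enabled" ]; then
        # Resolver is running now or will start at boot: confirm the
        # distribution's patched package is installed.
        echo "in-range-resolved-in-use"
    else
        # Matches the Debian default the article mentions.
        echo "in-range-resolved-not-in-use"
    fi
}

# Run against the local host only when asked to.
if [ "${1:-}" = "--live" ]; then
    classify "$(systemctl --version)" \
             "$(systemctl is-active systemd-resolved 2>/dev/null)" \
             "$(systemctl is-enabled systemd-resolved 2>/dev/null)"
fi
```

Run it with `--live` on a host to get one of the four labels; without arguments it only defines the functions.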



Oh joy, Systemd updates! Just to let you in on a little secret: DNS for VPNs has never worked right on 17.04. On 16.04 and lower it doesn't have DNS leaks. Now I have to go to the network manager and change the DNS to something else, then the VPN DNS doesn't leak anymore. Windows always had a problem with DNS leaks, and you have to use a workaround or the client has a built-in workaround.



Well, the bug doesn't seem to be related to the VPN DNS bug, because I did those DNS updates and I still need to use a workaround. Thanks for the heads up. I always do all my updates on Linux for stuff I have installed, and if anyone is having trouble with DNS leaking in Ubuntu 17.04 with a VPN, feel free to PM me; I will tell you how to fix it. :)
