Bug 32545 - CVE-2016-7795, CVE-2016-7796: systemd: local denial-of-service attack via notification socket
Summary: CVE-2016-7795, CVE-2016-7796: systemd: local denial-of-service attack via not...
Status: NEW
Alias: None
Product: ALT Linux Centaurus
Classification: Distributions
Component: Ошибки работы (show other bugs)
Version: не указана
Hardware: all Linux
: P3 normal
Assignee: Anton V. Boyarshinov
QA Contact: qa-p7@altlinux.org
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-09-29 18:50 MSK by Mikhail Kasimov
Modified: 2016-09-30 15:59 MSK (History)
3 users (show)

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Mikhail Kasimov 2016-09-29 18:50:43 MSK
Источник: http://seclists.org/oss-sec/2016/q3/641

====================
systemd[1] fails an assertion in manager_invoke_notify_message[2] when
a zero-length message is received over its notification socket.
After failing the assertion, PID 1 hangs in the pause system call.
It is no longer possible to start and stop daemons or cleanly reboot
the system. Inetd-style services managed by systemd no longer accept
connections.

Since the notification socket, /run/systemd/notify, is world-writable,
this allows a local user to perform a denial-of-service attack against
systemd.

Proof-of-concept:

        NOTIFY_SOCKET=/run/systemd/notify systemd-notify ""

This vulnerability is present in all versions of systemd since at
least v209[3].

This has been reported to systemd.[4]

[1] https://github.com/systemd/systemd/
[2] https://github.com/systemd/systemd/blob/b8fafaf4a1cffd02389d61ed92ca7acb1b8c739c/src/core/manager.c#L1666
[3] https://github.com/systemd/systemd/commit/5ba6985b6c8ef85a8bcfeb1b65239c863436e75b#diff-ab78220e12703ee63fa1e6a2caa16bebR1325
[4] https://github.com/systemd/systemd/issues/4234
====================

Т.к. апстрим systemd поддерживает только релизную ветку (232) и два более ранних релиза (231,230), необходимо проверить и, при необходимости, исправить используемую (-ые) версию(-ии) systemd в продуктах ALT Linux. В комментариях к [4] приведён более полный PoC, который позволяет воспроизвести проблему.

CVE пока не присвоено, но, судя по назначенному приоритету в баг-трекере openSUSE (https://bugzilla.suse.com/show_bug.cgi?id=1001765), баг довольно серьёзный и требует оперативного исправления. В апстриме проблема уже исправлена.
Comment 1 Mikhail Kasimov 2016-09-30 11:13:19 MSK
Присвоенные CVE: CVE-2016-7795, CVE-2016-7796 Источник: http://seclists.org/oss-sec/2016/q3/675
Comment 2 Sergey Novikov 2016-09-30 15:05:28 MSK
На виртуальной машине следующие результаты:

От root:

$ while true; do NOTIFY_SOCKET=/run/systemd/notify systemd-notify ""; done >systemdlog

Broadcast message from systemd-journald@host-15.localdomain (Fri 2016-09-30 14:36:54 MSK):

systemd[1]: Caught <ABRT>, dumped core as pid 1594.


Broadcast message from systemd-journald@host-15.localdomain (Fri 2016-09-30 14:36:54 MSK):

systemd[1]: Freezing execution.

Failed to notify init system: Connection refused
Failed to notify init system: Connection refused
Failed to notify init system: Connection refused


Перестают запускаться сервисы:

$ service sshd start
Failed to start sshd.service: Failed to activate service 'org.freedesktop.systemd1': timed out
See system logs and 'systemctl status sshd.service' for details.

От обычного пользователя:

$ while true; do NOTIFY_SOCKET=/run/systemd/notify systemd-notify ""; done >systemdlog
bash: systemdlog: Отказано в доступе

Версия systemctl:
$ systemctl --version
systemd 230
+PAM +AUDIT +SELINUX -IMA -APPARMOR -SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD +IDN

Версия ALT Linux:
$ uname -a
Linux host-15.localdomain 4.4.16-std-def-alt0.M80P.1 #1 SMP Thu Jul 28 03:44:48 UTC 2016 x86_64 GNU/Linux