A critical vulnerability has been found in systemd, the init system and service manager used by most major Linux distributions, that could let a remote attacker trigger a buffer overflow, and potentially execute malicious code, on a targeted machine via a crafted DNS response.
systemd is an init system used by Linux distributions to bootstrap user space and manage all subsequent processes, replacing the traditional UNIX System V and Berkeley Software Distribution (BSD) init systems.
The vulnerability, tracked as CVE-2017-9445, resides in the ‘dns_packet_new’ function of ‘systemd-resolved,’ the systemd component that handles DNS responses and provides network name resolution to local applications.
What really happens in the system?
A malicious DNS server can trigger the flaw by responding with a specially crafted TCP payload that tricks systemd-resolved into allocating a buffer that’s too small, after which the response data is written beyond the end of it.
According to the published advisory, a specially crafted malicious DNS response can crash the ‘systemd-resolved’ program remotely whenever the system looks up a hostname using an attacker-controlled DNS server.
Because the oversized response is copied into the undersized buffer, an attacker can overwrite adjacent memory, which in the worst case leads to remote code execution: the attacker could run arbitrary code on the targeted system or server simply by answering its DNS queries from a malicious DNS server.
“In systemd through 233, certain sizes passed to dns_packet_new in systemd-resolved can cause it to allocate a buffer that’s too small,” explains Chris Coulson, Ubuntu developer at Canonical.
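To make “certain sizes” concrete, here is an added example (written for this article, not systemd’s own code) that models the allocation arithmetic the advisory describes: the requested size is first reduced by an IP+UDP header allowance, then rounded up to a page boundary and capped at the maximum DNS message size. The rounding usually hides the subtraction, but for lengths that land on or just below a page boundary the buffer ends up shorter than the length the server announced. All constants (4 KiB pages, a 104-byte struct header, a 28-byte IPv4+UDP header, a 12-byte DNS header, a 512-byte default buffer, a 65535-byte cap) are assumptions chosen for the model, and the function names are hypothetical; the hardened variant simply stops subtracting the header allowance. The program scans every possible 16-bit TCP length prefix and reports which ones would be under-allocated under each variant.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed constants for the model (not systemd's exact values). */
#define PAGE_SIZE_   4096u
#define STRUCT_HDR   104u   /* stands in for ALIGN(sizeof(DnsPacket)) */
#define UDP_IP_HDR   28u    /* sizeof(struct iphdr) + sizeof(struct udphdr) */
#define DNS_HDR      12u    /* fixed DNS message header */
#define SIZE_START   512u   /* default buffer when no size is requested */
#define SIZE_MAX_    65535u /* largest DNS message a 16-bit length can carry */

static size_t page_align(size_t x) {
    return (x + PAGE_SIZE_ - 1) & ~(size_t)(PAGE_SIZE_ - 1);
}

/* Vulnerable model: the requested size is treated like a link-layer MTU and
 * the IP+UDP header size is subtracted before rounding up to a page. When
 * STRUCT_HDR + (requested - 28) already sits on, or within 28 bytes below,
 * a page boundary, the rounding cannot recover the subtracted bytes and the
 * buffer is up to 28 bytes shorter than `requested`. */
static size_t alloc_size_vulnerable(size_t requested) {
    size_t a;
    if (requested <= UDP_IP_HDR)
        a = SIZE_START;
    else
        a = requested - UDP_IP_HDR;
    if (a < DNS_HDR)
        a = DNS_HDR;
    a = page_align(STRUCT_HDR + a) - STRUCT_HDR; /* round up to a page */
    if (a > SIZE_MAX_)                           /* never allocate more than useful */
        a = SIZE_MAX_;
    return a;
}

/* Hardened model: the argument is a minimum data size and is never reduced,
 * so page rounding can only ever make the buffer larger than requested. */
static size_t alloc_size_fixed(size_t min_dsize) {
    size_t a = min_dsize < DNS_HDR ? SIZE_START : min_dsize;
    a = page_align(STRUCT_HDR + a) - STRUCT_HDR;
    if (a > SIZE_MAX_)
        a = SIZE_MAX_;
    return a;
}

/* Bytes a TCP reader would write past the buffer when the server announces a
 * 16-bit length prefix `wire_len` and the buffer comes from `alloc`. */
static size_t overflow_bytes(size_t wire_len, size_t (*alloc)(size_t)) {
    size_t allocated = alloc(wire_len);
    return wire_len > allocated ? wire_len - allocated : 0;
}

/* Smallest announced length that overflows; 0 means none (length 0 can
 * never overflow, since it always gets the default buffer). */
static size_t first_undersized(size_t (*alloc)(size_t)) {
    for (size_t w = 0; w <= SIZE_MAX_; w++)
        if (overflow_bytes(w, alloc) > 0)
            return w;
    return 0;
}

/* How many of the 65536 possible length prefixes overflow. */
static size_t count_undersized(size_t (*alloc)(size_t)) {
    size_t n = 0;
    for (size_t w = 0; w <= SIZE_MAX_; w++)
        if (overflow_bytes(w, alloc) > 0)
            n++;
    return n;
}

int main(void) {
    size_t w = first_undersized(alloc_size_vulnerable);
    printf("vulnerable model: %zu of 65536 TCP lengths are under-allocated\n",
           count_undersized(alloc_size_vulnerable));
    printf("  first one: length %zu gets a %zu-byte buffer (%zu bytes short)\n",
           w, alloc_size_vulnerable(w), overflow_bytes(w, alloc_size_vulnerable));
    printf("fixed model: %zu under-allocated lengths\n",
           count_undersized(alloc_size_fixed));
    return 0;
}
```

With the assumed constants, 28 lengths in every 4 KiB window are short by between 1 and 28 bytes, and the shortfall is exactly the header allowance that was subtracted but never added back. That is why a malicious server only needs to pick one of those lengths for its TCP response; the read loop trusts the announced length and writes that many bytes into the smaller buffer. The fix makes the allocator monotone (allocated size is never below the requested size), which is the property worth asserting in any buffer-sizing helper.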
Is your system vulnerable?
The vulnerability is present in every systemd release since mid-2015: systemd 223 through 233 are all affected, and the fix shipped in systemd 234. A system is only exposed if systemd-resolved is actually running, which not every distribution enables by default, so check that first before assuming you are affected.
The bug is present in Ubuntu versions 16.10 and 17.04; Debian versions Stretch (aka Debian 9), Buster (aka 10) and Sid (aka Unstable); and various other Linux distributions that use systemd.
Security patches have been rolled out to address the issue, so users and system administrators are strongly advised to install them and update their Linux systems as soon as possible.