Ubuntu, Fedora, Arch Linux and other Linux distributions have released patches for a serious arbitrary code execution vulnerability that could be exploited through malicious Domain Name System (DNS) packets.
The flaw was found in systemd-resolved, a service that’s part of the systemd initialization system adopted by many Linux distributions in recent years. The resolved service provides network name resolution to local applications by querying DNS servers.
The vulnerability, tracked as CVE-2017-9445, was discovered by Chris Coulson, a software engineer at Canonical and member of the Ubuntu team, who noticed that when dealing with certain data packet sizes, systemd-resolved fails to allocate a sufficiently large buffer.
“A malicious DNS server can exploit this by responding with a specially crafted TCP payload to trick systemd-resolved to allocate a buffer that’s too small, and subsequently write arbitrary data beyond the end of it,” Coulson said in an advisory posted on the Open Source Security mailing list.
This could be exploited to crash the systemd-resolved daemon or to execute potentially malicious code in its context.
There are multiple ways in which an attacker could send malicious DNS packets to a Linux system with systemd-resolved running. One of them is by launching a man-in-the-middle attack on an insecure wireless network or through a compromised router.
Fortunately, not all Linux systems are affected, because some distributions don’t use systemd and, even among those that do, not all of them include systemd-resolved. For example, SUSE and openSUSE distributions don’t ship this component and, while Debian 9 (Stretch) includes it, the service is not enabled by default. Earlier Debian versions don’t contain the vulnerable code at all.
Red Hat rated this vulnerability as important and assigned it a Common Vulnerability Scoring System (CVSS) score of 7.5, but determined that it does not affect the versions of systemd shipped with Red Hat Enterprise Linux 7. Fedora, however, is affected and has issued patches.
Ubuntu, Arch Linux and probably other distributions are also affected. Users should check if they have any updates pending for systemd and should deploy the patches as soon as possible. According to Coulson, the flaw was likely introduced in systemd version 223 in 2015 and affects all versions up to and including 233.
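The check the article recommends, written out as an added example (this is not code from the article, from Canonical or from the systemd project): a POSIX shell script that reads the systemd major version, tests it against the 223 to 233 range Coulson reported, and combines that with whether the systemd-resolved unit is active. The unit name and the first line of `systemd --version` output are as systemd prints them; the CVE_2017_9445_CHECK environment variable and the embedded sample output are this example's own constructions. One caveat a practitioner should keep in mind: a major version inside the range does not by itself prove a host is unpatched, because distributions backport fixes into their existing package versions (Ubuntu's 229-based packages, for instance), so the distribution's advisory and the installed package's changelog are the authoritative source.

```shell
#!/bin/sh
# Added example, not part of the article: classify a host's systemd version
# against the affected range reported for CVE-2017-9445 (223 through 233)
# and report whether systemd-resolved is actually running.

# Return 0 (true) when the major version is inside 223..233, 1 when it is
# outside, 2 when the argument is not a plain integer.
systemd_version_affected() {
    v="$1"
    case "$v" in
        ''|*[!0-9]*) return 2 ;;
    esac
    [ "$v" -ge 223 ] && [ "$v" -le 233 ]
}

# Extract the major version from `systemd --version` output. The first line
# looks like "systemd 233" (or "systemd 229" on Ubuntu 16.04, whose package
# revision carries the backported fix and is not visible here).
systemd_major_from_output() {
    printf '%s\n' "$1" | sed -n '1s/^systemd \([0-9][0-9]*\).*/\1/p'
}

# Turn (major version, unit state) into a one-line verdict.
classify() {
    major="$1"
    state="$2"
    if [ -z "$major" ]; then
        echo "unknown systemd version: check the package manager directly"
        return 0
    fi
    if ! systemd_version_affected "$major"; then
        echo "systemd $major: outside the 223-233 range reported for CVE-2017-9445"
        return 0
    fi
    if [ "$state" = "active" ]; then
        echo "systemd $major with systemd-resolved active: confirm the distribution's patch is installed"
    else
        echo "systemd $major but systemd-resolved is $state: lower exposure, still install the update"
    fi
}

# Live check against the current host. `systemctl is-active` exits non-zero
# for any state other than active, so the exit status is discarded and only
# the printed state word is kept.
check_host() {
    if ! command -v systemctl >/dev/null 2>&1; then
        echo "no systemctl found: not a systemd host, systemd-resolved not applicable"
        return 0
    fi
    major=$(systemd_major_from_output "$(systemd --version 2>/dev/null || true)")
    state=$(systemctl is-active systemd-resolved 2>/dev/null || true)
    classify "$major" "${state:-unknown}"
}

# Constructed sample output (not captured from a real host) so the script
# demonstrates itself offline; the feature flags line mimics systemd's format.
SAMPLE_VERSION_OUTPUT='systemd 233
+PAM +AUDIT +SELINUX +IMA +APPARMOR'

demo() {
    classify "$(systemd_major_from_output "$SAMPLE_VERSION_OUTPUT")" active
}

if [ "${CVE_2017_9445_CHECK:-demo}" = "live" ]; then
    check_host
else
    demo
fi
```

Run it as `CVE_2017_9445_CHECK=live sh check-resolved.sh` to inspect the host you are on; without the variable it classifies the embedded sample and prints the "systemd 233 with systemd-resolved active" verdict. The three-way split (version unknown, outside range, inside range with or without the unit active) is deliberate: a host that ships the vulnerable systemd but never enables systemd-resolved, as the article notes for Debian 9, still needs the update but is not exposed through the resolver.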
Red Hat is a sponsor of The New Stack.