Admins and DevOps working with Linux machines will want to keep an eye out for patches for a trio of security vulnerabilities affecting systemd, the system and service manager that is primarily tasked with deciding what programs run when Linux boots. Specifically, the vulnerabilities are in systemd-journald, the component that collects and stores logging data. All three can be exploited by a local user to gain root access.
Linux's systemd was first introduced in 2011 into Fedora. By 2015, nearly all other Linux distributions had adopted it as well. The software suite has been controversial since its introduction, however, with critics saying it's overly complex and that its architecture violates a prime principle of Unix-like operating systems, that systems should "do one thing and do it well."
Although the noise generated by systemd naysayers has died down in recent years, news of bugs or security issues, even when relatively minor, tend to restart the discussion on sites like Reddit or Slashdot to some degree.
The latest batch of security flaws was discovered and made public last week by the security firm Qualys, which said the vulnerabilities can be exploited in all systemd-based Linux distributions with the exception of SUSE Linux Enterprise 15, openSUSE Leap 15.0, and Fedora 28 and 29, all of which compile user space with GCC's -fstack-clash-protection. That flag defends against stack clash, a variation of stack overflow in which a large stack allocation jumps the stack pointer past the guard page and into another memory region.
The researchers discovered the first of these bugs -- CVE-2018-16864, a memory corruption bug -- while working on another Linux security hole. They found that by passing several megabytes of command-line arguments to a program that calls syslog(), they could get journald to crash. This could be used by a local attacker to escalate privileges to gain root access.
While working on a proof of concept for this bug, the security company said, "we discovered two different vulnerabilities (CVE-2018-16865, another attacker-controlled alloca(), and CVE-2018-16866, an information leak) that are reliably exploitable on both i386 and amd64."
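The two alloca() bugs come down to one pattern: a scratch buffer whose size is taken from untrusted input is placed on the stack, and a message large enough moves the stack pointer past the guard page. The following C is an added illustration written for this article, not systemd's or Qualys's code; it shows the risky pattern beside a bounded version that keeps only small buffers on the stack and sends anything larger to the heap. The `STACK_ALLOC_LIMIT` value and the printable-character counting are assumptions chosen for the demonstration.

```c
#include <alloca.h>
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Largest size this example is willing to place on the stack. The limit is
 * an assumption chosen for the demonstration, not a value taken from systemd. */
#define STACK_ALLOC_LIMIT 4096

/* Risky pattern: the scratch buffer size comes straight from the caller.
 * With a message of several megabytes the allocation skips the guard page,
 * which is the stack-clash condition the article describes. Only ever call
 * this with small inputs; it is here to show the shape of the defect. */
size_t count_printable_unbounded(const char *msg, size_t len) {
    char *scratch = alloca(len);          /* attacker-controlled size */
    memcpy(scratch, msg, len);
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        if (isprint((unsigned char)scratch[i]))
            n++;
    return n;
}

/* Hardened pattern: stack allocation only below a fixed bound, heap otherwise.
 * Returns (size_t)-1 if the heap allocation fails. */
size_t count_printable_bounded(const char *msg, size_t len) {
    char *scratch;
    int on_heap = 0;
    if (len <= STACK_ALLOC_LIMIT) {
        scratch = alloca(len);            /* at most STACK_ALLOC_LIMIT bytes */
    } else {
        scratch = malloc(len);            /* large input never touches the stack */
        if (!scratch)
            return (size_t)-1;
        on_heap = 1;
    }
    memcpy(scratch, msg, len);
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        if (isprint((unsigned char)scratch[i]))
            n++;
    if (on_heap)
        free(scratch);
    return n;
}

/* Builds a constructed message of `len` 'A' bytes and runs the bounded
 * version over it; returns the printable count (len on success). */
size_t demo_large_message(size_t len) {
    char *big = malloc(len);
    if (!big)
        return (size_t)-1;
    memset(big, 'A', len);
    size_t n = count_printable_bounded(big, len);
    free(big);
    return n;
}

int main(void) {
    const char small[] = "hello\n";                    /* constructed input */
    printf("small, bounded:   %zu printable\n", count_printable_bounded(small, sizeof small - 1));
    printf("1 MiB, bounded:   %zu printable\n", demo_large_message(1u << 20));
    return 0;
}
```

The bounded version is the same idea that `-fstack-clash-protection` enforces at the compiler level (probing each page as the stack grows), but done explicitly in source so that the code stays safe even when built without that flag.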
Qualys has developed an exploit that chains the latter two bugs to obtain a root shell in about 10 minutes on i386 machines and 70 minutes on amd64 hardware. The company said it will publish the exploit in the near future.
Red Hat, which maintains Linux's systemd, has issued patches for CVE-2018-16864 and CVE-2018-16865 and has given the vulnerabilities an "Important" impact rating with severity scores of 7.4 and 7.5. These patches should be available soon, if not already, for most Linux distributions. Because it is not considered easy to exploit on its own, CVE-2018-16866 has been assigned an impact rating of "Moderate," with a severity score of 4.3.