Linux users, beware. A number of Linux distros are at risk due to a bug in systemd. The flaw is located in systemd's DNS resolver (systemd-resolved) and could lead to denial-of-service (DoS) attacks on affected systems, Trend Micro researchers warn. The vulnerability is identified as CVE-2017-15908:
In systemd 223 through 235, a remote DNS server can respond with a custom crafted DNS NSEC resource record to trigger an infinite loop in the dns_packet_read_type_window() function of the ‘systemd-resolved’ service and cause a DoS of the affected service.
In short, systemd is an init system used in most Linux distributions to bootstrap the user space and manage all processes subsequently, replacing the UNIX System V or Berkeley Software Distribution (BSD) init systems. The name systemd follows the Unix convention of naming daemons by appending the letter d.
CVE-2017-15908 Explained – How It Is Triggered
There are many ways to get a user's system to query a DNS server under an attacker's control. The easiest, Trend Micro explains, is to make the user visit an attacker-controlled domain, either through social engineering techniques or with the help of specific malware.
CVE-2017-15908 was discovered in July and was reported to the corresponding vendors almost immediately. Interestingly, independent researchers discovered the same flaw in October and reported it to Canonical. Fixes were quickly released to the affected Linux distros. Researchers say that no attacks against this flaw have been registered in the wild.
The flaw itself lies in how systemd-resolved processes the bits that represent pseudo-types in the NSEC type bitmap.
Mitigation Against CVE-2017-15908
Fortunately, fixes are already available for this flaw, and it is highly recommended that the patches are applied as soon as possible. System administrators can also opt to block potentially malicious packets manually. As the researchers advise, DNS responses should be checked to see whether the resource records they contain conform to the format specified in section 4 of RFC 4034.
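The response check described above, as an added example that is not Trend Micro's or systemd's code: it parses the type bitmap of an NSEC record exactly as RFC 4034, section 4.1.2 specifies it, and reports any encoding the RFC forbids (a window block with a length outside 1..32, windows out of ascending order, a truncated block, a trailing zero octet, or a bit set for a pseudo-type), which is the condition a filtering resolver would drop the response on. The sample inputs are the bitmap from the RFC's own example and a constructed malformed block.

```python
# Type 0 and the pseudo/meta types must never be set in an NSEC bitmap
# (RFC 4034 4.1.2); the numbers are the query/meta types from RFC 6895.
PSEUDO_TYPES = {0, 41, 249, 250, 251, 252, 253, 254, 255}


def parse_nsec_bitmap(bitmap: bytes) -> list:
    """Return the RR types set in an NSEC type bitmap, in wire order.

    Raises ValueError for any encoding RFC 4034 forbids. The RFC tells a
    plain reader to ignore pseudo-type bits; a filter rejects them instead.
    """
    types, pos, last_window = [], 0, -1
    while pos < len(bitmap):              # pos advances on every iteration
        if len(bitmap) - pos < 2:
            raise ValueError("truncated window header")
        window, length = bitmap[pos], bitmap[pos + 1]
        pos += 2
        if not 1 <= length <= 32:
            raise ValueError(f"window {window}: length {length} not in 1..32")
        if window <= last_window:
            raise ValueError(f"window {window}: not in ascending order")
        last_window = window
        block = bitmap[pos:pos + length]
        pos += length
        if len(block) != length:
            raise ValueError(f"window {window}: truncated block")
        if block[-1] == 0:                # trailing zero octets MUST be omitted
            raise ValueError(f"window {window}: trailing zero octet")
        for octet_index, octet in enumerate(block):
            for bit in range(8):          # bit 0 is the most significant bit
                if octet & (0x80 >> bit):
                    rrtype = window * 256 + octet_index * 8 + bit
                    if rrtype in PSEUDO_TYPES:
                        raise ValueError(f"pseudo-type {rrtype} bit set")
                    types.append(rrtype)
    return types


def nsec_bitmap_is_valid(bitmap: bytes) -> bool:
    """True if the bitmap parses cleanly; otherwise the record is malformed."""
    try:
        parse_nsec_bitmap(bitmap)
        return True
    except ValueError:
        return False


# RFC 4034 4.1.2 example bitmap: types A, MX, RRSIG, NSEC and TYPE1234.
RFC4034_EXAMPLE = bytes.fromhex("0006400100000003041b" + "00" * 26 + "20")
# Constructed malformed block: window 0, 32 octets, with the ANY (255) bit set.
ANY_BIT_SET = bytes([0, 32]) + bytes(31) + bytes([0x01])
```

Running parse_nsec_bitmap on RFC4034_EXAMPLE yields [1, 15, 46, 47, 1234], while ANY_BIT_SET is rejected.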
Another systemd vulnerability that could lead to a denial-of-service attack was discovered in Linux in October 2016. As reported at the time, the bug could kill a number of critical commands and make others unstable, triggered simply by running the command NOTIFY_SOCKET=/run/systemd/notify systemd-notify "".
The bug was quite serious, as it allowed any local user to trivially perform a denial-of-service attack against a critical system component.