Three vulnerabilities in a component of systemd have been discovered by researchers at Qualys. The vulnerabilities are CVE-2018-16864, CVE-2018-16865, and CVE-2018-16866, and patches addressing them are already available.
More specifically, they were discovered in systemd-journald, the part of systemd that handles the collection and storage of log data. The first two vulnerabilities are memory corruption flaws, and the third one is an out-of-bounds error that can leak data.
The patches should appear in distro repositories thanks to a coordinated disclosure. It should be noted, though, that depending on the installed version, Debian is still vulnerable, researchers say.
CVE-2018-16864, CVE-2018-16865, CVE-2018-16866: Technical Overview
CVE-2018-16864 and CVE-2018-16865 are memory corruption vulnerabilities, and CVE-2018-16866 is an information leak (an out-of-bounds read) flaw.
CVE-2018-16864 was introduced in April 2013 (systemd v203) and became exploitable in February 2016 (systemd v230). Qualys researchers developed a proof of concept for the flaw that gains eip control on i386, as explained in the official security advisory.
As for CVE-2018-16865, the flaw was introduced in December 2011 (systemd v38). It became exploitable in April 2013 (systemd v201). Finally, CVE-2018-16866 was introduced in June 2015 (systemd v221) and was “inadvertently fixed” in August 2018.
The researchers developed an exploit for CVE-2018-16865 and CVE-2018-16866 that obtains a local root shell in 10 minutes on i386 and 70 minutes on amd64, on average. The exploit is supposed to be published in the future.
Qualys believes that all systemd-based Linux distributions are vulnerable. However, SUSE Linux Enterprise 15, openSUSE Leap 15.0, and Fedora 28 and 29 are not exploitable. The reason is that their user space is compiled with GCC’s -fstack-clash-protection.
In a phone conversation with The Register, Jimmy Graham, director of product management at Qualys, said that “they’re all aware of the issues” and patches are being rolled out.
It’s important to note that CVE-2018-16864 can be exploited by malware running on a Linux box, or by a malicious logged-in user. As a result, the systemd-journald system service can be crashed and hijacked, which could lead to root access. The other two flaws can be exploited together in a local attack in which the malicious user is able to crash or hijack the journal service with root privileges.