The systemd-journald service has been found to be affected by two dangerous vulnerabilities, tracked as CVE-2018-16865 and CVE-2018-16866. By exploiting them, attackers can corrupt the service's memory and, in the worst case, execute code with the privileges of the journald daemon. systemd-journald is one of the core components of most modern Linux systems today, which is why everyone should apply the available patches to make sure they are protected against possible attacks.
Systemd-journald Under Threat, Proof-of-Concept Exploit Available
A serious issue has just been reported to affect one of the key components of most Linux systems today: the systemd journal service, systemd-journald. This is the logging service used by systemd; its main task is to collect and store logging data in a structured, indexed journal. It accepts log data from a variety of sources, including the following:
- Kernel log messages, via kmsg
- Simple system log messages
- Structured system log messages via the native Journal API
- Standard output and standard error of service units
- Audit records, originating from the kernel audit subsystem
Because every local process can feed data into the service, and remote hosts can too where systemd-journal-remote is deployed, any flaw in how it parses that input is serious. The first vulnerability is CVE-2018-16865, described as follows:
An allocation of memory without limits, that could result in the stack clashing with another memory region, was discovered in systemd-journald when many entries are sent to the journal socket. A local attacker, or a remote one if systemd-journal-remote is used, may use this flaw to crash systemd-journald or execute code with journald privileges. Versions through v240 are vulnerable.
The issue was still under analysis at the time of writing, and it poses a direct threat to unpatched systems. Any local code that can write to the journal socket, whether a script or a standalone program, can crash systemd-journald and so knock out logging on the machine. The worse outcome is that the same flaw can be used to execute attacker-supplied code with the privileges of the journald daemon.
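The native wire format behind "many entries are sent to the journal socket" is simple enough to parse in a few dozen lines, and doing so shows where the allocation bound belongs. The program below is an added example written for this article, not code from systemd: it parses datagrams in journald's native format (text fields as KEY=VALUE, binary-safe fields as KEY followed by a little-endian 64-bit length and the raw bytes) into a heap-allocated field array, and it counts the fields on the raw bytes and checks the count against a cap before any memory is requested. The 1024-field cap, the FIELD_COUNT_MAX name, the jfield structure and the sample datagrams are all assumptions made for this example.

```c
/* Added example for this article, not code from systemd. Parses datagrams in
 * journald's native wire format and bounds the field count before allocating.
 * FIELD_COUNT_MAX, struct jfield and the sample datagrams are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FIELD_COUNT_MAX 1024   /* assumed cap on fields per entry */

struct jfield {
    const uint8_t *key; size_t keylen;  /* field name, e.g. MESSAGE */
    const uint8_t *val; size_t vallen;  /* value bytes, may be binary */
};

/* Field names are [A-Z0-9_] and do not start with a digit. A leading '_' marks
 * a trusted field that journald adds itself; a client may not set one, so such
 * a field is dropped. Returns 1 keep, 0 drop, -1 invalid name. */
static int classify_name(const uint8_t *k, size_t n) {
    if (n == 0 || n > 64 || (k[0] >= '0' && k[0] <= '9')) return -1;
    for (size_t i = 0; i < n; i++) {
        uint8_t c = k[i];
        if (!((c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9') || c == '_')) return -1;
    }
    return k[0] == '_' ? 0 : 1;
}

/* One pass over the datagram. With out == NULL it only counts; otherwise it also
 * stores up to cap fields. Returns the number of kept fields, or -1 if the
 * datagram is malformed. Nothing is allocated here. */
static long scan(const uint8_t *buf, size_t len, struct jfield *out, size_t cap) {
    long n = 0;
    size_t i = 0;
    while (i < len) {
        const uint8_t *nl = memchr(buf + i, '\n', len - i);
        if (!nl) return -1;                          /* every line ends in '\n' */
        size_t linelen = (size_t)(nl - (buf + i));
        if (linelen == 0) break;                     /* empty line ends the entry */
        const uint8_t *key = buf + i, *eq = memchr(key, '=', linelen), *val;
        size_t keylen, vallen, next;
        if (eq) {                                    /* text form: KEY=VALUE\n */
            keylen = (size_t)(eq - key);
            val = eq + 1; vallen = linelen - keylen - 1;
            next = i + linelen + 1;
        } else {                                     /* binary form: KEY\n<le64 size><data>\n */
            keylen = linelen;
            size_t hdr = i + linelen + 1;            /* offset of the 8-byte length */
            if (len - hdr < 8) return -1;
            uint64_t dlen = 0;
            for (int b = 7; b >= 0; b--) dlen = (dlen << 8) | buf[hdr + b];
            if (dlen >= len - hdr - 8 || buf[hdr + 8 + dlen] != '\n') return -1;
            val = buf + hdr + 8; vallen = (size_t)dlen;
            next = hdr + 8 + (size_t)dlen + 1;
        }
        int cls = classify_name(key, keylen);
        if (cls < 0) return -1;
        if (cls > 0) {
            if (out && (size_t)n < cap) out[n] = (struct jfield){ key, keylen, val, vallen };
            n++;
        }
        i = next;
    }
    return n;
}

/* Parse one entry. The field count is taken on the raw bytes and checked against
 * max_fields before any memory is requested; the array then comes from the heap,
 * sized to that count. Returns the count and sets *out (caller frees),
 * -1 if malformed, -2 if over the limit. */
long journal_parse(const uint8_t *buf, size_t len, struct jfield **out, size_t max_fields) {
    *out = NULL;
    long n = scan(buf, len, NULL, 0);
    if (n < 0) return -1;
    if ((size_t)n > max_fields) return -2;
    if (n == 0) return 0;
    struct jfield *f = calloc((size_t)n, sizeof *f);
    if (!f) return -1;
    scan(buf, len, f, (size_t)n);
    *out = f;
    return n;
}

/* Constructed sample datagrams (not captured traffic). */
static const char SAMPLE_TEXT[] =
    "MESSAGE=disk check complete\n"
    "PRIORITY=6\n"
    "SYSLOG_IDENTIFIER=fsck\n"
    "_PID=1\n";                                  /* client-supplied trusted field: dropped */
static const uint8_t SAMPLE_BIN[] = {
    'M','E','S','S','A','G','E','\n',
    5,0,0,0,0,0,0,0,                             /* le64 length 5 */
    'a','\n','b','\0','c','\n',                  /* value with embedded newline and NUL */
    'P','R','I','O','R','I','T','Y','=','3','\n',
};

/* Parse a NUL-terminated text datagram and return only the result code. */
long parse_text(const char *s) {
    struct jfield *f; long n = journal_parse((const uint8_t *)s, strlen(s), &f, FIELD_COUNT_MAX);
    free(f); return n;
}
/* Length of the binary MESSAGE value in SAMPLE_BIN, or -1 on any failure. */
long sample_bin_message_len(void) {
    struct jfield *f; long n = journal_parse(SAMPLE_BIN, sizeof SAMPLE_BIN, &f, FIELD_COUNT_MAX);
    long r = (n == 2 && memcmp(f[0].key, "MESSAGE", 7) == 0 && f[0].val[3] == 0) ? (long)f[0].vallen : -1;
    free(f); return r;
}
/* A flood of nfields copies of "F=x\n": the shape of the attack. */
long flood_fields(size_t nfields) {
    uint8_t *b = malloc(nfields * 4);
    for (size_t i = 0; i < nfields; i++) memcpy(b + 4 * i, "F=x\n", 4);
    struct jfield *f; long n = journal_parse(b, nfields * 4, &f, FIELD_COUNT_MAX);
    free(f); free(b); return n;
}

int main(void) {
    printf("text sample: %ld fields\n", parse_text(SAMPLE_TEXT));
    printf("binary MESSAGE length: %ld\n", sample_bin_message_len());
    printf("%d-field flood: %ld\n", FIELD_COUNT_MAX + 1, flood_fields(FIELD_COUNT_MAX + 1));
    return 0;
}
```

The order is the point: the count is established on the raw bytes, compared against the bound, and only then is memory requested, from the heap and sized to exactly that count. An array whose size follows an attacker-chosen count but lives on the stack is the pattern the CVE-2018-16865 description calls an allocation without limits, and a large enough count walks the stack into a neighbouring mapping.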
The second vulnerability allows memory disclosure and is tracked as CVE-2018-16866, which carries the following description:
An out of bounds read was discovered in systemd-journald in the way it parses log messages that terminate with a colon ‘:’. A local attacker can use this flaw to disclose process memory data.
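The colon-terminated case comes down to one property of strchr(): the terminating NUL counts as part of the string it searches, so strchr(WHITESPACE, '\0') returns a non-NULL pointer. Below is a simplified identifier parser written for this article (not systemd's code) that reproduces that mistake beside the corrected check. It is modelled on how journald splits a syslog line into "ident[pid]:" and body; the real code handles more cases, and the sample lines are constructed.

```c
/* Added example for this article, not systemd's code: a simplified syslog
 * identifier parser showing the strchr() pitfall behind CVE-2018-16866 next
 * to the corrected check. Sample lines are constructed. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define WHITESPACE " \t\n\r"

/* Offset at which the message body starts in a line of the form
 * "ident[pid]: body". Returns 0 when the line carries no identifier. */
size_t body_offset_vulnerable(const char *msg) {
    size_t l = strcspn(msg, ": ");          /* identifier ends at ':' or ' ' */
    if (l == 0 || msg[l] != ':') return 0;
    size_t e = l + 1;                       /* step over the ':' */
    /* BUG: strchr() treats the terminating NUL as part of the searched string,
     * so strchr(WHITESPACE, '\0') is non-NULL. If the line ends right after the
     * ':', this test passes and e steps past the terminator; every later read
     * of msg[e] is out of bounds. */
    if (strchr(WHITESPACE, msg[e]))
        e++;
    return e;
}

size_t body_offset_fixed(const char *msg) {
    size_t l = strcspn(msg, ": ");
    if (l == 0 || msg[l] != ':') return 0;
    size_t e = l + 1;
    if (msg[e] != '\0' && strchr(WHITESPACE, msg[e]))   /* rule out the NUL first */
        e++;
    return e;
}

/* 1 if the parser leaves the body offset beyond the end of the string, i.e. the
 * next read would be out of bounds. Works on offsets only, so this check itself
 * never reads past the buffer. */
int reads_out_of_bounds(size_t (*parse)(const char *), const char *msg) {
    return parse(msg) > strlen(msg);
}

int main(void) {
    /* Constructed lines, as journald sees them once the <priority> prefix is gone. */
    const char *lines[] = { "sshd[971]: Accepted publickey for root", "sshd[971]:", "cron[12]:  two spaces" };
    for (size_t i = 0; i < 3; i++)
        printf("%-40s vulnerable: off=%zu oob=%d   fixed: off=%zu oob=%d\n", lines[i],
               body_offset_vulnerable(lines[i]), reads_out_of_bounds(body_offset_vulnerable, lines[i]),
               body_offset_fixed(lines[i]), reads_out_of_bounds(body_offset_fixed, lines[i]));
    return 0;
}
```

The fix is a single extra comparison, and the underlying behaviour is standard C rather than a libc bug: the C standard defines the terminating NUL as part of the string strchr() searches, so any strchr(set, c) where c may be zero needs the same guard. A syslog line consisting of nothing but an identifier and a colon is all it takes to trip the unguarded version.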
Successful exploitation again depends on running code locally, for example a payload dropped by malware that already has a foothold on the machine. Both weaknesses give an attacker ways to disrupt or compromise the system, so all users are advised to update as soon as possible. Distributions ship backported fixes under the original version number, so check your distribution's advisory for these two CVEs rather than relying on the systemd version string alone.