Date: Wed, 28 Sep 2016 12:20:02 -0700 From: Andrew Ayer <agwa@...rewayer.name> To: oss-security@...ts.openwall.com Subject: CVE Request: systemd v209+: local denial-of-service attack systemd fails an assertion in manager_invoke_notify_message when a zero-length message is received over its notification socket. After failing the assertion, PID 1 hangs in the pause system call. It is no longer possible to start and stop daemons or cleanly reboot the system. Inetd-style services managed by systemd no longer accept connections. Since the notification socket, /run/systemd/notify, is world-writable, this allows a local user to perform a denial-of-service attack against systemd. Proof-of-concept: NOTIFY_SOCKET=/run/systemd/notify systemd-notify "" This vulnerability is present in all versions of systemd since at least v209. This has been reported to systemd.  https://github.com/systemd/systemd/  https://github.com/systemd/systemd/blob/b8fafaf4a1cffd02389d61ed92ca7acb1b8c739c/src/core/manager.c#L1666  https://github.com/systemd/systemd/commit/5ba6985b6c8ef85a8bcfeb1b65239c863436e75b#diff-ab78220e12703ee63fa1e6a2caa16bebR1325  https://github.com/systemd/systemd/issues/4234
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ