oss-sec mailing list archives
CVE Request: systemd v209+: local denial-of-service attack
From: Andrew Ayer <agwa () andrewayer name>
Date: Wed, 28 Sep 2016 12:20:02 -0700
systemd[1] fails an assertion in manager_invoke_notify_message[2] when a zero-length message is received over its notification socket. After failing the assertion, PID 1 hangs in the pause system call. It is no longer possible to start and stop daemons or cleanly reboot the system. Inetd-style services managed by systemd no longer accept connections. Since the notification socket, /run/systemd/notify, is world-writable, this allows a local user to perform a denial-of-service attack against systemd. Proof-of-concept: NOTIFY_SOCKET=/run/systemd/notify systemd-notify "" This vulnerability is present in all versions of systemd since at least v209[3]. This has been reported to systemd.[4] [1] https://github.com/systemd/systemd/ [2] https://github.com/systemd/systemd/blob/b8fafaf4a1cffd02389d61ed92ca7acb1b8c739c/src/core/manager.c#L1666 [3] https://github.com/systemd/systemd/commit/5ba6985b6c8ef85a8bcfeb1b65239c863436e75b#diff-ab78220e12703ee63fa1e6a2caa16bebR1325 [4] https://github.com/systemd/systemd/issues/4234
Current thread:
- CVE Request: systemd v209+: local denial-of-service attack Andrew Ayer (Sep 28)
- Re: CVE Request: systemd v209+: local denial-of-service attack cve-assign (Sep 29)