DNS exploit of Systemd

Chat about Linux in general
User avatar
Spearmint2
Level 16
Level 16
Posts: 6893
Joined: Sat May 04, 2013 1:41 pm
Location: Maryland, USA

DNS exploit of Systemd

Post by Spearmint2 »

How dangerous is this in normal use by Linux users? Wouldn't you need to have your DNS settings to make request from the "evil DNS" computer? Most have their DNS set to either their ISP supplied DNS, or to Google's.
This vulnerability has been present since Systemd version 223 introduced in June 2015 and is present in all the way up to, including Systemd version 233 launched in March this year. Of course, systemd-resolved must be running on your system for it to be vulnerable. The bug is present in Ubuntu versions 17.04 and version 16.10; Debian versions Stretch (aka Debian 9), Buster (aka 10) and Sid (aka Unstable); and various other Linux distributions that use Systemd.
All things go better with Mint. Mint julep, mint jelly, mint gum, candy mints, pillow mints, peppermint, chocolate mints, spearmint,....
User avatar
Fred Barclay
Level 12
Level 12
Posts: 4221
Joined: Sat Sep 13, 2014 11:12 am
Location: USA primarily

Re: DNS exploit of Systemd

Post by Fred Barclay »

This is the first I've heard of it, but according to the article the entire problem is dependent on systemd-resolved being installed:
Of course, systemd-resolved must be running on your system for it to be vulnerable.
You can check if systemd-resolved is present on your system with

Code: Select all

$ dpkg -l | grep systemd-resolved
It's not here on my LMDE 2 computer. :D

EDIT: useful links
http://openwall.com/lists/oss-security/2017/06/27/8

According to the Ubuntu report, only 16.10 and 17.04 are vulnerable:
https://www.ubuntu.com/usn/usn-3341-1/
Since Mint is based on Ubuntu 14.04 and 16.04, we should be fine.
Image
"Once you can accept the universe as matter expanding into nothing that is something, wearing stripes with plaid comes easy."
- Albert Einstein
User avatar
chrisuk
Level 5
Level 5
Posts: 592
Joined: Thu Jun 12, 2008 6:16 am

Re: DNS exploit of Systemd

Post by chrisuk »

Fred Barclay wrote:[...]

It's not here on my LMDE 2 computer. :D
[...].
Not on my LMDE2 boxes either ;) (or MX Linux... might be on Sparky, I'll check later)
Chris

Manjaro MATE - MX Linux - LMDE MATE
User avatar
Schultz
Level 7
Level 7
Posts: 1957
Joined: Thu Feb 25, 2016 8:57 pm

Re: DNS exploit of Systemd

Post by Schultz »

Fred, ran the command you gave, and it didn't tell me anything. Does that mean I have it? Is Mint 18.2 safe?
User avatar
Fred Barclay
Level 12
Level 12
Posts: 4221
Joined: Sat Sep 13, 2014 11:12 am
Location: USA primarily

Re: DNS exploit of Systemd

Post by Fred Barclay »

Schultz wrote:Fred, ran the command you gave, and it didn't tell me anything. Does that mean I have it? Is Mint 18.2 safe?
If it's "silent" then you don't have it installed and should be safe (to the best of my knowledge).

dpkg -l lists all your installed packages
Piping the output through grep systemd-resolve means that the output of the first part is searched for the word "systemd-resolve"
If it's not installed, it won't be in the list of installed packages and so nothing will be displayed.

Compare it, for instance, to the output of dpkg -l | grep firefox.
Image
"Once you can accept the universe as matter expanding into nothing that is something, wearing stripes with plaid comes easy."
- Albert Einstein
User avatar
Schultz
Level 7
Level 7
Posts: 1957
Joined: Thu Feb 25, 2016 8:57 pm

Re: DNS exploit of Systemd

Post by Schultz »

Thanks Fred. Looks like my system's safe from this.
User avatar
laederlappen
Level 2
Level 2
Posts: 82
Joined: Fri May 19, 2017 11:34 pm
Location: Germany

Re: DNS exploit of Systemd

Post by laederlappen »

Fred Barclay wrote: dpkg -l lists all your installed packages
Piping the output through grep systemd-resolve means that the output of the first part is searched for the word "systemd-resolve"
If it's not installed, it won't be in the list of installed packages and so nothing will be displayed.
There is no "systemd-resolved" package in any ubuntu repository.
systemd-resolved is part of package systemd.


Security Alert / Patch for Ubuntu 17.04 & 16.10
https://lwn.net/Alerts/726645/
User avatar
chrisuk
Level 5
Level 5
Posts: 592
Joined: Thu Jun 12, 2008 6:16 am

Re: DNS exploit of Systemd

Post by chrisuk »

laederlappen wrote:There is no "systemd-resolved" package in any ubuntu repository.
systemd-resolved is part of package systemd.


Security Alert / Patch for Ubuntu 17.04 & 16.10

https://lwn.net/Alerts/726645/
Yeah, assuming this is correct:
This vulnerability has been present since Systemd version 223 introduced in June 2015 and is present in all the way up to, including Systemd version 233 launched in March this year.
LMDE2 has version 215 of systemd installed... although it's only there so you have it as an option AFAIK. So even if you use the systemd boot option you should be OK. I've not checked Linux Mint 18, but I'd assume it's also an earlier version of systemd?
Chris

Manjaro MATE - MX Linux - LMDE MATE
User avatar
Fred Barclay
Level 12
Level 12
Posts: 4221
Joined: Sat Sep 13, 2014 11:12 am
Location: USA primarily

Re: DNS exploit of Systemd

Post by Fred Barclay »

laederlappen wrote: There is no "systemd-resolved" package in any ubuntu repository.
systemd-resolved is part of package systemd.
Whoops! :oops:
Image
"Once you can accept the universe as matter expanding into nothing that is something, wearing stripes with plaid comes easy."
- Albert Einstein
User avatar
Schultz
Level 7
Level 7
Posts: 1957
Joined: Thu Feb 25, 2016 8:57 pm

Re: DNS exploit of Systemd

Post by Schultz »

So what do these last few posts mean? Is Mint safe from this exploit or not?
User avatar
Fred Barclay
Level 12
Level 12
Posts: 4221
Joined: Sat Sep 13, 2014 11:12 am
Location: USA primarily

Re: DNS exploit of Systemd

Post by Fred Barclay »

Schultz wrote:So what do these last few posts mean? Is Mint safe from this exploit or not?
I'm quite obviously not the most qualified person to answer :shock: but according to the Ubuntu article about this, it's Ubuntu 16.10 and 17.04 that are vulnerable, not Ubuntu 16.04 and 14.04 that Mint 18.x and 17.x are based on, respectively.
https://www.ubuntu.com/usn/usn-3341-1/
Image
"Once you can accept the universe as matter expanding into nothing that is something, wearing stripes with plaid comes easy."
- Albert Einstein
User avatar
chrisuk
Level 5
Level 5
Posts: 592
Joined: Thu Jun 12, 2008 6:16 am

Re: DNS exploit of Systemd

Post by chrisuk »

https://people.canonical.com/~ubuntu-se ... -9445.html

Scroll to the bottom... Ubuntu 16.04 (hence Mint 18) is vulnerable until updated. Although read the text above by @chrisccoulson, as most won't be affected by it anyway
Chris

Manjaro MATE - MX Linux - LMDE MATE
User avatar
Spearmint2
Level 16
Level 16
Posts: 6893
Joined: Sat May 04, 2013 1:41 pm
Location: Maryland, USA

Re: DNS exploit of Systemd

Post by Spearmint2 »

Fred Barclay wrote:This is the first I've heard of it, but according to the article the entire problem is dependent on systemd-resolved being installed:
Of course, systemd-resolved must be running on your system for it to be vulnerable.
You can check if systemd-resolved is present on your system with

Code: Select all

$ dpkg -l | grep systemd-resolved
It's not here on my LMDE 2 computer. :D
EDIT: useful links
http://openwall.com/lists/oss-security/2017/06/27/8
According to the Ubuntu report, only 16.10 and 17.04 are vulnerable:
https://www.ubuntu.com/usn/usn-3341-1/
Since Mint is based on Ubuntu 14.04 and 16.04, we should be fine.
I just ran your code and got nothing, so guess it's not installed. I also ran the following, which indicated it wasn't installed and at least my 17.2 is using Upstart.

systemd

Code: Select all

aptitude show systemd
Package: systemd                         
New: yes
State: not installed
Version: 204-5ubuntu20.24
upstart

Code: Select all

aptitude show upstart
Package: upstart                         
State: installed
Automatically installed: no
Multi-Arch: foreign
Version: 1.12.1-0ubuntu4
The odd thing is, when I run a search for all "systemd" files in the system, it gets 102 hits with that in the filenames. Eight are listed "executable", 15 are shell scripts, the majority of others are "plain text" and Gzip files.

Some interesting articles on systemd I found.

February 14, 2014
http://www.zdnet.com/article/after-linu ... t-systemd/

Oct 31, 2014
http://www.pcworld.com/article/2841873/ ... r-you.html

September 19, 2014
http://www.zdnet.com/article/linus-torv ... s-systemd/

I don't want to be in a fight with those on both sides of the argument on differing init controlling/interfacing programs, but did want to point out this vulnerability I ran across in that recent article.
Last edited by Spearmint2 on Thu Jun 29, 2017 2:59 pm, edited 2 times in total.
All things go better with Mint. Mint julep, mint jelly, mint gum, candy mints, pillow mints, peppermint, chocolate mints, spearmint,....
User avatar
greerd
Level 6
Level 6
Posts: 1056
Joined: Sat Jul 31, 2010 10:58 am
Location: Nova Scotia, Canada

Re: DNS exploit of Systemd

Post by greerd »

On my fully updated 18.1 cinnamon,

Code: Select all

~ $ systemd --version
systemd 229
+PAM +AUDIT +SELINUX +IMA +APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ -LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD -IDN
so the version is vulnerable
but

Code: Select all

~ $ sudo systemctl list-unit-files |grep resolv
systemd-networkd-resolvconf-update.path    static  
dbus-org.freedesktop.resolve1.service      disabled
resolvconf.service                         enabled 
systemd-networkd-resolvconf-update.service static  
systemd-resolved.service                   disabled
shows that 'systemd-resolved.service' is not loaded, its still using 'resolvconf.service', so I think that unless you manually switch the services, your not vulnerable. Does that make sense?
altair4
Level 20
Level 20
Posts: 10139
Joined: Tue Feb 03, 2009 10:27 am

Re: DNS exploit of Systemd

Post by altair4 »

greerd wrote:... shows that 'systemd-resolved.service' is not loaded, its still using 'resolvconf.service', so I think that unless you manually switch the services, your not vulnerable. Does that make sense?
It does indeed make sense and it was just what was mentioned in the link posted earlier:
Notes
chrisccoulson> I believe this was introduced in v223 by
https://github.com/systemd/systemd/comm ... 138538db37
chrisccoulson> systemd-resolved is not used by default in Xenial. It is
spawned if a user execs the systemd-resolve utility, but that shouldn't
impact the system.
Please add a [SOLVED] at the end of your original subject header if your question has been answered and solved.
User avatar
Spearmint2
Level 16
Level 16
Posts: 6893
Joined: Sat May 04, 2013 1:41 pm
Location: Maryland, USA

Re: DNS exploit of Systemd

Post by Spearmint2 »

Of interest for us Mint users.
And recently, both Debian and Ubuntu has announcedthat they will be switching to systemd, which will bring derivates like Mint with them. (The discussion document for Debian is a very interesting read on systemd and highly recommended.
I checked to see what if any systemd was being run by root on my 17.2 Mint system.

Code: Select all

ps -U root -u root |grep systemd
  369 ?        00:00:00 systemd-udevd
  994 ?        00:00:00 systemd-logind
Well, looks like I'm safe,....sorry about everyone else... :mrgreen: :lol:
All things go better with Mint. Mint julep, mint jelly, mint gum, candy mints, pillow mints, peppermint, chocolate mints, spearmint,....
mike acker
Level 6
Level 6
Posts: 1497
Joined: Wed Jul 31, 2013 6:29 pm
Location: Kalamazoo, MI

Re: DNS exploit of Systemd

Post by mike acker »

from the essay on The Hacker News
Eventually, large DNS response overflows the buffer, allowing an attacker to overwrite the memory which leads to remote code execution.
this will need two mistakes: (1) letting input create a buffer-overflow, and (2) having critical code not on a PAX (READ|EXECUTE) page.
¡Viva la Resistencia!
User avatar
Portreve
Level 10
Level 10
Posts: 3102
Joined: Mon Apr 18, 2011 12:03 am
Location: Florida

Re: DNS exploit of Systemd

Post by Portreve »

Fred Barclay wrote::oops:
It's ok, Fred. None of us know everything. 8)

It's probably unlikely that we'll ever actually meet in real life, but I'll still buy you a beer for the help you've given me in the past if we ever did.
Please remember to mark your fixed problem [SOLVED].

Running Linux Mint Cinnamon 20.0.

Those who can make you believe absurdities can make you commit atrocities.
— Voltaire
jazz.h
Level 4
Level 4
Posts: 318
Joined: Sat Jun 18, 2011 7:13 am

Re: DNS exploit of Systemd

Post by jazz.h »

Spearmint2 wrote:

Code: Select all

ps -U root -u root |grep systemd
  369 ?        00:00:00 systemd-udevd
  994 ?        00:00:00 systemd-logind
Well, looks like I'm safe,....sorry about everyone else... :mrgreen: :lol:
I got the same result, so I'm safe?
User avatar
Fred Barclay
Level 12
Level 12
Posts: 4221
Joined: Sat Sep 13, 2014 11:12 am
Location: USA primarily

Re: DNS exploit of Systemd

Post by Fred Barclay »

Portreve wrote:
Fred Barclay wrote::oops:
It's ok, Fred. None of us know everything. 8)
Haha, thanks mate. :mrgreen:
Image
"Once you can accept the universe as matter expanding into nothing that is something, wearing stripes with plaid comes easy."
- Albert Einstein
Post Reply

Return to “Chat about Linux”