Security flaw found in systemd

Chat about Linux in general
User avatar
Schultz
Level 6
Level 6
Posts: 1485
Joined: Thu Feb 25, 2016 8:57 pm

Security flaw found in systemd

Post by Schultz » Sat Oct 27, 2018 6:07 pm

Security flaw found in systemd: article link here:

https://www.theregister.co.uk/2018/10/2 ... hcpv6_rce/

JeremyB
Level 20
Level 20
Posts: 10115
Joined: Fri Feb 21, 2014 8:17 am

Re: Security flaw found in systemd

Post by JeremyB » Sat Oct 27, 2018 6:09 pm

I am glad I have IPv6 disabled then

User avatar
Schultz
Level 6
Level 6
Posts: 1485
Joined: Thu Feb 25, 2016 8:57 pm

Re: Security flaw found in systemd

Post by Schultz » Sat Oct 27, 2018 6:17 pm

How to disable it?

JeremyB
Level 20
Level 20
Posts: 10115
Joined: Fri Feb 21, 2014 8:17 am

Re: Security flaw found in systemd

Post by JeremyB » Sat Oct 27, 2018 6:21 pm

Network Manager settings, IPv6 choose disable/ignore and then there is a way to edit /etc/default/grub and add something to GRUB_CMDLINE_LINUX_DEFAULT="quiet splash" like ipv6.disable=1 inside the quotes

User avatar
Schultz
Level 6
Level 6
Posts: 1485
Joined: Thu Feb 25, 2016 8:57 pm

Re: Security flaw found in systemd

Post by Schultz » Sat Oct 27, 2018 6:25 pm

Why would grub need to be edited?

User avatar
trytip
Level 10
Level 10
Posts: 3264
Joined: Tue Jul 05, 2016 1:20 pm

Re: Security flaw found in systemd

Post by trytip » Sat Oct 27, 2018 6:28 pm

they say this is more of an ipv6 flaw and not so much systemd but still, like JeremyB says i also disabled ipv6 long ago
first i disabled it in my wifi router/modem
then disabled it in my etc/hosts
then disabled it in network tray icon
here's more ways to disable it http://ask.xmodulo.com/disable-ipv6-linux.html

@JeremyB
is there a difference from disabling in etc/default/grub using 2 lines?

Code: Select all

GRUB_CMDLINE_LINUX_DEFAULT="quiet splash"
GRUB_CMDLINE_LINUX="ipv6.disable=1"
ps: if you edit etc/default/grub be sure to run sudo update-grub
Image

Pippin
Level 4
Level 4
Posts: 201
Joined: Wed Dec 13, 2017 11:14 am
Location: NL/DE/TH

Re: Security flaw found in systemd

Post by Pippin » Sat Oct 27, 2018 6:31 pm

The grub way is system wide.
"I'm not in this world to live up your expectations, neither are you here to live up to mine.”
F.P. & P.T.

JeremyB
Level 20
Level 20
Posts: 10115
Joined: Fri Feb 21, 2014 8:17 am

Re: Security flaw found in systemd

Post by JeremyB » Sat Oct 27, 2018 6:34 pm

trytip wrote:
Sat Oct 27, 2018 6:28 pm
they say this is more of an ipv6 flaw and not so much systemd but still, like JeremyB says i also disabled ipv6 long ago
first i disabled it in my wifi router/modem
then disabled it in my etc/hosts
then disabled it in network tray icon
here's more ways to disable it http://ask.xmodulo.com/disable-ipv6-linux.html

@JeremyB
is there a difference from disabling in etc/default/grub using 2 lines?

Code: Select all

GRUB_CMDLINE_LINUX_DEFAULT="quiet splash"
GRUB_CMDLINE_LINUX="ipv6.disable=1"
ps: if you edit etc/default/grub be sure to run sudo update-grub
Not sure as I just use Network Manager to disable but I tried the grub method and it wasn't much different in results, but not the method you speak of

DAMIEN1307
Level 7
Level 7
Posts: 1557
Joined: Tue Feb 21, 2017 8:13 pm
Location: Alamogordo, New Mexico, USA

Re: Security flaw found in systemd

Post by DAMIEN1307 » Sat Oct 27, 2018 6:38 pm

hi schultz, heres the procedure to disable IPV6.

Code: Select all

gksudo xed /etc/default/grub
Edit the bold face line that starts as "GRUB_CMDLINE_LINUX_DEFAULT"...by deleting it and putting this one in its place

Code: Select all

 GRUB_CMDLINE_LINUX_DEFAULT="ipv6.disable=1 quiet splash"
X out and "save" when prompted to do so

Then in terminal

Code: Select all

sudo update-grub


Then: Reboot

Test

Code: Select all

test -f /proc/net/if_inet6 && echo "Running kernel is IPv6 ready"
if this comes back with no response, you have succeeded.
ORDO AB CHAO

User avatar
trytip
Level 10
Level 10
Posts: 3264
Joined: Tue Jul 05, 2016 1:20 pm

Re: Security flaw found in systemd

Post by trytip » Sat Oct 27, 2018 7:14 pm

there is no difference if you use

Code: Select all

GRUB_CMDLINE_LINUX_DEFAULT="quiet splash"
GRUB_CMDLINE_LINUX="ipv6.disable=1"
or

Code: Select all

GRUB_CMDLINE_LINUX_DEFAULT="ipv6.disable=1 quiet splash"
GRUB_CMDLINE_LINUX=""
you get the same result, so i'll leave it as so.
Image

DAMIEN1307
Level 7
Level 7
Posts: 1557
Joined: Tue Feb 21, 2017 8:13 pm
Location: Alamogordo, New Mexico, USA

Re: Security flaw found in systemd

Post by DAMIEN1307 » Sat Oct 27, 2018 7:26 pm

the only difference is that (GRUB_CMDLINE_LINUX_DEFAULT="ipv6.disable=1 quiet splash") does it all in one step rather than 2 without being confusing.
ORDO AB CHAO

gm10
Level 15
Level 15
Posts: 5958
Joined: Thu Jun 21, 2018 5:11 pm

Re: Security flaw found in systemd

Post by gm10 » Sat Oct 27, 2018 8:15 pm

The actual difference is that the DEFAULT line is not applied for recovery boots. That aside it's all the same.

User avatar
Schultz
Level 6
Level 6
Posts: 1485
Joined: Thu Feb 25, 2016 8:57 pm

Re: Security flaw found in systemd

Post by Schultz » Sat Oct 27, 2018 8:40 pm

In my modem/router setup, I see this IPv6 6rd Tunnel Status: DISABLED.

What is "6rd Tunnel Status"? Does this mean that IPv6 (all of it) is disabled?

gm10
Level 15
Level 15
Posts: 5958
Joined: Thu Jun 21, 2018 5:11 pm

Re: Security flaw found in systemd

Post by gm10 » Sat Oct 27, 2018 8:56 pm

Schultz wrote:
Sat Oct 27, 2018 8:40 pm
In my modem/router setup, I see this IPv6 6rd Tunnel Status: DISABLED.

What is "6rd Tunnel Status"? Does this mean that IPv6 (all of it) is disabled?
No, that just means your ISP is not using https://en.wikipedia.org/wiki/IPv6_rapid_deployment

User avatar
Schultz
Level 6
Level 6
Posts: 1485
Joined: Thu Feb 25, 2016 8:57 pm

Re: Security flaw found in systemd

Post by Schultz » Sat Oct 27, 2018 9:04 pm

Thanks for the info gm10. I don't think IPv6 is enabled anyway in my router; everything else concerning IPv6 is marked "N/A."
But I disabled IPv6 also in grub to be doubly sure.

User avatar
thx-1138
Level 7
Level 7
Posts: 1533
Joined: Fri Mar 10, 2017 12:15 pm
Location: Athens, Greece

Re: Security flaw found in systemd

Post by thx-1138 » Sat Oct 27, 2018 10:07 pm

...very theoritically (aka, don't take such seriously),
since the bug is in the way systemd-networkd's dhcpv6 client handles router advertisements,
*maybe* it would be enough to just disable those ones via sysctl than the whole IPv6 stack.

...again, that's a huge *maybe*, left it here merely for the sake of discussion / 'academic reasons' to speak off,
and to be perfectly honest, in case someone knows better & could verify such, and thereby satisfy my own curiosity...
Not that it really matters much on desktop systems: very few people use IPv6 in the first place,
hence disabling it altogether (ipv6.disable=1) is the easiest & most sane option.

User avatar
phd21
Level 18
Level 18
Posts: 8137
Joined: Thu Jan 09, 2014 9:42 pm
Location: Florida

Re: Security flaw found in systemd

Post by phd21 » Sun Oct 28, 2018 12:35 am

Hi Schultz, & Everyone Else,

You and everyone else should know that Linux does not waste time fixing these kinds of issues. According to the article you already linked:
Systemd creator Leonard Poettering has already published a security fix for the vulnerable component – this should be weaving its way into distros as we type.
Disable IPv6 if its not supported
See #2 & #3 to set priority to "IPv4" (I use #2 & #3)
http://www.blackmoreops.com/2015/08/04/ ... -in-linux/

Another good article on "Disabling IPv6"
http://www.binarytides.com/disable-ipv6-ubuntu/


IPv6 test - IPv6/4 connectivity and speed test
http://ipv6-test.com/


Hope this helps ...
Phd21: Mint KDE 18.3 & 19, 64-bit Awesome OS, Ancient Dell OptiPlex 780 Core2Duo E8400 3GHz,4gb Ram,256gb SDD, Video: Intel 4 Graphics, DVD Lightscribe. Why I use KDE?:https://opensource.com/life/15/4/9-reasons-to-use-kde

redlined
Level 5
Level 5
Posts: 969
Joined: Wed Jun 06, 2018 8:12 pm
Location: Mile High, Green State! (Denver, CO;)

Re: Security flaw found in systemd

Post by redlined » Sun Oct 28, 2018 5:22 pm

DAMIEN1307 wrote:
Sat Oct 27, 2018 6:38 pm
Test

Code: Select all

test -f /proc/net/if_inet6 && echo "Running kernel is IPv6 ready"
if this comes back with no response, you have succeeded.
before reboot:

Code: Select all

anyuser@OEMTUFFBOOK:~$ test -f /proc/net/if_inet6 && echo "Running kernel is IPv6 ready"
Running kernel is IPv6 ready
anyuser@OEMTUFFBOOK:~$ 
after reboot:

Code: Select all

anyuser@OEMTUFFBOOK:~$ test -f /proc/net/if_inet6 && echo "Running kernel is IPv6 ready"
anyuser@OEMTUFFBOOK:~$ 
very nice, thanks for the test code DAMIEN1307!

since I've done this grub update (already had done sysctl.conf edit months back) will the issue of apps/programs trying ip6 go away since system is loaded with no ip6 support now, or is it advisable to add to comment out the ip6 lines in etc/hosts as well?
from trytip's mention and link:

Code: Select all

# comment these IPv6 hosts
# ::1     ip6-localhost ip6-loopback
# fe00::0 ip6-localnet
# ff00::0 ip6-mcastprefix
# ff02::1 ip6-allnodes
# ff02::2 ip6-allrouters
LM19.1 Cinnamon 4.0.9, kernel 4.18.0-15 x86_64
HP15 Laptop: 2Ghz Celeron quad core, 1TB 860 Evo SSD, 8GB Timetec RAM

My go to sites, besides this forum:
(start here! - EasyLinuxTips project then go Learn Linux-fu!

User avatar
Pjotr
Level 20
Level 20
Posts: 11735
Joined: Mon Mar 07, 2011 10:18 am
Location: The Netherlands (Holland)
Contact:

Re: Security flaw found in systemd

Post by Pjotr » Sun Oct 28, 2018 5:34 pm

phd21 wrote:
Sun Oct 28, 2018 12:35 am
Hi Schultz, & Everyone Else,

You and everyone else should know that Linux does not waste time fixing these kinds of issues. According to the article you already linked:
Systemd creator Leonard Poettering has already published a security fix for the vulnerable component – this should be weaving its way into distros as we type.
Exactly. I expect a fix (level 4) for Mint 19 / Ubuntu 18.04 within days.

Security flaws are being discovered, and fixed, on an almost daily basis. That's why we get those frequent security updates.... :mrgreen:

So: no worries, mates. Business as usual.
Tip: 10 things to do after installing Linux Mint 19.1 Tessa
Keep your Linux Mint healthy: Avoid these 10 fatal mistakes
Twitter: twitter.com/easylinuxtips
All in all, horse sense simply makes sense.

User avatar
Schultz
Level 6
Level 6
Posts: 1485
Joined: Thu Feb 25, 2016 8:57 pm

Re: Security flaw found in systemd

Post by Schultz » Sun Oct 28, 2018 8:41 pm

Pjotr wrote:
Security flaws are being discovered, and fixed, on an almost daily basis.
That's true, but are we to see this more often since systemd seems to be hooked into just about everything? (I don't mean that in a carte blanche way, so nobody jump all over me about it.)

Post Reply

Return to “Chat about Linux”