Security flaw found in systemd

[Schultz]

Security flaw found in systemd: article link here:

https://www.theregister.co.uk/2018/10/2 ... hcpv6_rce/

[JeremyB]

I am glad I have IPv6 disabled then

[Schultz]

How to disable it?

[JeremyB]

Network Manager settings, IPv6 choose disable/ignore and then there is a way to edit /etc/default/grub and add something to GRUB_CMDLINE_LINUX_DEFAULT="quiet splash" like ipv6.disable=1 inside the quotes

[Schultz]

Why would grub need to be edited?

[trytip]

they say this is more of an ipv6 flaw and not so much systemd but still, like JeremyB says i also disabled ipv6 long ago
first i disabled it in my wifi router/modem
then disabled it in my etc/hosts
then disabled it in network tray icon
here's more ways to disable it http://ask.xmodulo.com/disable-ipv6-linux.html

@JeremyB
is there a difference from disabling in etc/default/grub using 2 lines?

Code: Select all

GRUB_CMDLINE_LINUX_DEFAULT="quiet splash"
GRUB_CMDLINE_LINUX="ipv6.disable=1"

ps: if you edit etc/default/grub be sure to run sudo update-grub

[Pippin]

The grub way is system wide.

[JeremyB]

they say this is more of an ipv6 flaw and not so much systemd but still, like JeremyB says i also disabled ipv6 long ago
first i disabled it in my wifi router/modem
then disabled it in my etc/hosts
then disabled it in network tray icon
here's more ways to disable it http://ask.xmodulo.com/disable-ipv6-linux.html

@JeremyB
is there a difference from disabling in etc/default/grub using 2 lines?

Code: Select all

GRUB_CMDLINE_LINUX_DEFAULT="quiet splash"
GRUB_CMDLINE_LINUX="ipv6.disable=1"

ps: if you edit etc/default/grub be sure to run sudo update-grub

Not sure as I just use Network Manager to disable but I tried the grub method and it wasn't much different in results, but not the method you speak of

[DAMIEN1307]

hi schultz, heres the procedure to disable IPV6.

Code: Select all

gksudo xed /etc/default/grub

Edit the bold face line that starts as "GRUB_CMDLINE_LINUX_DEFAULT"...by deleting it and putting this one in its place

Code: Select all

 GRUB_CMDLINE_LINUX_DEFAULT="ipv6.disable=1 quiet splash"

X out and "save" when prompted to do so

Then in terminal

Code: Select all

sudo update-grub

Then: Reboot

Test

Code: Select all

test -f /proc/net/if_inet6 && echo "Running kernel is IPv6 ready"

if this comes back with no response, you have succeeded.

[trytip]

there is no difference if you use

Code: Select all

GRUB_CMDLINE_LINUX_DEFAULT="quiet splash"
GRUB_CMDLINE_LINUX="ipv6.disable=1"

or

Code: Select all

GRUB_CMDLINE_LINUX_DEFAULT="ipv6.disable=1 quiet splash"
GRUB_CMDLINE_LINUX=""

you get the same result, so i'll leave it as so.

[DAMIEN1307]

the only difference is that (GRUB_CMDLINE_LINUX_DEFAULT="ipv6.disable=1 quiet splash") does it all in one step rather than 2 without being confusing.

[gm10]

The actual difference is that the DEFAULT line is not applied for recovery boots. That aside it's all the same.

[Schultz]

In my modem/router setup, I see this IPv6 6rd Tunnel Status: DISABLED.

What is "6rd Tunnel Status"? Does this mean that IPv6 (all of it) is disabled?

[gm10]

In my modem/router setup, I see this IPv6 6rd Tunnel Status: DISABLED.

What is "6rd Tunnel Status"? Does this mean that IPv6 (all of it) is disabled?

No, that just means your ISP is not using https://en.wikipedia.org/wiki/IPv6_rapid_deployment

[Schultz]

Thanks for the info gm10. I don't think IPv6 is enabled anyway in my router; everything else concerning IPv6 is marked "N/A."
But I disabled IPv6 also in grub to be doubly sure.

[thx-1138]

...very theoritically (aka, don't take such seriously),
since the bug is in the way systemd-networkd's dhcpv6 client handles router advertisements,
*maybe* it would be enough to just disable those ones via sysctl than the whole IPv6 stack.

...again, that's a huge *maybe*, left it here merely for the sake of discussion / 'academic reasons' to speak off,
and to be perfectly honest, in case someone knows better & could verify such, and thereby satisfy my own curiosity...
Not that it really matters much on desktop systems: very few people use IPv6 in the first place,
hence disabling it altogether (ipv6.disable=1) is the easiest & most sane option.

[phd21]

Hi Schultz, & Everyone Else,

You and everyone else should know that Linux does not waste time fixing these kinds of issues. According to the article you already linked:

Systemd creator Leonard Poettering has already published a security fix for the vulnerable component – this should be weaving its way into distros as we type.

Disable IPv6 if its not supported
See #2 & #3 to set priority to "IPv4" (I use #2 & #3)
http://www.blackmoreops.com/2015/08/04/ ... -in-linux/

Another good article on "Disabling IPv6"
http://www.binarytides.com/disable-ipv6-ubuntu/


IPv6 test - IPv6/4 connectivity and speed test
http://ipv6-test.com/


Hope this helps ...

[redlined]

Test

Code: Select all

test -f /proc/net/if_inet6 && echo "Running kernel is IPv6 ready"

if this comes back with no response, you have succeeded.

before reboot:

Code: Select all

anyuser@OEMTUFFBOOK:~$ test -f /proc/net/if_inet6 && echo "Running kernel is IPv6 ready"
Running kernel is IPv6 ready
anyuser@OEMTUFFBOOK:~$ 

after reboot:

Code: Select all

anyuser@OEMTUFFBOOK:~$ test -f /proc/net/if_inet6 && echo "Running kernel is IPv6 ready"
anyuser@OEMTUFFBOOK:~$ 

very nice, thanks for the test code DAMIEN1307!

since I've done this grub update (already had done sysctl.conf edit months back) will the issue of apps/programs trying ip6 go away since system is loaded with no ip6 support now, or is it advisable to add to comment out the ip6 lines in etc/hosts as well?
from trytip's mention and link:

Code: Select all

# comment these IPv6 hosts
# ::1     ip6-localhost ip6-loopback
# fe00::0 ip6-localnet
# ff00::0 ip6-mcastprefix
# ff02::1 ip6-allnodes
# ff02::2 ip6-allrouters

[Pjotr]

Hi Schultz, & Everyone Else,

You and everyone else should know that Linux does not waste time fixing these kinds of issues. According to the article you already linked:

Systemd creator Leonard Poettering has already published a security fix for the vulnerable component – this should be weaving its way into distros as we type.

Exactly. I expect a fix (level 4) for Mint 19 / Ubuntu 18.04 within days.

Security flaws are being discovered, and fixed, on an almost daily basis. That's why we get those frequent security updates....

So: no worries, mates. Business as usual.

[Schultz]

Pjotr wrote:
Security flaws are being discovered, and fixed, on an almost daily basis.

That's true, but are we to see this more often since systemd seems to be hooked into just about everything? (I don't mean that in a carte blanche way, so nobody jump all over me about it.)