Skip to main content

CVE-2019-6454 - systemd vulnerability allowing possible denial of service

James Holt
  • Updated

What is the vulnerability?

On February 18th, 2019 Chris Coulson, of Ubuntu Security, notified the oss-sec mailing list that a vulnerability existed within the systemd core Linux package that was capable of causing a full system crash, or potentially a denial-of-service situation. At the heart of this issue is the ability to send a “specially crafted D-Bus message on the system bus” and overflowing the stack pointer to an unmapped page, thus causing systemd to crash, and result in a kernel panic.

This vulnerability is tracked as CVE-2019-6454 and applies to virtually every current Linux desktop or server distribution, including CentOS*, Ubuntu, Fedora, Debian, etc. For your convenience, we are including a list of additional distribution-specific links at the bottom of this article. *For clarification purposes, systemd was not adopted by CentOS until version 7.

It should be noted while most CVE pages credit Chris Coulson in relation to this CVE, the first identified reporter of this issue according to the Red Hat Bug page was Andrej Nemec, Software Engineer for Red Hat.

What is systemd?

The system and service manager known as systemd is a part of a Linux software package/suite that that runs at the core of several Linux distributions. For systems administrators, systemd provides important features such as on-demand daemon execution, process tracking, management of disk mounting and automatic mount point maintenance, system configuration utilities, a system logging daemon, and other critical functions. As the core system service, systemd runs as PID #1 with the rest of the Linux system building off of this process. Therefore it is no great surprise that a flaw in this process could have absolutely critical significance to any system.

Kernel_Panic.png

According to its ArchLinux package tracking page, systemd has had 12 vulnerabilities reported in the 9 years since it’s release. Understandably, there is a growing sentiment that systemd should be abandoned or replaced. Linux.com argues that systemd is here to stay, but notes that to a lot of Linux users, it never needed to be created in the first place. This debate is not related to this issue, however, so we’ll skip getting involved in a long narrative about the great “Linux Divide.” If, however, this sort of discussion is attractive to you, we can recommend the following articles for further reading about systemd’s history and origin story:

Who should be concerned?

Since 2015, systemd has been considered the de facto standard for all Linux distributions. This includes both users of Linux Desktop distributions, such as Fedora and Ubuntu, and also Linux server distributions such as CentOS and Debian.

As such, this vulnerability may affect a large majority of the Linux user base and should be considered a matter of high importance.

What should I do?

Cozaq recommends an immediate update to all systems as soon as your distribution provider supplies one, and provides the following list of related publications for your convenience.

Related publications

 

 

 

Powered by Zendesk