What is the vulnerability?
On February 18th, 2019 Chris Coulson, of Ubuntu Security, notified the oss-sec mailing list that a vulnerability existed within the systemd core Linux package that was capable of causing a full system crash, or potentially a denial-of-service situation. At the heart of this issue is the ability to send a “specially crafted D-Bus message on the system bus” and overflowing the stack pointer to an unmapped page, thus causing systemd to crash, and result in a kernel panic.
This vulnerability is tracked as CVE-2019-6454 and applies to virtually every current Linux desktop or server distribution, including CentOS*, Ubuntu, Fedora, Debian, etc. For your convenience, we are including a list of additional distribution-specific links at the bottom of this article. *For clarification purposes, systemd was not adopted by CentOS until version 7.
It should be noted while most CVE pages credit Chris Coulson in relation to this CVE, the first identified reporter of this issue according to the Red Hat Bug page was Andrej Nemec, Software Engineer for Red Hat.
What is systemd?
The system and service manager known as systemd is a part of a Linux software package/suite that that runs at the core of several Linux distributions. For systems administrators, systemd provides important features such as on-demand daemon execution, process tracking, management of disk mounting and automatic mount point maintenance, system configuration utilities, a system logging daemon, and other critical functions. As the core system service, systemd runs as PID #1 with the rest of the Linux system building off of this process. Therefore it is no great surprise that a flaw in this process could have absolutely critical significance to any system.
According to its ArchLinux package tracking page, systemd has had 12 vulnerabilities reported in the 9 years since it’s release. Understandably, there is a growing sentiment that systemd should be abandoned or replaced. Linux.com argues that systemd is here to stay, but notes that to a lot of Linux users, it never needed to be created in the first place. This debate is not related to this issue, however, so we’ll skip getting involved in a long narrative about the great “Linux Divide.” If, however, this sort of discussion is attractive to you, we can recommend the following articles for further reading about systemd’s history and origin story:
- Linux.com - Understanding and Using Systemd
- Debian.org - systemd
- Wikipedia - systemd
- Freedesktop.org - systemd System and Service Manager
- TecMint - The Story Behind ‘init’ and ‘systemd’: Why ‘init’ Needed to be Replaced with ‘systemd’ in Linux
- without-systemd.org
Who should be concerned?
Since 2015, systemd has been considered the de facto standard for all Linux distributions. This includes both users of Linux Desktop distributions, such as Fedora and Ubuntu, and also Linux server distributions such as CentOS and Debian.
As such, this vulnerability may affect a large majority of the Linux user base and should be considered a matter of high importance.
What should I do?
Cozaq recommends an immediate update to all systems as soon as your distribution provider supplies one, and provides the following list of related publications for your convenience.
Related publications
- Original CVE-2019-6454 notification credited to Chris Coulson of Ubuntu Security:
- Seclists.org - https://seclists.org/oss-sec/2019/q1/140
- Openwall - https://www.openwall.com/lists/oss-security/2019/02/18/3
- Red Hat - status: New (Patched in Enterprise Linux 7)
- Red Hat CVE Notice - https://access.redhat.com/security/cve/cve-2019-6454
- Bugzilla source - https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-6454
- Security Advisory - https://access.redhat.com/errata/RHSA-2019:0368
- Solution - https://access.redhat.com/articles/11258
- CentOS - status: untracked
- CentOS is a product of the Red Hat team and is not tracking separately at this time.
- ArchLinux - status: Testing
- bug ticket - https://bugs.archlinux.org/task/61804
- Debian - status: fixed in stretch (232-25+deb9u9) and jesse (215-17+deb8u10)
- Security Tracker - https://security-tracker.debian.org/tracker/CVE-2019-6454
- Ubuntu - status: Released for 16.01/18.04/18.10; needed for 19.04
- Gentoo - status: IN_PROGRESS