A bug in systemd — an init system used in many Linux distributions to start and manage processes — allows an attacker to crash or take over machines via malicious DNS packets.

Canonical developer Chris Coulson discovered the issue, which is tracked under the identifier of CVE-2017-9445. The vulnerability affects all Linux distros that ship systemd versions between 223 and 233.

Issue exploited via DNS packets

According to Coulson's description of the bug, affected systemd versions allow an attacker to allocate a small buffer size for the processing of DNS packets.

"A malicious DNS server can exploit this by responding with a specially crafted TCP payload to trick systemd-resolved into allocating a buffer that's too small, and subsequently write arbitrary data beyond the end of it," Coulson says.

This "out-of-bounds write" vulnerability allows an attacker to crash a targeted system's systemd daemon, or write data to memory, allowing him to execute code on the target's machine. Skilled attackers can use this flaw to hijack systemd instances, which due to their level of access would allow an attacker to take over the entire machine. All it takes is a malicious DNS packet.

Certain sizes passed to dns_packet_new can cause it to allocate a buffer that's too small. A page-aligned number - sizeof(DnsPacket) + sizeof(iphdr) + sizeof(udphdr) will do this - so, on x86 this will be a
page-aligned number - 80. Eg, calling dns_packet_new with a size of 4016 on x86 will result in an allocation of 4096 bytes, but 108 bytes of this are for the DnsPacket struct.

Patch status

The issue was introduced in the systemd code in June 2015 and is currently unpatched, albeit a fix has been submitted to developers.

Canonical has released updates to Ubuntu 16.10 (Yakkety Yak) and 17.04 (Zesty Zapus) to protect users.

Red Hat said the vulnerability did not affect the versions of systemd shipped with Red Hat Enterprise Linux 7.

Debian said its distros shipped vulnerable versions of systemd, but the systemd-resolved service where the bug lies is not enabled by default, so users are protected unless they tinkered with systemd settings.