Critical Vulnerabilities Discovered in Systemd Could Allow Privilege Escalation for Linux Systems
Security researchers at Qualys have disclosed (January 2019) three vulnerabilities in Systemd, the init system and service manager used by most major Linux distributions. The flaws allow an unprivileged local user, or malware already running as an unprivileged user, to gain root on an affected system, compromising any data and any service on that host.
The vulnerabilities, identified as CVE-2018-16864, CVE-2018-16865, and CVE-2018-16866, reside in “systemd-journald”, the service that collects log messages from the kernel, from syslog(3) and from systemd’s native logging socket and writes them to the journal. Because journald runs as root and accepts messages from any local process, a memory-safety bug in its message handling is a local privilege escalation. Qualys has emphasized that every Systemd-based Linux environment contains the flawed code, including prominent distributions such as Red Hat Enterprise Linux and Debian.
However, certain distributions, namely SUSE Linux Enterprise 15, openSUSE Leap 15.0, and Fedora 28 and 29, are not exploitable even though they ship the vulnerable code. Their userspace is compiled with GCC’s -fstack-clash-protection, which makes a large stack allocation touch every page it spans, so an attempt to move the stack pointer past the guard page faults instead of silently landing in another mapping. That hardening does not remove the bugs, and it does not address the out-of-bounds read, so those distributions still need the patches.
The first two vulnerabilities, CVE-2018-16864 and CVE-2018-16865, are memory-corruption bugs; the third, CVE-2018-16866, is an out-of-bounds read in systemd-journald that leaks bytes of the process’s memory. Qualys wrote proof-of-concept exploits for these vulnerabilities and plans to release them shortly. Their exploit chains CVE-2018-16865 with CVE-2018-16866 (the read supplies the memory disclosure that makes the corruption reliably exploitable) and obtains a local root shell in about ten minutes on i386 and about 70 minutes on amd64, on average.
CVE-2018-16864 is of the same family as Stack Clash, the class of vulnerability the same Qualys team disclosed in 2017, in which an attacker-controlled stack allocation jumps over the stack guard page and overwrites adjacent memory, here to escalate from an unprivileged user to root. The researchers noted that this bug has been in Systemd’s codebase since April 2013 and became exploitable in February 2016. CVE-2018-16865 dates back to December 2011 and became exploitable in April 2013. The last vulnerability, CVE-2018-16866, was introduced in June 2015 and was “inadvertently fixed” in August 2018, so only journald builds from between those dates are affected by it.
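The pattern behind the two memory-corruption bugs is a stack allocation whose size the attacker controls. The following C is an added illustration written for this page, not systemd’s own code: a hypothetical record builder that sizes an alloca() from an untrusted length, beside a version that bounds the stack allocation and moves anything larger to the heap. The record layout, the FIELD= prefix, the 4096-byte limit and the function names are assumptions made for the example.

```c
/*
 * Added illustrative example (not systemd's code): an alloca() sized by
 * untrusted input, as in Stack Clash style bugs, beside a bounded version.
 * The record layout, limit and names below are assumptions for this example.
 */
#include <alloca.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define FIELD_PREFIX      "FIELD="
#define FIELD_PREFIX_LEN  (sizeof(FIELD_PREFIX) - 1)

/* Assumption for this example: anything larger than one page goes to the heap. */
#define STACK_ALLOC_LIMIT 4096

/* 32-bit FNV-1a over the assembled record, so callers get a value to check. */
static uint32_t fnv1a(const unsigned char *p, size_t n) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 16777619u;
    }
    return h;
}

/*
 * VULNERABLE pattern: value_len comes straight from the untrusted message.
 * A multi-megabyte length moves the stack pointer across the guard page, so
 * the memcpy writes into whatever mapping lies beyond it instead of faulting.
 * Built with gcc -fstack-clash-protection the frame is probed page by page
 * and the process dies with SIGSEGV; without it the write is silent corruption.
 */
uint32_t assemble_record_vulnerable(const char *value, size_t value_len) {
    char *rec = alloca(FIELD_PREFIX_LEN + value_len);   /* no bound, no wrap check */
    memcpy(rec, FIELD_PREFIX, FIELD_PREFIX_LEN);
    memcpy(rec + FIELD_PREFIX_LEN, value, value_len);
    return fnv1a((const unsigned char *)rec, FIELD_PREFIX_LEN + value_len);
}

/* Does the hardened path put a value of this length on the heap? -1 on wrap. */
int uses_heap(size_t value_len) {
    if (value_len > SIZE_MAX - FIELD_PREFIX_LEN)
        return -1;
    return (FIELD_PREFIX_LEN + value_len) > STACK_ALLOC_LIMIT;
}

/*
 * HARDENED version: check the size arithmetic, keep stack allocations small,
 * and serve anything larger from the heap. Returns the record digest
 * (0..2^32-1) on success or -1 on failure.
 */
int64_t assemble_record_safe(const char *value, size_t value_len) {
    int on_heap = uses_heap(value_len);
    if (on_heap < 0)
        return -1;                                  /* size_t would wrap */
    size_t need = FIELD_PREFIX_LEN + value_len;
    char *rec;
    if (on_heap) {
        rec = malloc(need);
        if (rec == NULL)
            return -1;
    } else {
        rec = alloca(need);                         /* bounded by STACK_ALLOC_LIMIT */
    }
    memcpy(rec, FIELD_PREFIX, FIELD_PREFIX_LEN);
    memcpy(rec + FIELD_PREFIX_LEN, value, value_len);
    uint32_t digest = fnv1a((const unsigned char *)rec, need);
    if (on_heap)
        free(rec);
    return (int64_t)digest;
}

/* Helper for exercising the large-input path: a value of n repeated bytes. */
int64_t digest_of_repeated(char c, size_t n) {
    char *value = malloc(n ? n : 1);
    if (value == NULL)
        return -1;
    memset(value, c, n);
    int64_t d = assemble_record_safe(value, n);
    free(value);
    return d;
}
```

The two functions produce identical digests for ordinary input; they differ only in what happens when a local sender supplies a length large enough to cross the guard page, which is exactly the case a journald-style service receiving messages from unprivileged processes has to assume.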
Organizations running affected Linux systems should watch for the systemd security updates from their distributions and apply them as soon as they are available. Note that the new binary only takes effect once journald has been restarted (package updates on most distributions do this; otherwise run systemctl restart systemd-journald). Leaving the flaws unpatched gives any local user or compromised unprivileged process a path to root.
In MITRE ATT&CK terms these are not initial-access techniques: the attacker must already have a foothold on the host (a local account, or code execution as an unprivileged user). From there, the bugs map to Exploitation for Privilege Escalation (T1068). Organizations should remain vigilant and proactive in their cybersecurity measures to mitigate the risks associated with such vulnerabilities.