Skip to main content

Linuxs Systemd Vulnerable to Malicious DNS

The Systemd init system used by many popular Linux distributions has been found to be vulnerable to a memory corruption vulnerability which can be exploited by a malicious DNS server to perform remote code execution on a vulnerable device.
Threat ID:
CC-1506
Category:
Exploit
Threat Severity:
Medium
Threat Vector:
Published:
6 July 2017 12:00 AM
Report a cyber attack: call 0300 303 5222 or email [email protected]

This content has been archived

This article no longer conforms to NHS Digital's standards for cyber alerts, and may contain outdated or inaccurate information. Use of this information contained in this page is at your own risk

Summary

The Systemd init system used by many popular Linux distributions has been found to be vulnerable to a memory corruption vulnerability which can be exploited by a malicious DNS server to perform remote code execution on a vulnerable device.

Threat details

Systemd is used in Linux distributions and is described as a system and service manager that handles the starting of processes and daemons both manually and at boot time amongst other things. Adoption of the system has increased over the past few years and is now installed as standard in many of the leading Linux distributions such as Ubuntu, Red Hat and more.

The vulnerability itself is found specifically within the Resolved component of Systemd. Resolved is a DNS resolver component that is used to provide name resolution to services and local applications.

A successful attack would require a malicious DNS server to send a crafted response to a request made by a vulnerable device. The vulnerable client is fooled into reserving a smaller memory space than is required to store the response. The response overflows the reserved memory space and results in memory becoming corrupted outside of the intended location.

Memory corruption issues such as this can have a wide ranging impact on a vulnerable device from simply causing the service to crash right through to remote code execution.

Remediation steps

Type Step
  • Monitor distribution-specific information portals for exploit-ability against distributions in use across the estate.
  • Ensure the Systemd-resolved package is updated across all identified vulnerable devices.
  • Ensure host and network based intrusion systems are in place with definitions in place able to detect attempted attacks against this vulnerability.

Last edited: 17 February 2020 11:33 am