Don't panic, but Linux's Systemd can be pwned via an evil DNS query

Systemd, the Linux world's favorite init monolith, can be potentially crashed or hijacked by malicious DNS servers. Patches are available to address the security flaw, and should be installed ASAP if you're affected. Looking up a hostname from a vulnerable Systemd-powered PC, handheld, gizmo or server can be enough to trigger …

Ohh, so surprised, how could this happen?!?

</irony>

Anyway. Given how this octopus spreads its arm in so many modules, this is probably only the very tiny tip of a very big and cold iceberg.

110
3
Silver badge

"Given how this octopus spreads its arm in so many modules, this is probably only the very tiny tip of a very big and cold iceberg."

Regret I can't give you a second upvote for a glorious mixed metaphor.

48
1
Anonymous Coward

Well I am affected

"Patches are available to address the security flaw, and should be installed ASAP if you're affected."

But what do my mannerisms have to do with it?

20
0

Re: Well I am affected

Given that it is Systemd that is the problem, I think the appropriate response would be a Gallic shrug.

https://www.youtube.com/watch?v=ubdrDij0x48

14
0
Silver badge

Very warm icebergs are just called water.

10
0
Silver badge
Linux

I use systemd on all the servers I manage, out of choice. I refuse to set up non-systemd server-setups any more, it is just so vastly more pleasant to work with than the alternatives.

So, for me personally, when systemd came along, it solved all the problems I ever had with system initialization. What most systemd critics consider "bloat", I consider necessary complexity to solve a complex problem generically. You can say what you want about Poettering, but he actually realized what the problems with system initialization were and provided a working solution. I could go on for hours, but this should be a good summary.

A lot of the pushback against systemd - merited or not - is because a lot of people in charge of little parts of the bazaar have seen their pet projects cast aside by the major distros and taken over by the systemd devs. In a world where street cred is a big force in motivating people to contribute to open source being maintainer of 'x' where 'x' is part of each and every linux distro out there and then to see 'x' taken over by systemd in a fairly rough manner without any kind of co-operation between the old maintainers and the new kids on the block there are bound to be a lot of ruffled feathers. But that's not technology, that's just ego.

I find it amusing that no one here is asking why systemd-resolved was introduced, or what problem it was intended to solve. Read this post:

https://lists.ubuntu.com/archives/ubuntu-devel/2016-May/039350.html

8
30
Anonymous Coward

systemd might as well have been written by Microsoft

Everything that is wrong with systemd is down to its M$-style design; it doesn't belong on professional systems any more than Windows does.

Yes, you gain ease of use and fast setup but at the cost of security and stability with the obvious result that you open yourself up to security problems that occur because you let someone else make the decisions you thought weren't as important as getting up and running.

16
2
Silver badge

The pushback against systemd is because it takes what were independent systems and rolls them into a tightly coupled monolith. The independence of those prior systems was their greatest strength - the more independent those systems are, the less opportunity there is to bring down the entire OS by crashing one of those systems.

systemd can claim to be modular all it wants; the fact that you can take down the entire OS via the init with a malicious dns response is a fucking travesty in this day and age. It's the sort of thing that even Windows left behind at the turn of the century.

27
0
Coat

Re: Well I am affected

you Forgot your'e pedents' coat .

1
0
Silver badge

"I find it amusing that no one here is asking why systemd-resolved was introduced, or what problem it was intended to solve. Read this post:"

To paraphrase for anyone not wanting to read it: "DNS is probably too complex for you to manage, so we're adding an extra caching resolver to every machine, which simplifies certain desktop configurations".

If I'm going to be treated like a child, I expect milk and cookies at 3pm, and then a nap.

11
0
Bronze badge

Re: I think the appropriate response would be a Gallic shrug

Let me provide an analogy. You know, xpdf frequently had code execution vulnerabilities found in it and ultimately was removed from Gentoo in 2014 when another one resurfaced and became the last straw:

https://security.gentoo.org/glsa/201402-17

"Description: Multiple vulnerabilities have been discovered in Xpdf. Please review the CVE identifiers referenced below for details.

Resolution: Gentoo has discontinued support for Xpdf. We recommend that users unmerge Xpdf: # emerge --unmerge "app-text/xpdf""

After that, there's no more xpdf in Gentoo. They use mupdf instead. I hope systemd meets the same fate, the sooner the better. Flushing toilet water icon, please.

6
0
Bronze badge

Re: I refuse to set up non-systemd server

Let me fix it for ya, John:

"I use xpdf on all the computers I manage, out of choice. I refuse to set up non-xpdf setups any more, it is just so vastly more pleasant to work with than the alternatives."

(https://security.gentoo.org/glsa/201402-17)

4
1
Anonymous Coward

> I use systemd on all the servers I manage, out of choice.

Yeah, there is always one.

4
0

Ahhh, systemd: The gift that keeps on giving!

Isn't systemd simply a euphemism for "attack surface", these days?

As a FreeBSD user, I wish Lennart Poettering the very best of health, and success in his mission to make Linux a consumer-only operating system that will rival Windows for security flaws and scope creep.

If nothing else, systemd will serve as a stark reminder that it's always good to have a choice of different operating systems, just in case one vendor / development team goes all Dr. Strangelove on us...

4
0
Anonymous Coward

Re: Well I am affected

"But what do my mannerisms have to do with it?"

Yeah!

*Downs a pint and belches*

*Takes off shirt before putting a shelf up*

*Minces off to find a drill*

0
0

I don't follow...

Can you explain to me your rationale for believing that "you can take down the entire OS via the init with a malicious dns response" when systemd-resolved is quite clearly a separate binary from that running as init and has also dropped its privileges and is running as a non-root user?:

# ps | grep init
1 root 7824 S {systemd} /sbin/init ldb
1108 root 2696 S grep init
# readlink -f /sbin/init
/usr/lib/systemd/systemd
# readlink -f /usr/lib/systemd/systemd-resolved
/usr/lib/systemd/systemd-resolved
# ps | grep systemd-resolved
359 systemd- 5816 S /usr/lib/systemd/systemd-resolved
1097 root 2696 S grep systemd-resolved
# cat /etc/passwd | grep systemd-resolve
systemd-resolve:x:231:231:systemd-resolve:/:/bin/nologin
systemd-resolve:x:231:
# cat /etc/group | grep systemd-resolve
systemd-resolve:x:231:
#

0
0
FAIL

Trust a hacker's data?

I've always found it odd that systems would enable dns reverse lookups for all sorts of things where it provides no value. I don't trust DNS to give me a valid name if all I have is an IP address.

The whole thing of probing someone's network and have them look up your IP address where you then send TCP packets back to crash their name server or other application has been around since the early 1990s.

7
4
Orv
Bronze badge

Re: Trust a hacker's data?

It also adds an unpredictably slow, often blocking process to whatever you're doing. There are situations where it's useful, but almost all of them are better handled in after-the-fact processing by non-privileged code.

However, there are other scenarios where this bug could trigger. For example, if you're using an untrusted network that can intercept your DNS queries.

3
0
Silver badge

Re: Trust a hacker's data?

I've always found it odd that systems would enable dns reverse lookups for all sorts of things where it provides no value. I don't trust DNS to give me a valid name if all I have is an IP address.

That's why you also look up the name to see that it matches the same IP address; otherwise there's no point. In fact, it's worse than no lookup at all if the name is logged instead of the IP.

DNS Double Reverse Lookup

The whole thing of probing someone's network and have them look up your IP address where you then send TCP packets back to crash their name server or other application has been around since the early 1990s.

That's a daft thing to say. If someone's name server can be crashed this way, then it is at fault and needs to be fixed. Nothing to do with DNS lookups, apart from maybe reducing "security by obscurity", which of course is a non-reason.

1
1
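The double reverse lookup described in the post above (forward-confirmed reverse DNS), as an added example that is not part of the thread. The resolver functions are injected and the record set is constructed, so it runs offline; a production caller would pass functions that query real DNS.

```python
"""Forward-confirmed reverse DNS: only trust a PTR name if it resolves back.

Added example, not from the thread. The two lookup functions are injected so
the check runs offline against constructed records; in production you would
pass functions that perform real PTR and A/AAAA queries.
"""
from typing import Callable, Iterable, Optional

PtrLookup = Callable[[str], Iterable[str]]   # ip -> candidate hostnames
AddrLookup = Callable[[str], Iterable[str]]  # hostname -> addresses


def fcrdns(ip: str, ptr_lookup: PtrLookup, addr_lookup: AddrLookup) -> Optional[str]:
    """Return a hostname for `ip` only if that hostname resolves back to `ip`.

    A PTR record is controlled by whoever runs the reverse zone for the
    address block, so on its own it proves nothing about the name. Requiring
    the forward lookup of the returned name to contain the original address
    means the name's owner has to vouch for the address too, which someone
    who only controls the reverse zone cannot arrange.
    """
    for name in ptr_lookup(ip):
        try:
            forward = set(addr_lookup(name))
        except LookupError:
            continue  # name does not exist or fails to resolve: not confirmed
        if ip in forward:
            return name
    return None


def log_peer(ip: str, ptr_lookup: PtrLookup, addr_lookup: AddrLookup) -> str:
    """What to put in a log line: the confirmed name plus IP, else the bare IP."""
    name = fcrdns(ip, ptr_lookup, addr_lookup)
    return f"{name} [{ip}]" if name else ip


# Constructed sample records (documentation address ranges, not real DNS data).
PTR = {
    "192.0.2.10": ["mail.example.com."],     # honest reverse record
    "198.51.100.7": ["mail.example.com."],   # spoofed: claims someone else's name
    "203.0.113.9": ["ghost.invalid."],       # PTR points at a name that does not resolve
}
A = {
    "mail.example.com.": ["192.0.2.10"],
}


def sample_ptr(ip: str):
    return PTR.get(ip, [])


def sample_addr(name: str):
    if name not in A:
        raise LookupError(name)
    return A[name]


if __name__ == "__main__":
    for peer in PTR:
        print(log_peer(peer, sample_ptr, sample_addr))
```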

Re: Trust a hacker's data?

To people who think reverse DNS is a good idea, consider concepts like CNAME loops. Smart DNS servers will catch it, but there are plenty of dumb DNS implementations out there. In IPv4 we could send a UDP request out and expect to get a UDP response back, but now with IPv6 the packet sizes often exceed the MTU, resulting in several packets. Once you get a large chunk of data back, someone at the other end might just be playing games with malformed DNS packets or even just broken DNS settings. What does your application do when you get back thousands of names for a reverse lookup? What happens when each lookup results in a chain of CNAMEs? What happens when the end of those chains results in hundreds of addresses that are all the same?

DNS isn't authoritative, it is informational. It is great when it doesn't lie to you. But you can't test for when it does.

1
0
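A client-side resolver that bounds the failure modes the post above lists (CNAME loops, long CNAME chains, and a name that fans out to far too many addresses), as an added example that is not from the thread. The zone data is constructed, and the hop and answer caps are values chosen here, not standards-mandated numbers.

```python
"""Bounded CNAME-chain resolution over a constructed record set.

Added example, not from the thread. A resolver that refuses CNAME loops,
overlong chains and oversized answers instead of looping or handing the
caller an unbounded list. MAX_CNAME_HOPS and MAX_ANSWERS are our own choices.
"""
from typing import Dict, List, Tuple

MAX_CNAME_HOPS = 8   # longest CNAME chain we are willing to follow
MAX_ANSWERS = 16     # most addresses a caller is willing to handle per name

# Constructed zone data: name -> (rtype, [rdata]). Not real DNS.
ZONE: Dict[str, Tuple[str, List[str]]] = {
    "www.example.com.": ("CNAME", ["cdn.example.com."]),
    "cdn.example.com.": ("CNAME", ["edge.example.com."]),
    "edge.example.com.": ("A", ["192.0.2.1", "192.0.2.2"]),
    # a two-node CNAME loop
    "a.loop.example.": ("CNAME", ["b.loop.example."]),
    "b.loop.example.": ("CNAME", ["a.loop.example."]),
    # a name that expands to an unreasonable number of addresses
    "flood.example.": ("A", [f"203.0.113.{i}" for i in range(1, 101)]),
}


class ResolveError(Exception):
    """Raised when an answer is refused rather than returned."""


def resolve_a(name: str, zone: Dict[str, Tuple[str, List[str]]] = ZONE) -> List[str]:
    """Follow CNAMEs from `name` to A records with loop, length and size limits."""
    seen: List[str] = []
    current = name
    # MAX_CNAME_HOPS CNAME steps plus one final A lookup.
    for _ in range(MAX_CNAME_HOPS + 1):
        if current in seen:
            raise ResolveError("CNAME loop: " + " -> ".join(seen + [current]))
        seen.append(current)
        rtype, rdata = zone.get(current, ("NXDOMAIN", []))
        if rtype == "CNAME":
            current = rdata[0]
            continue
        if rtype == "A":
            if len(rdata) > MAX_ANSWERS:
                raise ResolveError(
                    f"{current}: {len(rdata)} addresses exceeds cap of {MAX_ANSWERS}")
            return list(rdata)
        raise ResolveError(f"{current}: no A or CNAME record")
    raise ResolveError(f"CNAME chain longer than {MAX_CNAME_HOPS} hops from {name}")


def safe_resolve(name: str, zone=ZONE) -> Tuple[List[str], str]:
    """(addresses, "") on success; ([], reason) when the answer was refused."""
    try:
        return resolve_a(name, zone), ""
    except ResolveError as err:
        return [], str(err)


if __name__ == "__main__":
    for n in ("www.example.com.", "a.loop.example.", "flood.example.", "nope.example."):
        print(n, safe_resolve(n))
```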
Silver badge
Mushroom

If THIS isn't a reason to hate systemd...

IF! THIS! IS! NOT! A! REASON! TO! HATE! SYSTEMD! THEN! THERE! IS! NO! HOPE! FOR! YOU!!!

just sayin'.

43
13

Re: If THIS isn't a reason to hate systemd...

Is systemd made by Yahoo! or something? What's with all the exclamation marks?

34
0
Gold badge
Coat

"What's with all the exclamation marks?"

They don't call him "Mr Bombastic" for nothing.

31
0
Silver badge

Re: If THIS isn't a reason to hate systemd...

Getting rid of systemd won't stop buffer overruns. This vulnerability is handy for the systemd haters but the real problem here is coding in a language that allows overruns to happen, isn't it?

14
38
Silver badge

Re: If THIS isn't a reason to hate systemd...

Shhh, just be happy he didn't try and blame this one on Hillary Clinton.

34
4
Silver badge

Re: If THIS isn't a reason to hate systemd...

No, the real problem is systemd is a jack of all trades and a master of none. Thus, bugs like this due to poor quality design and coding.

51
4
Silver badge

Re: If THIS isn't a reason to hate systemd...

Getting rid of systemd won't stop buffer overruns.

No it won't be getting rid of buffer overruns, but something as critical to system operation as systemd simply should never be placed in a position where it can be exposed to this kind of attack, or any kind of remote attack. That's not an "I hate systemd" statement, that's a basic security for kindergarten level lesson.

Fixing these issues is going to be a giant game of whack-a-mole, where there is simply no need to expose yourself to danger in the first place. This isn't just a bug, it's a fundamental design flaw.

65
0

Re: If THIS isn't a reason to hate systemd...

Yet another rant fuelled by ignorance. List all the software that has never had a bug.

3
49

Re: If THIS isn't a reason to hate systemd...

ALL software has bugs, get over it. Looks like you've never written any software in your life.

4
51
Bronze badge
Flame

Re: If THIS isn't a reason to hate systemd...

No, the reason to hate systemd is that Linux already has a bunch of DNS resolvers that are pretty secure. You can pick your favourite.

But systemd must use its own, special, freshly-written one. Because, systemd. So that decision obliges most Linux distros to host a single, new DNS resolver. That is broken.

Unfortunately, this has been the way with systemd for a while. New way of doing things becomes The One, True, Only Way before the code is actually fully finished and tested. And, if bugs are found, or pre-existing features are removed, it is your fault for trying to do whatever you used to do before.

So, yeah, hate. Just been embarrassed in front of a customer by the COMPLETELY UNNECESSARY change to the way that partitions (especially swap) are mounted. Oh, and did you know, that if your machine ceases to boot because of a systemd config error, you can't fix it in the recovery console?

Bah!

77
3
Silver badge

Re: If THIS isn't a reason to hate systemd...

ALL software has bugs, get over it.

It is precisely because all software has bugs that design decisions should be made to limit the impact of those bugs. It's like RAID: all disks are unreliable, and eventually the industry twigged that the answer wasn't to make more reliable disks (even though that helped a bit); the answer was to design storage systems where disks dying wasn't a big problem.

When it comes to SW the trick is to make sure that you're not exposed to the risk of bugs unnecessarily. Design your SW so as to limit the impact of the inevitable bugs.

51
0
Silver badge

Re: If THIS isn't a reason to hate systemd...

And that's an argument in favour of a giant monolithic buggy piece of software?

Many things that systemd does are bad copies of stand-alone software with reduced functionality and/or bugs. If it were a stand-alone DNS daemon then you could easily change to another one.

Why would you even want to shove everything in the same process? If it goes down the system is hosed, if it's exploited then all functionality that systemd does is compromised.

51
0
Bronze badge

Re: If THIS isn't a reason to hate systemd...

@ rtfazeberdee

All software has bugs, therefore software like init, which runs as the very first process and with elevated permissions, should be kept as simple as possible.

In contrast, the systemd developers have included a ridiculous amount of functionality in the init process (process 1). See http://suckless.org/sucks/systemd for an overview. Often for no other stated reason than to "keep the number of processes down".

A traditional init system wouldn't even contain networking code, let alone do reverse DNS lookups.

Consider that it is generally estimated that high-quality code contains one defect every 1000 lines. Consider the size of systemd, all of which is running as the privileged process 1. Weep.

60
1
Silver badge

Re: If THIS isn't a reason to hate systemd...

When it comes to SW the trick is to make sure that you're not exposed to the risk of bugs unnecessarily. Design your SW so as to limit the impact of the inevitable bugs.

It's unclear whether you think that the language should have protected the developer from risks, or that the software should have been composed of more coherent, smaller, and less tightly coupled components.

2
0
Bronze badge

Re: If THIS isn't a reason to hate systemd...

@ Tom 38

> It's unclear whether you think that the language should have protected the developer from risks, or that the software should have been composed of more coherent, smaller, and less tightly coupled components.

I think both. A traditional "init" is written in C but most of the functionality is actually in shell scripts which are invoked by "init". Now shell is messy, but at least it is not vulnerable to buffer overruns. In principle there is nothing stopping you from rewriting the shell scripts in some saner programming language (Python, Ruby, whatever rocks your boat).

Note that dividing the software in smaller blocks also means that you can use an appropriate programming language for each block.

26
0

This post has been deleted by a moderator

Silver badge

Re: All software has bugs

Well, if people would start from the principle espoused by Bertrand Meyer in Object Oriented Software Construction vis-a-vis undefined answers to questions (a principle that goes back much further than the publication of that book I might add) there would be a damned sight fewer stupid ones.

7
0
Silver badge

Re: If THIS isn't a reason to hate systemd...

@ Missing Semicolon

Whilst I agree with the sentiment the article makes it clear that use of the systemd resolver isn't compulsory. Yet. At least not if you use Debian.

4
0

Re: If THIS isn't a reason to hate systemd...

> Fixing these issues is going to be a giant game

This is progress, mind you, as it's surprising the official response wasn't the usual "WONTFIX - upstream DNS is to blame"

19
1
Silver badge
Meh

Re: If THIS isn't a reason to hate systemd...

So systemd provides an optional module, systemd-resolved, to do DNS caching; Ubuntu uses it to replace dnsmasq; there is a bug in systemd-resolved which affects a small number of distros, notably Ubuntu 17.04, for which a patch does exist...

Oh noes, the end of the world!

2
18
Silver badge
Meh

Re: If THIS isn't a reason to hate systemd...

The ignorance is strong yes, but el reg loves sweet sweet clickbait.

1
17
Silver badge
Meh

Re: If THIS isn't a reason to hate systemd...

>> If it were a stand-alone DNS daemon then you could easily change to another one.

Dude, you can just do that, systemd-resolved is a separate module.

# systemd units are managed with systemctl, not the systemd binary itself
systemctl stop systemd-resolved
systemctl disable systemd-resolved
systemctl mask systemd-resolved
apt update
apt install dnsmasq

I guess this is the 21st century version of the peasants with pitchforks.

6
16
Silver badge

Re: If THIS isn't a reason to hate systemd...

A security vulnerability isn't reason enough to hate anything. I am skeptical of systemd because it goes against the Unix philosophy of a series of simple modules that each do one task really well, which is part of what has made Unix and Unix-like OSes endure for decades, but that's the neat thing about open source: No one forces any of the other projects or distro maintainers to use it. Most of them seem to be headed that way, though... in some cases, it's because the upstream has already made the decision, but within that upstream bunch are a lot of people that have a lot of passion for their projects that know a ton more than I do about Linux, and they are going systemd and PulseAudio.

Personally, I have never had any of the audio difficulties PulseAudio is supposed to cause, and Mint seems to be the same whether I select a systemd boot or an Upstart (though it does boot a little faster with systemd; Windows 8.1 trounces them both, even with the Windows fast boot disabled... not that I really care much, as I reboot pretty rarely).

It's pretty clear that Microsoft is dedicated to destroying Windows, and I will never migrate to 10 if it even somewhat resembles the mess it currently is (and it's pretty clear that MS is dedicated to making sure it remains an unusable crapfest), so Linux clearly is it. The local OS won't even matter if everything moves to "the cloud" and webapps as the prognosticators claim. I just hope to have a usable browser after Mozilla's upcoming suicide later this year so that I can use all that stuff. Firefox and FF derivatives are the only browsers in existence for the PC that I consider usable at the moment (there are none on Android, as far as I am concerned).

6
0

This post has been deleted by its author

Re: If THIS isn't a reason to hate systemd...

> Unfortunately, this has been the way with systemd for a while.

> New way of doing things becomes The One, True, Only Way before the

> code is actually fully finished and tested. And, if bugs are found, or

> pre-existing features are removed, it is your fault for trying to do whatever you

> used to do before.

That's not unique to systemd, that's Linux in general. Every time I upgrade my Mythbuntu setup to a new release I have to learn at least one new way of doing something that was working perfectly well before. I think they like to call it progress. I just call it a pain in the arse but it seems unfair to single out systemd alone for that treatment.

5
2
Silver badge

Re: If THIS isn't a reason to hate systemd...

"list all the software that has never had a bug."

What about seL4, which has a formal proof?

0
2
Silver badge
Devil

Re: "What's with all the exclamation marks?"

https://allthetropes.org/wiki/Punctuated!_For!_Emphasis!

(El Reg does it all the time, too)

5
2
Silver badge
Devil

Re: If THIS isn't a reason to hate systemd...

"the article makes it clear that use of the systemd resolver isn't compulsory. Yet. At least not if you use Debian."

this is true. my Debian 8 'beater' box [which I'm using to test changes/updates to a customer web site before implementing them on the actual site] has systemd on it, unfortunately, but isn't using resolved for anything significant (or at all, for that matter).

/etc/resolv.conf is a regular file with the expected text-based contents in it

I think you may be able to DISABLE systemd-resolved by making /etc/resolv.conf a static file, rather than a symlink to the /run/systemd/whatever file. Can anyone confirm that?

3
1
Silver badge

Re: "What's with all the exclamation marks?"

But only for Yahoo!, bb.

If you must use emphasis, please don't feel free. But not seemingly at random, or you come off all WWW-newbie "ransom note school of design".

7
0
Silver badge
Headmaster

Re: If THIS isn't a reason to hate systemd...

I'm less interested in hating it than simply getting rid of it, as a very pragmatic matter of necessity, not personal bias. It's a serious liability, as has just been clearly demonstrated, yet again, not merely because it has "a bug", but because this level of exposure should never be allowed anywhere near an init system, and certainly nowhere near something running at PID 1. That's sheer lunacy, a fundamental design flaw that cannot simply be "patched".

It's beyond time that the blinkered Poettering cabal faced the reality that Systemd is an overreaching abomination, created for highly dubious reasons, that is doomed by virtue of its own convoluted design to cause more problems, and of a far more serious nature, than it purports to solve.

Unlike the Poettering cabal, the Unix philosophy is not a fanboi club vying for popularity, it's the advocacy of solid engineering principles in the realm of software, principles that the aforementioned fanbois have completely abandoned. This incident should serve as a warning to them that they need to grow up and start thinking more like engineers, and less like children.

18
0


Biting the hand that feeds IT © 1998–2017