The code, which could sit comfortably in a single tweet, was unearthed by security researcher Andrew Ayer. In a blog post titled “How to Crash Systemd in One Tweet”, he showed that the following command, when run as any user, will crash systemd:
NOTIFY_SOCKET=/run/systemd/notify systemd-notify ""
“After running this command, PID 1 is hung in the pause system call. You can no longer start and stop daemons. inetd-style services no longer accept connections. You cannot cleanly reboot the system. The system feels generally unstable (e.g. ssh and su hang for 30 seconds since systemd is now integrated with the login system),” said Ayer.
“All of this can be caused by a command that's short enough to fit in a Tweet,” Ayer continued.
According to the researcher, the bug has existed for over two years and is serious because it “allows any local user to trivially perform a denial-of-service attack against a critical system component”.
“The above systemd-notify command sends a zero-length message to the world-accessible UNIX domain socket located at /run/systemd/notify. PID 1 receives the message and fails an assertion that the message length is greater than zero,” he added.
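The failure mode Ayer describes, a receiver that asserts on the length of an incoming datagram, is a general input-handling lesson. The C program below is an added example written for this page; it is not systemd's code and does not reproduce its internals. It assumes only the documented sd_notify(3) message format (newline-separated KEY=VALUE lines such as READY=1 and STATUS=...). It places a fragile receiver that asserts on length next to a hardened one that treats an empty datagram as a no-op, bounds every read to the datagram length (datagrams need not be NUL-terminated), and reports malformed or unrecognised lines instead of aborting. The sample datagrams in main() are constructed for the demonstration.

```c
#include <assert.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Bits returned by handle_notify() describing what the datagram contained. */
#define NOTIFY_EMPTY     0x0  /* zero-length datagram: nothing to do */
#define NOTIFY_READY     0x1  /* READY=1 seen */
#define NOTIFY_STATUS    0x2  /* STATUS=<text> seen, copied into status_out */
#define NOTIFY_UNKNOWN   0x4  /* at least one line with a key we do not handle */
#define NOTIFY_MALFORMED 0x8  /* at least one line without a '=' separator */

/* Fragile receiver (illustrative of the failure mode in the article, not
   systemd's code): asserting on the length means that an empty datagram
   from any local sender aborts the receiving process. */
int handle_notify_fragile(const char *msg, size_t len) {
    assert(len > 0);
    return (int)len;
}

/* Hardened receiver: an empty datagram is ignored, every read is bounded
   by len, and bad input is reported through the return value rather than
   by aborting. status_out receives the last STATUS value, NUL-terminated. */
int handle_notify(const char *msg, size_t len, char *status_out, size_t status_cap) {
    int flags = NOTIFY_EMPTY;
    size_t pos = 0;

    if (status_cap > 0)
        status_out[0] = '\0';
    if (msg == NULL || len == 0)
        return NOTIFY_EMPTY;           /* the case the one-tweet command exercises */

    while (pos < len) {
        /* Locate the end of this line without reading past the datagram. */
        size_t end = pos;
        while (end < len && msg[end] != '\n')
            end++;
        const char *line = msg + pos;
        size_t line_len = end - pos;
        pos = end + 1;

        if (line_len == 0)
            continue;                  /* blank line, harmless */

        const char *eq = memchr(line, '=', line_len);
        if (eq == NULL) {
            flags |= NOTIFY_MALFORMED;
            continue;
        }
        size_t key_len = (size_t)(eq - line);
        const char *val = eq + 1;
        size_t val_len = line_len - key_len - 1;

        if (key_len == 5 && memcmp(line, "READY", 5) == 0) {
            if (val_len == 1 && val[0] == '1')
                flags |= NOTIFY_READY;
            else
                flags |= NOTIFY_UNKNOWN;   /* READY with any other value is not acted on */
        } else if (key_len == 6 && memcmp(line, "STATUS", 6) == 0) {
            if (status_cap > 0) {
                size_t n = val_len < status_cap - 1 ? val_len : status_cap - 1;
                memcpy(status_out, val, n);
                status_out[n] = '\0';
            }
            flags |= NOTIFY_STATUS;
        } else {
            flags |= NOTIFY_UNKNOWN;
        }
    }
    return flags;
}

/* Convenience wrapper: flags only, status text discarded. */
int notify_flags(const char *msg, size_t len) {
    char scratch[256];
    return handle_notify(msg, len, scratch, sizeof scratch);
}

int main(void) {
    char status[64];
    /* Constructed sample datagrams for the demonstration. */
    const char ready[] = "READY=1\nSTATUS=serving requests\n";
    int f = handle_notify(ready, sizeof ready - 1, status, sizeof status);
    printf("normal datagram   -> flags=%d status=\"%s\"\n", f, status);
    f = handle_notify("", 0, status, sizeof status);
    printf("empty datagram    -> flags=%d (ignored, receiver keeps running)\n", f);
    f = notify_flags("no separator here", 17);
    printf("malformed datagram -> flags=%d (reported, not fatal)\n", f);
    return 0;
}
```

The point of the hardened version is that a world-writable socket makes every byte on it attacker-controlled, so the receiver's contract must be "any datagram, including an empty one, is safe to receive"; an assertion is a statement about the program's own invariants, not a substitute for validating input from an untrusted peer.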
He said that systemd's problems run far deeper than this one bug and that the whole of systemd is “defective by design”.
He added that although almost every Linux distribution now uses systemd as its init system, init was a soft target for systemd because the systems it replaced were so bad.
David Timothy Strauss, CTO and co-founder of Pantheon, said the vulnerability is a “minor security issue” in a blog post disparaging Ayer.
“Not only is the current security issue among the lowest risk classes by being local-only and denial-of-service (versus information disclosure or privilege escalation), but most of Ayer's claims are either wrong or misleading,” Strauss said.
In another blog post, Ayer hit back and said that Strauss “vastly overstates the value of these (systemd) features”.
“The best systemd can offer is whole application sandboxing. You can start a daemon as a non-root user, in a restricted filesystem namespace, with mandatory access control,” Ayer said.
Martin Ellis, senior security consultant at SureCloud, told SCMagazineUK.com that the bug could not lead to DDoS-style attacks on a vulnerable system, “as the attack vector needs access to a local Unix socket on the machine. If this was remotely exploitable then a widespread denial of service would likely be performed very quickly after the exploit was made public.”
Stephen Gates, chief research intelligence analyst at NSFOCUS, told SC that although this vulnerability does not appear to be remotely exploitable, it highlights the fact that denial of service vulnerabilities can be found in many products. “Sending the ‘right' commands, packets, or series of packets can cause a system to go into a tailspin, resulting in a crash. Oftentimes these systems need to be physically rebooted in order to recover from the crash,” he said.