When buckets overflow...

A security researcher has discovered a vulnerability in systemd, which is used in many Linux distributions to start and manage processes, that could enable hackers to crash a system or execute code on it via malicious DNS packets.

Chris Coulson, a software engineer at Canonical, found the issue, labelled as CVE-2017-9445, which affects all Linux distros that ship with systemd versions between 223 and 233.

In a security advisory, Coulson said that hackers could use the bug to make systemd-resolved allocate a buffer that is too small for the DNS packet it is processing.

“A malicious DNS server can exploit this by responding with a specially crafted TCP payload to trick systemd-resolved into allocating a buffer that's too small, and subsequently write arbitrary data beyond the end of it,” he said.

He added that certain sizes passed to dns_packet_new can cause it to allocate a buffer that's too small.

“A page-aligned number – sizeof(DnsPacket) + sizeof(iphdr) + sizeof(udphdr) will do this – so, on x86 this will be a page-aligned number – 80. Eg, calling dns_packet_new with a size of 4016 on x86 will result in an allocation of 4096 bytes, but 108 bytes of this are for the DnsPacket struct.”
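The arithmetic in Coulson's example can be worked through in code. The following is an added illustration, a simplified model written for this article and not systemd's code: it takes the 4096-byte page and 108-byte struct from the quote, assumes a 20-byte IPv4 header and an 8-byte UDP header, and generalises from the single size 4016 to every request size, alongside a corrected sizing function.

```c
#include <stddef.h>
#include <stdio.h>

/* Figures from the quote (x86): 4096-byte pages, 108-byte DnsPacket struct.
 * Assumed: 20-byte IPv4 header (no options) + 8-byte UDP header. */
#define PAGE_SZ   4096u
#define STRUCT_SZ 108u
#define HDR_SZ    (20u + 8u)

static size_t page_align(size_t n) {
    return (n + PAGE_SZ - 1) & ~((size_t)PAGE_SZ - 1);
}

/* Flawed sizing (simplified model, not systemd's code): the request is
 * treated as a link MTU, so IP/UDP header space is subtracted even
 * though a TCP payload of the full requested size will be stored. */
static size_t flawed_capacity(size_t request) {
    size_t payload = request > HDR_SZ ? request - HDR_SZ : 0;
    return page_align(STRUCT_SZ + payload) - STRUCT_SZ;
}

/* Corrected sizing: room for the whole request after the struct. */
static size_t safe_capacity(size_t request) {
    return page_align(STRUCT_SZ + request) - STRUCT_SZ;
}

/* Bytes that would land past the end of the allocation. */
static size_t shortfall(size_t request, size_t capacity) {
    return request > capacity ? request - capacity : 0;
}

/* Invariant a unit test or fuzzer should enforce: capacity >= request.
 * Returns how many request sizes in [1, max] violate it. */
static unsigned violations(size_t (*capacity)(size_t), size_t max) {
    unsigned bad = 0;
    for (size_t r = 1; r <= max; r++)
        if (shortfall(r, capacity(r)) > 0)
            bad++;
    return bad;
}

int main(void) {
    size_t cap = flawed_capacity(4016);
    printf("request 4016: alloc %zu, usable %zu, short by %zu\n",
           cap + STRUCT_SZ, cap, shortfall(4016, cap));
    printf("violations up to 65535: flawed %u, corrected %u\n",
           violations(flawed_capacity, 65535), violations(safe_capacity, 65535));
    return 0;
}
```

Checking the invariant over the whole range of sizes, rather than a handful of typical ones, is what exposes the narrow band just below each page boundary where the flawed sizing comes up short.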

The problem was introduced into the systemd code in June 2015 and no fix currently exists. However, a patch has been submitted for consideration, and Ubuntu has released updates for Ubuntu 16.10 (Yakkety Yak) and 17.04 (Zesty Zapus) to protect users.

Adam Brown, manager of security solutions at Synopsys, told SC Media UK that a huge number of CVEs relate to out-of-bounds memory bugs, which are far too common.

“Bugs like this can be picked up with static analysis, which really should be an integral part of any software development today. For users this defect could be used to overwrite memory on a server, potentially causing undefined behaviour such as a crash and therefore denial of service. A patch has been made available and should be applied,” he said.

Tim Helming, director of product management at DomainTools, told SC that while any buffer overflow that allows remote code execution is serious, there are a couple of mitigating factors which should keep the damage level relatively low for this vulnerability/exploit.

“Besides the obvious (a patch is available for anyone running the affected versions of systemd), the exploit depends on a malicious (or compromised) DNS server,” he said.

“So the attacker would have to go to some trouble to exploit this vulnerability, by pointing potential victims to a malicious server. The easiest way to do this would be to set up the server as the authoritative name server for domain(s) controlled by the attacker. Otherwise, the attacker has to find another way to insert their server into the data flow, or to compromise other people's DNS servers to enable the malicious response payloads. So, patching is important, but it would take some doing to make this exploit a widespread phenomenon,” he added.