Don’t Ever Run This Line Of Code If You Don’t Want To Crash Your Linux System
Last week, a developer named Andrew Ayer pointed out a bug in Systemd that could be used to cause a denial of service. In a post titled “How to crash Systemd in one tweet”, he wrote about a single-line command that even a novice Linux user could use to crash Systemd on his Linux distro.
“You can no longer start and stop daemons. inetd-style services no longer accept connections. You cannot cleanly reboot the system. The system feels generally unstable (e.g. ssh and su hang for 30 seconds since Systemd is now integrated with the login system). All of this can be caused by a command that’s short enough to fit in a Tweet.”
Ubuntu quickly released a fix on the 29th of September, the same day the vulnerability was reported. Pantheon co-founder David Timothy Strauss wrote in a Medium post that the “Systemd team has recently patched a local denial of service vulnerability affecting the notification socket”, calling Ayer’s blog post an “opportunity to throw a fresh tantrum about Systemd”.
Strauss considers Ayer’s claims either wrong or misleading, writing that “it’s a tantrum when you use a minor security issue as justification to rant about everything remotely related to Systemd and insist on radical changes (throwing out systemd) to address what are mostly fixable quibbles — at least the quibbles that were based on facts or good judgment in the first place”.
The author of the musl library, Rich Felker, told Threatpost that Ayer’s findings throw light on a much bigger picture, but that the finding itself is not a particularly serious vulnerability, saying, “Systemd is not designed to be broken down into small parts that can safely fail and recover from both a security point of view and a robustness standpoint”.
He added that “you’ve got one big monolithic process where if one thing breaks the whole thing goes down. That’s the big design problem Ayer is shedding light on. It’s not a big security flaw, it’s a system development design flaw”.