CVE-2017-9445 - Out-of-bounds Write vulnerability in Systemd Project Systemd

CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
HIGH
network
low complexity
systemd-project
CWE-787
nessus

Summary

In systemd through 233, certain sizes passed to dns_packet_new in systemd-resolved can cause it to allocate a buffer that's too small. A malicious DNS server can exploit this via a response with a specially crafted TCP payload to trick systemd-resolved into allocating a buffer that's too small, and subsequently write arbitrary data beyond the end of it.

Common Weakness Enumeration (CWE)

CWE-787: Out-of-bounds Write

Nessus

  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2017-72F0C1EA9C.NASL
    description: A fix for an out-of-bounds write in systemd-resolved after a crafted DNS packet (CVE-2017-9445). No need to reboot or log out. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-05
    modified: 2017-07-03
    plugin id: 101182
    published: 2017-07-03
    reporter: This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/101182
    title: Fedora 24 : systemd (2017-72f0c1ea9c)
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2017-956E27BDD6.NASL
    description: A fix for an out-of-bounds write in systemd-resolved after a crafted DNS packet (CVE-2017-9445). No need to reboot or log out. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-05
    modified: 2017-07-17
    plugin id: 101684
    published: 2017-07-17
    reporter: This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/101684
    title: Fedora 26 : systemd (2017-956e27bdd6)
  • NASL family: Ubuntu Local Security Checks
    NASL id: UBUNTU_USN-3341-1.NASL
    description: An out-of-bounds write was discovered in systemd-resolved when handling specially crafted DNS responses. A remote attacker could potentially exploit this to cause a denial of service (daemon crash) or execute arbitrary code. (CVE-2017-9445). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 101083
    published: 2017-06-28
    reporter: Ubuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/101083
    title: Ubuntu 16.10 / 17.04 : systemd vulnerability (USN-3341-1)
  • NASL family: Huawei Local Security Checks
    NASL id: EULEROS_SA-2019-1216.NASL
    description: According to the version of the systemd packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerability : - An out-of-bounds write flaw was found in the way systemd-resolved daemon handled processing of DNS responses. A remote attacker could potentially use this flaw to crash the daemon or execute arbitrary code in the context of the daemon process. (CVE-2017-9445) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-03-19
    modified: 2019-04-09
    plugin id: 123902
    published: 2019-04-09
    reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/123902
    title: EulerOS Virtualization 2.5.4 : systemd (EulerOS-SA-2019-1216)
  • NASL family: Huawei Local Security Checks
    NASL id: EULEROS_SA-2019-1045.NASL
    description: According to the versions of the systemd packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - systemd: Out-of-bounds heap write in systemd-networkd dhcpv6 option handling (CVE-2018-15688) - systemd: stack overflow when calling syslog from a command with long cmdline (CVE-2018-16864) - systemd: stack overflow when receiving many journald entries (CVE-2018-16865) - systemd: Assertion failure when PID 1 receives a zero-length message over notify socket (CVE-2016-7795) - systemd: Unsafe handling of hard links allowing privilege escalation (CVE-2017-18078) - systemd: Out-of-bounds write in systemd-resolved due to allocating too small buffer in dns_packet_new (CVE-2017-9445) - systemd: memory leak in journald-server.c introduced by fix for CVE-2018-16864 (CVE-2019-3815) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-05-06
    modified: 2019-02-15
    plugin id: 122218
    published: 2019-02-15
    reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/122218
    title: EulerOS 2.0 SP5 : systemd (EulerOS-SA-2019-1045)
  • NASL family: PhotonOS Local Security Checks
    NASL id: PHOTONOS_PHSA-2017-0023.NASL
    description: An update of [systemd,wget,shadow,glibc] packages for PhotonOS has been released.
    last seen: 2019-02-21
    modified: 2019-02-07
    plugin id: 111872
    published: 2018-08-17
    reporter: Tenable
    source: https://www.tenable.com/plugins/index.php?view=single&id=111872
    title: Photon OS 1.0: Glibc / Shadow / Systemd / Wget PHSA-2017-0023 (deprecated)
  • NASL family: Huawei Local Security Checks
    NASL id: EULEROS_SA-2019-1063.NASL
    description: According to the version of the systemd packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerability : - In systemd through 233, certain sizes passed to dns_packet_new in systemd-resolved can cause it to allocate a buffer that
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 122459
    published: 2019-02-27
    reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/122459
    title: EulerOS Virtualization 2.5.2 : systemd (EulerOS-SA-2019-1063)
  • NASL family: Huawei Local Security Checks
    NASL id: EULEROS_SA-2019-1195.NASL
    description: According to the version of the systemd packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerability : - An out-of-bounds write flaw was found in the way systemd-resolved daemon handled processing of DNS responses. A remote attacker could potentially use this flaw to crash the daemon or execute arbitrary code in the context of the daemon process. (CVE-2017-9445) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-03-19
    modified: 2019-04-09
    plugin id: 123881
    published: 2019-04-09
    reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/123881
    title: EulerOS Virtualization 2.5.3 : systemd (EulerOS-SA-2019-1195)
  • NASL family: PhotonOS Local Security Checks
    NASL id: PHOTONOS_PHSA-2017-0023_SYSTEMD.NASL
    description: An update of the systemd package has been released.
    last seen: 2020-03-17
    modified: 2019-02-07
    plugin id: 121709
    published: 2019-02-07
    reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/121709
    title: Photon OS 1.0: Systemd PHSA-2017-0023
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_SU-2017-1898-1.NASL
    description: This update for systemd and dracut fixes the following issues: Security issues fixed : - CVE-2017-9445: Possible out-of-bounds write triggered by a specially crafted TCP payload from a DNS server. (bsc#1045290) Non-security issues fixed in systemd : - Automounter issue in combination with NFS volumes (bsc#1040968) - Missing symbolic link for SAS device in /dev/disk/by-path (bsc#1040153) - Add minimal support for boot.d/* scripts in systemd-sysv-convert (bsc#1046750) Non-security issues fixed in dracut : - Bail out if module directory does not exist. (bsc#1043900) - Suppress bogus error message. (bsc#1032029) - Fix module force loading with systemd. (bsc#986216) - Ship udev files required by systemd. (bsc#1040153) - Ignore module resolution errors (e.g. with kgraft). (bsc#1037120) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 101831
    published: 2017-07-20
    reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/101831
    title: SUSE SLED12 / SLES12 Security Update : systemd, dracut (SUSE-SU-2017:1898-1)
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2017-29D909F5EC.NASL
    description: A fix for an out-of-bounds write in systemd-resolved after a crafted DNS packet (CVE-2017-9445). No need to reboot or log out. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-05
    modified: 2017-06-30
    plugin id: 101122
    published: 2017-06-30
    reporter: This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/101122
    title: Fedora 25 : systemd (2017-29d909f5ec)
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_SU-2017-2031-1.NASL
    description: This update for systemd provides several fixes and enhancements. Security issues fixed : - CVE-2017-9217: NULL pointer dereferencing that could lead to resolved aborting. (bsc#1040614) - CVE-2017-9445: Possible out-of-bounds write triggered by a specially crafted TCP payload from a DNS server. (bsc#1045290) The update also fixed several non-security bugs : - core/mount: Use the
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 102188
    published: 2017-08-04
    reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/102188
    title: SUSE SLED12 / SLES12 Security Update : systemd (SUSE-SU-2017:2031-1)

Seebug

bulletinFamily: exploit
description: ## Vulnerability description

Chris Coulson, an Ubuntu developer at Canonical, found a critical vulnerability that can be used to remotely attack machines running popular Linux distributions. The flaw, tracked as CVE-2017-9445, lies in the systemd init system and service manager, specifically in `systemd-resolved`, the component that processes DNS responses and provides network name resolution to local applications. A remote attacker can trigger a buffer overflow with a malicious DNS response and use it to execute malicious code.

The bug is in the `dns_packet_new` function of `systemd-resolved`. Whenever the system looks up a host name through a DNS server the attacker controls, a specially crafted DNS response can crash `systemd-resolved` remotely, and a sufficiently large response can turn the overflow into remote code execution.

"Certain sizes passed to dns_packet_new can cause it to allocate a buffer that's too small. A page-aligned number - sizeof(DnsPacket) + sizeof(iphdr) + sizeof(udphdr) will do this - so on x86 this will be a page-aligned number - 80. For example, calling dns_packet_new with a size of 4016 on x86 will result in an allocation of 4096 bytes, but 108 bytes of this are for the DnsPacket struct," Coulson explained. A malicious DNS server can exploit this with a specially crafted TCP payload that tricks systemd-resolved into allocating a buffer that is too small and then writes arbitrary data beyond the end of it.

## Affected versions

The defect was introduced in systemd version 223, released in June 2015, and is present in every release up to and including systemd 233, released in March 2017. It affects Ubuntu 17.04 and 16.10; Debian Stretch (Debian 9), Buster (Debian 10) and Sid (unstable); and the various other Linux distributions that use systemd.

Linux users and system administrators should update their operating systems as soon as possible.
id: SSV:96260
last seen: 2017-11-19
modified: 2017-07-01
published: 2017-07-01
reporter: Root
title: systemd CVE-2017-9445 Out-Of-Bounds Write Remote Code Execution Vulnerability
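The size arithmetic described in the Summary and in the Coulson quote in the Seebug entry above, re-created as an added example. This is not systemd's code and not part of the original page: it models the pre-fix sizing of dns_packet_new (treat the argument as a wire MTU, subtract the IP+UDP header, round the struct plus payload up to a page, subtract the struct) beside the post-fix sizing (treat the argument as the minimum payload size and subtract nothing), using the x86 numbers quoted in the bug report: 4096-byte pages, 108 bytes for the DnsPacket struct, 28 bytes for IPv4+UDP headers. The other constants (DNS_PACKET_HEADER_SIZE 12, DNS_PACKET_SIZE_START 512, DNS_PACKET_SIZE_MAX 0xFFFF) and the assumption that the TCP read path passes the 16-bit length prefix of the incoming message as the size argument and then copies that many bytes are taken from my reading of systemd 233 and should be treated as assumptions; on x86_64 the struct size, and so the exact trigger lengths, differ.

```c
/* Added model of the dns_packet_new sizing behind CVE-2017-9445.
 * NOT systemd's code: it re-creates the arithmetic so the undersized
 * allocation can be reproduced offline with the bug report's x86 numbers. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define PAGE_SIZE 4096u
#define PAGE_ALIGN(x) (((x) + PAGE_SIZE - 1u) & ~(PAGE_SIZE - 1u))

/* Per the bug report, on x86 the (already aligned) DnsPacket struct takes
 * 108 bytes and sizeof(iphdr) + sizeof(udphdr) is 20 + 8 = 28. */
#define DNSPACKET_STRUCT_SIZE  108u
#define UDP_PACKET_HEADER_SIZE 28u
/* Assumed to match systemd 233's dns-packet.h. */
#define DNS_PACKET_HEADER_SIZE 12u
#define DNS_PACKET_SIZE_START  512u
#define DNS_PACKET_SIZE_MAX    0xFFFFu

/* Pre-fix sizing: 'mtu' is treated as a wire MTU, so the IP+UDP header is
 * subtracted before rounding up to a page. Returns the payload bytes the
 * packet can actually hold (what systemd stores in p->allocated). */
static size_t buggy_payload_alloc(size_t mtu) {
    size_t a;
    if (mtu <= UDP_PACKET_HEADER_SIZE)
        a = DNS_PACKET_SIZE_START;
    else
        a = mtu - UDP_PACKET_HEADER_SIZE;
    if (a < DNS_PACKET_HEADER_SIZE)
        a = DNS_PACKET_HEADER_SIZE;
    /* Round struct + payload up to a page, then hand back only the payload part.
     * When mtu + 80 is already page aligned this rounds up by nothing and the
     * 28 header bytes that were subtracted are never given back. */
    a = PAGE_ALIGN(DNSPACKET_STRUCT_SIZE + a) - DNSPACKET_STRUCT_SIZE;
    if (a > DNS_PACKET_SIZE_MAX)
        a = DNS_PACKET_SIZE_MAX;
    return a;
}

/* Post-fix sizing: the argument is the minimum payload the caller needs and
 * no header is subtracted, so the result is never smaller than the request
 * (the cap at DNS_PACKET_SIZE_MAX still covers any 16-bit length). */
static size_t fixed_payload_alloc(size_t min_alloc_dsize) {
    size_t a = min_alloc_dsize > DNS_PACKET_HEADER_SIZE ? min_alloc_dsize
                                                       : DNS_PACKET_HEADER_SIZE;
    a = PAGE_ALIGN(DNSPACKET_STRUCT_SIZE + a) - DNSPACKET_STRUCT_SIZE;
    if (a > DNS_PACKET_SIZE_MAX)
        a = DNS_PACKET_SIZE_MAX;
    return a;
}

/* The TCP path reads a 16-bit length prefix and copies that many bytes into
 * the packet payload (assumption, see lead-in). Returns how far that copy
 * would run past the old buffer; 0 means the length is safe. */
static size_t buggy_overflow_bytes(size_t tcp_len) {
    size_t have = buggy_payload_alloc(tcp_len);
    return tcp_len > have ? tcp_len - have : 0;
}

/* Count every length a malicious server could advertise that lands in the
 * undersized window of the old sizing. */
static unsigned count_vulnerable_lengths(void) {
    unsigned n = 0;
    for (size_t len = 1; len <= DNS_PACKET_SIZE_MAX; len++)
        if (buggy_overflow_bytes(len) > 0)
            n++;
    return n;
}

/* Check that the reframed sizing never hands back less than requested. */
static bool fixed_covers_all_lengths(void) {
    for (size_t len = 1; len <= DNS_PACKET_SIZE_MAX; len++)
        if (fixed_payload_alloc(len) < len)
            return false;
    return true;
}

int main(void) {
    size_t len = 4016; /* the length from the bug report: page size minus 80 */
    printf("tcp length %zu: old sizing gives %zu payload bytes (short by %zu), new sizing gives %zu\n",
           len, buggy_payload_alloc(len), buggy_overflow_bytes(len), fixed_payload_alloc(len));
    printf("undersized lengths in 1..65535 with old sizing: %u\n", count_vulnerable_lengths());
    printf("new sizing covers every length: %s\n", fixed_covers_all_lengths() ? "yes" : "no");
    return 0;
}
```

Build with `cc -std=c99 -Wall` and run. For 4016 the old arithmetic yields a 3988-byte payload buffer, 28 bytes short of the advertised message, and every length whose value modulo 4096 falls in 3989..4016 is undersized by 1 to 28 bytes, so 448 of the 65535 values a TCP length prefix can carry trigger the write; the reframed sizing is never smaller than the request. The overflow is bounded by the 28 header bytes, which is why the server must choose the length precisely rather than simply send a huge response.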

The Hacker News

id: THN:A27780A2D308A6AEF4DF80F175BAF3DE
last seen: 2018-01-27
modified: 2017-06-29
published: 2017-06-28
reporter: Swati Khandelwal
source: https://thehackernews.com/2017/06/linux-buffer-overflow-code.html
title: Your Linux Machine Can Be Hacked Remotely With Just A Malicious DNS Response