CVE-2017-9445 - Out-of-bounds Write vulnerability in Systemd Project Systemd
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: NONE
Integrity impact: NONE
Availability impact: HIGH
Summary
In systemd through 233, certain sizes passed to dns_packet_new in systemd-resolved can cause it to allocate a buffer that's too small. A malicious DNS server can exploit this via a response with a specially crafted TCP payload to trick systemd-resolved into allocating a buffer that's too small, and subsequently write arbitrary data beyond the end of it.
Nessus
- NASL family: Fedora Local Security Checks; NASL id: FEDORA_2017-72F0C1EA9C.NASL; title: Fedora 24 : systemd (2017-72f0c1ea9c); plugin id 101182; published 2017-07-03; modified 2017-07-03; last seen 2020-06-05. Description: A fix for an out-of-bounds write in systemd-resolved after a crafted DNS packet (CVE-2017-9445). No need to reboot or log out. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. Reporter: This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. Source: https://www.tenable.com/plugins/nessus/101182
- NASL family: Fedora Local Security Checks; NASL id: FEDORA_2017-956E27BDD6.NASL; title: Fedora 26 : systemd (2017-956e27bdd6); plugin id 101684; published 2017-07-17; modified 2017-07-17; last seen 2020-06-05. Description: A fix for an out-of-bounds write in systemd-resolved after a crafted DNS packet (CVE-2017-9445). No need to reboot or log out. (Description extracted by Tenable from the Fedora update system website.) Reporter: This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. Source: https://www.tenable.com/plugins/nessus/101684
- NASL family: Ubuntu Local Security Checks; NASL id: UBUNTU_USN-3341-1.NASL; title: Ubuntu 16.10 / 17.04 : systemd vulnerability (USN-3341-1); plugin id 101083; published 2017-06-28; modified 2020-06-02; last seen 2020-06-01. Description: An out-of-bounds write was discovered in systemd-resolved when handling specially crafted DNS responses. A remote attacker could potentially exploit this to cause a denial of service (daemon crash) or execute arbitrary code. (CVE-2017-9445) (Description extracted by Tenable from the Ubuntu security advisory.) Reporter: Ubuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. Source: https://www.tenable.com/plugins/nessus/101083
- NASL family: Huawei Local Security Checks; NASL id: EULEROS_SA-2019-1216.NASL; title: EulerOS Virtualization 2.5.4 : systemd (EulerOS-SA-2019-1216); plugin id 123902; published 2019-04-09; modified 2019-04-09; last seen 2020-03-19. Description: According to the version of the systemd packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerability: an out-of-bounds write flaw was found in the way the systemd-resolved daemon handled processing of DNS responses. A remote attacker could potentially use this flaw to crash the daemon or execute arbitrary code in the context of the daemon process. (CVE-2017-9445) (Description extracted by Tenable from the EulerOS security advisory.) Reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. Source: https://www.tenable.com/plugins/nessus/123902
- NASL family: Huawei Local Security Checks; NASL id: EULEROS_SA-2019-1045.NASL; title: EulerOS 2.0 SP5 : systemd (EulerOS-SA-2019-1045); plugin id 122218; published 2019-02-15; modified 2019-02-15; last seen 2020-05-06. Description: According to the versions of the systemd packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities:
  - systemd: Out-of-bounds heap write in systemd-networkd dhcpv6 option handling (CVE-2018-15688)
  - systemd: stack overflow when calling syslog from a command with long cmdline (CVE-2018-16864)
  - systemd: stack overflow when receiving many journald entries (CVE-2018-16865)
  - systemd: Assertion failure when PID 1 receives a zero-length message over notify socket (CVE-2016-7795)
  - systemd: Unsafe handling of hard links allowing privilege escalation (CVE-2017-18078)
  - systemd: Out-of-bounds write in systemd-resolved due to allocating too small buffer in dns_packet_new (CVE-2017-9445)
  - systemd: memory leak in journald-server.c introduced by fix for CVE-2018-16864 (CVE-2019-3815)
  (Description extracted by Tenable from the EulerOS security advisory.) Reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. Source: https://www.tenable.com/plugins/nessus/122218
- NASL family: PhotonOS Local Security Checks; NASL id: PHOTONOS_PHSA-2017-0023.NASL; title: Photon OS 1.0: Glibc / Shadow / Systemd / Wget PHSA-2017-0023 (deprecated); plugin id 111872; published 2018-08-17; modified 2019-02-07; last seen 2019-02-21. Description: An update of [systemd,wget,shadow,glibc] packages for PhotonOS has been released. Reporter: Tenable. Source: https://www.tenable.com/plugins/index.php?view=single&id=111872
- NASL family: Huawei Local Security Checks; NASL id: EULEROS_SA-2019-1063.NASL; title: EulerOS Virtualization 2.5.2 : systemd (EulerOS-SA-2019-1063); plugin id 122459; published 2019-02-27; modified 2020-06-02; last seen 2020-06-01. Description: According to the version of the systemd packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerability: in systemd through 233, certain sizes passed to dns_packet_new in systemd-resolved can cause it to allocate a buffer that (description truncated in the source). Reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. Source: https://www.tenable.com/plugins/nessus/122459
- NASL family: Huawei Local Security Checks; NASL id: EULEROS_SA-2019-1195.NASL; title: EulerOS Virtualization 2.5.3 : systemd (EulerOS-SA-2019-1195); plugin id 123881; published 2019-04-09; modified 2019-04-09; last seen 2020-03-19. Description: According to the version of the systemd packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerability: an out-of-bounds write flaw was found in the way the systemd-resolved daemon handled processing of DNS responses. A remote attacker could potentially use this flaw to crash the daemon or execute arbitrary code in the context of the daemon process. (CVE-2017-9445) (Description extracted by Tenable from the EulerOS security advisory.) Reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. Source: https://www.tenable.com/plugins/nessus/123881
- NASL family: PhotonOS Local Security Checks; NASL id: PHOTONOS_PHSA-2017-0023_SYSTEMD.NASL; title: Photon OS 1.0: Systemd PHSA-2017-0023; plugin id 121709; published 2019-02-07; modified 2019-02-07; last seen 2020-03-17. Description: An update of the systemd package has been released. Reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. Source: https://www.tenable.com/plugins/nessus/121709
- NASL family: SuSE Local Security Checks; NASL id: SUSE_SU-2017-1898-1.NASL; title: SUSE SLED12 / SLES12 Security Update : systemd, dracut (SUSE-SU-2017:1898-1); plugin id 101831; published 2017-07-20; modified 2020-06-02; last seen 2020-06-01. Description: This update for systemd and dracut fixes the following issues.
  - Security issues fixed: CVE-2017-9445: Possible out-of-bounds write triggered by a specially crafted TCP payload from a DNS server. (bsc#1045290)
  - Non-security issues fixed in systemd: Automounter issue in combination with NFS volumes (bsc#1040968); Missing symbolic link for SAS device in /dev/disk/by-path (bsc#1040153); Add minimal support for boot.d/* scripts in systemd-sysv-convert (bsc#1046750)
  - Non-security issues fixed in dracut: Bail out if module directory does not exist (bsc#1043900); Suppress bogus error message (bsc#1032029); Fix module force loading with systemd (bsc#986216); Ship udev files required by systemd (bsc#1040153); Ignore module resolution errors, e.g. with kgraft (bsc#1037120)
  (Description extracted by Tenable from the SUSE security advisory.) Reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. Source: https://www.tenable.com/plugins/nessus/101831
- NASL family: Fedora Local Security Checks; NASL id: FEDORA_2017-29D909F5EC.NASL; title: Fedora 25 : systemd (2017-29d909f5ec); plugin id 101122; published 2017-06-30; modified 2017-06-30; last seen 2020-06-05. Description: A fix for an out-of-bounds write in systemd-resolved after a crafted DNS packet (CVE-2017-9445). No need to reboot or log out. (Description extracted by Tenable from the Fedora update system website.) Reporter: This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. Source: https://www.tenable.com/plugins/nessus/101122
- NASL family: SuSE Local Security Checks; NASL id: SUSE_SU-2017-2031-1.NASL; title: SUSE SLED12 / SLES12 Security Update : systemd (SUSE-SU-2017:2031-1); plugin id 102188; published 2017-08-04; modified 2020-06-02; last seen 2020-06-01. Description: This update for systemd provides several fixes and enhancements. Security issues fixed: CVE-2017-9217: NULL pointer dereferencing that could lead to resolved aborting (bsc#1040614); CVE-2017-9445: Possible out-of-bounds write triggered by a specially crafted TCP payload from a DNS server (bsc#1045290). The update also fixed several non-security bugs: core/mount: Use the (description truncated in the source). Reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. Source: https://www.tenable.com/plugins/nessus/102188
Seebug
bulletinFamily | exploit |
description | ## Vulnerability description Chris Coulson, an Ubuntu developer at Canonical, found a critical vulnerability that can be used to remotely attack machines running popular Linux operating systems. The vulnerability, CVE-2017-9445, lies in systemd, the init system and service manager. A remote attacker can trigger a buffer overflow via a malicious DNS response and execute malicious code. The flaw is in the `dns_packet_new` function of `systemd-resolved`, the component that processes DNS responses and provides network name resolution to local applications. Whenever the system looks up a host name through a DNS service the attacker controls, a specially crafted malicious DNS response can crash `systemd-resolved` remotely. An attacker can send a large DNS response to trigger the vulnerability, causing a buffer overflow and remote code execution. "Certain sizes passed to dns_packet_new can cause it to allocate a buffer that's too small. A page-aligned number - sizeof(DnsPacket) + sizeof(iphdr) + sizeof(udphdr) will do this - so on x86 this will be a page-aligned number - 80. For example, calling dns_packet_new with a size of 4016 on x86 will result in an allocation of 4096 bytes, but 108 bytes of this are for the DnsPacket struct," Coulson explained. A malicious DNS server can exploit this via a specially crafted TCP payload to trick systemd-resolved into allocating a buffer that is too small and then write arbitrary data beyond the end of it. ## Affected versions This flaw affects systemd from version 223, released in June 2015, up to and including version 233, released in March 2017. The vulnerability affects Ubuntu 17.04 and 16.10; Debian Stretch (Debian 9), Buster (Debian 10) and Sid (unstable); and the various other Linux distributions that use systemd.
Linux users and system administrators should update their operating systems as soon as possible. |
id | SSV:96260 |
last seen | 2017-11-19 |
modified | 2017-07-01 |
published | 2017-07-01 |
reporter | Root |
title | systemd CVE-2017-9445 Out-Of-Bounds Write Remote Code Execution Vulnerability |
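The allocation arithmetic Coulson describes above, modelled as an added C example (this is not systemd's own code): it reproduces the pre-fix size computation with the x86 constants given on the page (sizeof(DnsPacket) = 108 and 28 bytes of IP/UDP header, so the dangerous request sizes are a page multiple minus 80) beside a hardened version that never returns less capacity than was requested. A 4096-byte page size is assumed.

```c
/* Simplified model of the dns_packet_new() size arithmetic, not systemd's
 * code. Constants from the page (x86): sizeof(DnsPacket) == 108 and
 * sizeof(iphdr) + sizeof(udphdr) == 28. The page size is assumed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define DNS_PAGE_SIZE      4096u  /* assumed page size */
#define DNS_PACKET_STRUCT  108u   /* sizeof(DnsPacket) on x86, per the page */
#define UDP_PACKET_HEADER  28u    /* sizeof(iphdr) + sizeof(udphdr) */

static size_t page_align(size_t n) {
    return (n + DNS_PAGE_SIZE - 1) / DNS_PAGE_SIZE * DNS_PAGE_SIZE;
}

/* Data capacity the vulnerable computation yields for a request of
 * `requested` bytes: it subtracts the IP/UDP header size (sensible for a
 * UDP MTU, not for a TCP length prefix), rounds struct + data up to a page,
 * then takes the struct's share back out. For requested == page - 80 the
 * total lands exactly on a page and the data area ends up 28 bytes short. */
size_t vulnerable_capacity(size_t requested) {
    size_t a = requested > UDP_PACKET_HEADER ? requested - UDP_PACKET_HEADER : 0;
    return page_align(DNS_PACKET_STRUCT + a) - DNS_PACKET_STRUCT;
}

/* Hardened computation: round up from the full requested size and, as a
 * belt-and-braces invariant, never hand back less than was asked for. */
size_t fixed_capacity(size_t requested) {
    size_t a = page_align(DNS_PACKET_STRUCT + requested) - DNS_PACKET_STRUCT;
    return a < requested ? requested : a;
}

/* The check a caller needs before copying `requested` bytes of a TCP
 * response into the packet's data area. */
bool capacity_is_safe(size_t capacity, size_t requested) {
    return capacity >= requested;
}

int main(void) {
    size_t req = DNS_PAGE_SIZE - 80; /* 4016, the example size from the page */
    size_t v = vulnerable_capacity(req), f = fixed_capacity(req);
    printf("request %zu: vulnerable=%zu (%s), fixed=%zu (%s)\n", req,
           v, capacity_is_safe(v, req) ? "ok" : "TOO SMALL",
           f, capacity_is_safe(f, req) ? "ok" : "TOO SMALL");
    return 0;
}
```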
The Hacker News
id | THN:A27780A2D308A6AEF4DF80F175BAF3DE |
last seen | 2018-01-27 |
modified | 2017-06-29 |
published | 2017-06-28 |
reporter | Swati Khandelwal |
source | https://thehackernews.com/2017/06/linux-buffer-overflow-code.html |
title | Your Linux Machine Can Be Hacked Remotely With Just A Malicious DNS Response |
References
- http://openwall.com/lists/oss-security/2017/06/27/8
- http://www.securityfocus.com/bid/99302
- http://www.securitytracker.com/id/1038806
- https://launchpad.net/bugs/1695546