systemd - Denial of Service Vulnerability

Public Date:
Updated -
Status: Resolved
Impact: Moderate

Red Hat Product Security has been made aware of a denial of service vulnerability affecting systemd, which has been assigned CVE-2016-7795. During analysis a similar issue was found affecting earlier systemd versions, which was assigned CVE-2016-7796. Both vulnerabilities have been rated as having Moderate security impact.

Background Information

On Red Hat Enterprise Linux 7, systemd fails to correctly process zero-length messages received over its notification socket. After receiving such a message, systemd hangs in the pause system call, making it no longer possible to start and stop system services, or to cleanly shut down or reboot the system. Additionally, login commands (like ssh or su) hang for 30 or more seconds, inetd-style services managed by systemd no longer accept connections, and zombie processes that have systemd as their parent process are not cleaned up.

This problem can be triggered by a local user without root privileges.

These issues have been rated as having Moderate security impact by Red Hat Product Security.

Impacted Products

The following Red Hat Product versions are impacted:

  • Red Hat Enterprise Linux 7.2 and 7.3 for CVE-2016-7795
  • Red Hat Enterprise Linux 7.0 and 7.1 for CVE-2016-7796

Root Cause

systemd accepts notification messages from all local users. A zero-length notification message causes systemd to hang. On Red Hat Enterprise Linux 7.2, a failed assertion in the manager_invoke_notify_message() function aborts its execution. On Red Hat Enterprise Linux 7.1 and earlier, an error returned by the manager_dispatch_notify_fd() function causes systemd to exit its main loop. In both cases, systemd freezes its execution in the pause() system call.

Diagnostic Steps

On Red Hat Enterprise Linux 7.2, running the following command makes systemd cease to respond to systemctl commands:

NOTIFY_SOCKET=/run/systemd/notify systemd-notify ""

Messages similar to these can be found in logs:

Sep 28 16:34:29 rhel7 systemd: Cannot find unit for notify message of PID 12345.
Sep 28 16:34:29 rhel7 systemd: Assertion 'n > 0' failed at src/core/manager.c:1619, function manager_invoke_notify_message(). Aborting.
Sep 28 16:34:29 rhel7 systemd: Caught <ABRT>, dumped core as pid 3988.
Sep 28 16:34:29 rhel7 systemd: Freezing execution.

On Red Hat Enterprise Linux 7.0 and 7.1, only the following message is logged:

Sep 30 11:48:56 rhel7 systemd: Failed to run mainloop: Input/output error
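
The log signatures above can be checked for mechanically. The following triage script is an added example, not part of the original advisory or of any Red Hat tooling; the function name find_notify_dos, the result field names and the sshd sample line are assumptions made for illustration. It classifies syslog text into the two variants described above.

```python
import re

# Constructed sample: the log lines quoted in this advisory plus one unrelated sshd line.
SAMPLE_LOG = """\
Sep 28 16:34:28 rhel7 sshd[2211]: Accepted publickey for admin from 192.0.2.10 port 50022 ssh2
Sep 28 16:34:29 rhel7 systemd: Cannot find unit for notify message of PID 12345.
Sep 28 16:34:29 rhel7 systemd: Assertion 'n > 0' failed at src/core/manager.c:1619, function manager_invoke_notify_message(). Aborting.
Sep 28 16:34:29 rhel7 systemd: Caught <ABRT>, dumped core as pid 3988.
Sep 28 16:34:29 rhel7 systemd: Freezing execution.
Sep 30 11:48:56 rhel7 systemd: Failed to run mainloop: Input/output error
"""

# Syslog prefix for messages from systemd; a "[1]" PID suffix on the tag is optional.
LINE = re.compile(r"^(\w{3}\s+\d+\s[\d:]{8})\s(\S+)\ssystemd(?:\[1\])?:\s(.*)$")
NOTIFY_PID = re.compile(r"Cannot find unit for notify message of PID (\d+)\.")
ASSERT_7795 = re.compile(r"Assertion 'n > 0' failed at .*manager_invoke_notify_message\(\)")
MAINLOOP_7796 = "Failed to run mainloop: Input/output error"


def find_notify_dos(log_text):
    """Return one finding (hypothetical dict layout) per logged occurrence."""
    findings, last_pid, open_7795 = [], {}, {}
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not a systemd message
        ts, host, msg = m.groups()
        pid = NOTIFY_PID.search(msg)
        if pid:
            # Remember the PID named in the line that precedes the assertion.
            last_pid[host] = int(pid.group(1))
        elif ASSERT_7795.search(msg):
            f = {"cve": "CVE-2016-7795", "host": host, "time": ts,
                 "notify_pid": last_pid.pop(host, None), "freeze_logged": False}
            findings.append(f)
            open_7795[host] = f
        elif msg == "Freezing execution." and host in open_7795:
            # Count a freeze only when it follows the notify assertion.
            open_7795.pop(host)["freeze_logged"] = True
        elif MAINLOOP_7796 in msg:
            # RHEL 7.0/7.1 variant: this is the only line logged.
            findings.append({"cve": "CVE-2016-7796", "host": host, "time": ts,
                             "notify_pid": None, "freeze_logged": False})
    return findings


if __name__ == "__main__":
    for finding in find_notify_dos(SAMPLE_LOG):
        print(finding)
```

The main loop message is matched on text alone, so treat a CVE-2016-7796 finding as a lead to confirm against the installed systemd version rather than as proof.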

Updates for Affected Products

Product                           Package  CVE            Advisory/Update
Red Hat Enterprise Linux 7        systemd  CVE-2016-7795  RHSA-2016:2610
Red Hat Enterprise Linux 7        systemd  CVE-2016-7796  RHBA-2015:2092
Red Hat Enterprise Linux 7.2 EUS  systemd  CVE-2016-7795  RHSA-2016:2694
Red Hat Enterprise Linux 7.1 EUS  systemd  CVE-2016-7796  RHSA-2017-0003


1 Comments


This is still marked as ongoing with no mention of the updated package in 'Resolve'.

The following systemd package released on the 3rd of November addresses CVE-2016-7795:

systemd-219-30.el7_3.3-x86_64

From the changelog

 A flaw was found in the way systemd handled empty notification messages. A
local attacker could use this flaw to make systemd freeze its execution,
preventing further management of system services, system shutdown, or zombie
process collection via systemd. (CVE-2016-7795)

Related errata is here:

https://access.redhat.com/errata/RHSA-2016:2610
