systemd - Denial of Service Vulnerability

Public Date: October 2, 2016, 20:00
Updated January 3, 2017, 14:46

Resolved Status
Moderate Impact

Red Hat Product Security has been made aware of a denial of service vulnerability affecting systemd, which has been assigned CVE-2016-7795. During analysis, a similar issue was found affecting earlier systemd versions, which was assigned CVE-2016-7796. Both vulnerabilities have been rated as having Moderate security impact.

On Red Hat Enterprise Linux 7, systemd fails to correctly process zero-length messages received over its notification socket. After receiving such a message, systemd hangs in the pause system call, making it no longer possible to start and stop system services, or to cleanly shut down or reboot the system. Additionally, login commands (like ssh or su) hang for 30 or more seconds, inetd-style services managed by systemd no longer accept connections, and zombie processes that have systemd as their parent process are not cleaned up.

This problem can be triggered by a local user without root privileges.

These issues have been rated as having Moderate security impact by Red Hat Product Security.

The following Red Hat Product versions are impacted:

  • Red Hat Enterprise Linux 7.2 and 7.3 for CVE-2016-7795
  • Red Hat Enterprise Linux 7.0 and 7.1 for CVE-2016-7796

systemd accepts notification messages from all local users. A zero-length notification message causes systemd to hang. On Red Hat Enterprise Linux 7.2, a failed assertion in the manager_invoke_notify_message() function aborts its execution. On Red Hat Enterprise Linux 7.1 and earlier, an error returned by the manager_dispatch_notify_fd() function causes systemd to exit its main loop. In both cases, systemd freezes its execution in the pause() system call.

On Red Hat Enterprise Linux 7.2, running the following command makes systemd cease to respond to systemctl commands:

NOTIFY_SOCKET=/run/systemd/notify systemd-notify ""

Messages similar to these can be found in logs:

Sep 28 16:34:29 rhel7 systemd: Cannot find unit for notify message of PID 12345.
Sep 28 16:34:29 rhel7 systemd: Assertion 'n > 0' failed at src/core/manager.c:1619, function manager_invoke_notify_message(). Aborting.
Sep 28 16:34:29 rhel7 systemd: Caught <ABRT>, dumped core as pid 3988.
Sep 28 16:34:29 rhel7 systemd: Freezing execution.

On Red Hat Enterprise Linux 7.0 and 7.1, only the following message is logged:

Sep 30 11:48:56 rhel7 systemd: Failed to run mainloop: Input/output error
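
A log check built from the messages above, as an added example that is not part of Red Hat's bulletin: it scans syslog-style lines for the two signatures, reports which CVE each one matches, and records the PID from the preceding notify warning when one was logged. The function name `scan`, the result field names, the benign session line and the host name `rhel71` are constructed for illustration.

```python
import re

# Syslog-style line as shown on this page: "Sep 28 16:34:29 rhel7 systemd: <message>"
LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\ssystemd(?:\[\d+\])?:\s(?P<msg>.*)$")
# Message signatures copied from the log excerpts above.
SIGNATURES = {
    "CVE-2016-7795": re.compile(r"Assertion 'n > 0' failed at .*manager_invoke_notify_message\(\)"),
    "CVE-2016-7796": re.compile(r"Failed to run mainloop: Input/output error"),
}
NOTIFY_PID = re.compile(r"Cannot find unit for notify message of PID (\d+)\.")
FREEZE = "Freezing execution."

def scan(lines):
    """Return one finding per signature hit, with per-host context."""
    findings, last_pid, open_hits = [], {}, {}
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a systemd message in the expected format
        host, msg = m["host"], m["msg"]
        pid = NOTIFY_PID.search(msg)
        if pid:
            last_pid[host] = int(pid.group(1))  # PID named in the latest notify warning
            continue
        if FREEZE in msg and host in open_hits:
            open_hits.pop(host)["freeze_logged"] = True  # systemd confirmed the freeze
            continue
        for cve, pattern in SIGNATURES.items():
            if pattern.search(msg):
                hit = {"host": host, "time": m["ts"], "cve": cve,
                       "notify_pid": last_pid.get(host), "freeze_logged": False}
                findings.append(hit)
                open_hits[host] = hit
    return findings

# Constructed sample: the page's log lines plus a benign line; host rhel71 is made up.
SAMPLE = """\
Sep 28 16:34:28 rhel7 systemd: Started Session 12 of user alice.
Sep 28 16:34:29 rhel7 systemd: Cannot find unit for notify message of PID 12345.
Sep 28 16:34:29 rhel7 systemd: Assertion 'n > 0' failed at src/core/manager.c:1619, function manager_invoke_notify_message(). Aborting.
Sep 28 16:34:29 rhel7 systemd: Caught <ABRT>, dumped core as pid 3988.
Sep 28 16:34:29 rhel7 systemd: Freezing execution.
Sep 30 11:48:56 rhel71 systemd: Failed to run mainloop: Input/output error
""".splitlines()

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

On Red Hat Enterprise Linux 7.0 and 7.1 no freeze message is logged, so a CVE-2016-7796 finding with `freeze_logged` set to False still indicates a hung systemd.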

Product                           Package  CVE            Advisory/Update
Red Hat Enterprise Linux 7        systemd  CVE-2016-7795  RHSA-2016:2610
Red Hat Enterprise Linux 7        systemd  CVE-2016-7796  RHBA-2015:2092
Red Hat Enterprise Linux 7.2 EUS  systemd  CVE-2016-7795  RHSA-2016:2694
Red Hat Enterprise Linux 7.1 EUS  systemd  CVE-2016-7796  RHSA-2017-0003
