systemd - Denial of Service Vulnerability
CVE-2016-7795. During analysis a similar issue was found affecting earlier systemd versions, which was assigned CVE-2016-7796. Both vulnerabilities have been rated as having Moderate security impact.
Background Information
On Red Hat Enterprise Linux 7, systemd fails to correctly process zero-length messages received over its notification socket. After receiving such a message, systemd hangs in the pause system call, making it no longer possible to start and stop system services, or to cleanly shut down or reboot the system. Additionally, login commands (like ssh or su) hang for 30 or more seconds, inetd-style services managed by systemd no longer accept connections, and zombie processes that have systemd as their parent process are not cleaned up.
This problem can be triggered by a local user without root privileges.
These issues have been rated as having Moderate security impact by Red Hat Product Security.
Impacted Products
The following Red Hat Product versions are impacted:
- Red Hat Enterprise Linux 7.2 and 7.3 for CVE-2016-7795
- Red Hat Enterprise Linux 7.0 and 7.1 for CVE-2016-7796
Root Cause
systemd accepts notification messages from all local users. A zero-length notification message causes systemd to hang. On Red Hat Enterprise Linux 7.2, a failed assertion in the manager_invoke_notify_message() function aborts its execution. On Red Hat Enterprise Linux 7.1 and earlier, an error returned by the manager_dispatch_notify_fd() function causes systemd to exit its main loop. In both cases, systemd freezes its execution in the pause() system call.
Diagnostic Steps
On Red Hat Enterprise Linux 7.2, running the following command makes systemd cease to respond to systemctl commands:
NOTIFY_SOCKET=/run/systemd/notify systemd-notify ""
Messages similar to these can be found in logs:
Sep 28 16:34:29 rhel7 systemd: Cannot find unit for notify message of PID 12345.
Sep 28 16:34:29 rhel7 systemd: Assertion 'n > 0' failed at src/core/manager.c:1619, function manager_invoke_notify_message(). Aborting.
Sep 28 16:34:29 rhel7 systemd: Caught <ABRT>, dumped core as pid 3988.
Sep 28 16:34:29 rhel7 systemd: Freezing execution.
On Red Hat Enterprise Linux 7.0 and 7.1, only the following message is logged:
Sep 30 11:48:56 rhel7 systemd: Failed to run mainloop: Input/output error
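The two log signatures above can be checked for mechanically. The following is an added example, not part of the original article or any Red Hat tooling: it scans syslog-format text for both signatures and labels each hit with the CVE the article associates with it. The function name, the result fields, and the treatment of the PID in an immediately preceding "Cannot find unit" line as a lead to the sending process are assumptions.

```python
import re

# Constructed sample input: the log lines quoted in the article above.
SAMPLE_LOG = """\
Sep 28 16:34:29 rhel7 systemd: Cannot find unit for notify message of PID 12345.
Sep 28 16:34:29 rhel7 systemd: Assertion 'n > 0' failed at src/core/manager.c:1619, function manager_invoke_notify_message(). Aborting.
Sep 28 16:34:29 rhel7 systemd: Caught <ABRT>, dumped core as pid 3988.
Sep 28 16:34:29 rhel7 systemd: Freezing execution.
Sep 30 11:48:56 rhel7 systemd: Failed to run mainloop: Input/output error
"""

# syslog prefix: timestamp, host, then "systemd:" or "systemd[1]:"
LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) systemd(?:\[\d+\])?: (?P<msg>.*)$")
NOTIFY_PID = re.compile(r"Cannot find unit for notify message of PID (\d+)\.")
ASSERTION = re.compile(r"Assertion 'n > 0' failed at \S+, function manager_invoke_notify_message\(\)")
MAINLOOP = "Failed to run mainloop: Input/output error"


def find_freezes(text):
    """Return one finding per matched signature, in log order."""
    findings, pending, last_pid = [], None, None
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not a systemd line
        # Only a PID logged on the directly preceding systemd line is kept.
        msg, prev_pid, last_pid = m["msg"], last_pid, None
        base = {"ts": m["ts"], "host": m["host"]}
        pid = NOTIFY_PID.search(msg)
        if pid:
            last_pid = int(pid.group(1))
        elif ASSERTION.search(msg):
            # RHEL 7.2 signature: failed assertion in the notify handler.
            pending = dict(base, cve="CVE-2016-7795", notify_pid=prev_pid, freeze_logged=False)
            findings.append(pending)
        elif msg == "Freezing execution." and pending:
            pending["freeze_logged"] = True
            pending = None
        elif msg.startswith(MAINLOOP):
            # RHEL 7.0/7.1 signature: only this single message is logged.
            findings.append(dict(base, cve="CVE-2016-7796", notify_pid=None, freeze_logged=False))
    return findings


if __name__ == "__main__":
    for finding in find_freezes(SAMPLE_LOG):
        print(finding)
```

On a live host the same function can be fed the contents of the system log file; a hit with `freeze_logged` set means systemd has already stopped servicing requests.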
Updates for Affected Products
Product | Package | CVE | Advisory/Update |
---|---|---|---|
Red Hat Enterprise Linux 7 | systemd | CVE-2016-7795 | RHSA-2016:2610 |
Red Hat Enterprise Linux 7 | systemd | CVE-2016-7796 | RHBA-2015:2092 |
Red Hat Enterprise Linux 7.2 EUS | systemd | CVE-2016-7795 | RHSA-2016:2694 |
Red Hat Enterprise Linux 7.1 EUS | systemd | CVE-2016-7796 | RHSA-2017-0003 |