Qualys security researchers have reported three new vulnerabilities in systemd, the init system that starts and manages daemons on most Linux distributions. The flaws allow a local attacker or malware to gain root privileges on the target system.
The vulnerabilities were assigned the identifiers CVE-2018-16864, CVE-2018-16865 and CVE-2018-16866. All three are in the systemd-journald service, which collects log messages from various sources and writes them as entries to the journal.
The vulnerabilities affect all systemd-based Linux distributions (including Red Hat and Debian). SUSE Linux Enterprise 15, openSUSE Leap 15.0 and Fedora 28 and 29 contain the same code but are not exploitable, because their user space is compiled with GCC's -fstack-clash-protection, which probes the stack page by page and turns an oversized stack allocation into a crash instead of a silent overwrite. Every other distribution needs the updated systemd packages from its vendor.
The first two vulnerabilities are memory corruptions (stack buffer overflows in systemd-journald caused by attacker-controlled alloca() calls), and the third is an out-of-bounds read in systemd-journald that leaks the contents of its memory. The read is an information leak on its own, and the researchers pair it with one of the memory corruptions to locate addresses and defeat ASLR.
The researchers say they have developed proof-of-concept exploits, which they plan to publish in the near future.
“We created an exploit for CVE-2018-16865 and CVE-2018-16866. Thanks to it, you can get root access in 10 minutes on an i386 processor, and in 70 minutes on an amd64 processor,” the experts write.
The remaining flaw, CVE-2018-16864, is similar to Stack Clash, the class of vulnerabilities Qualys disclosed in 2017: a stack allocation whose size the attacker controls can move the stack pointer straight past the guard page below the stack, so the subsequent writes land in a neighbouring mapping instead of faulting. It allows a low-privileged local attacker, or a malicious program, to escalate its privileges on the system.
According to the researchers, CVE-2018-16864 has been present in systemd since April 2013 (systemd v203) and became exploitable in February 2016 (systemd v230).
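The Stack Clash pattern the article compares CVE-2018-16864 to can be shown in a few lines of C. The example below is added here and is not systemd's code or Qualys' exploit: it models a journald-like routine that assembles a "_CMDLINE=" log field from a caller-supplied command line, first with an unbounded alloca() (the vulnerable shape), then with a capped and probed stack allocation that falls back to the heap. The field name, the STACK_ALLOC_MAX cap, the 4 KiB page size and the manual probing loop are assumptions for illustration; in production the probing is what the compiler inserts under -fstack-clash-protection, and the cap is what a code review should insist on.

```c
#include <alloca.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumptions for this example: a cap on what we are willing to put on the
 * stack, and a 4 KiB page size for the manual probe below. */
#define STACK_ALLOC_MAX (16 * 1024)
#define PAGE_SIZE_ASSUMED 4096

static const char FIELD_PREFIX[] = "_CMDLINE=";   /* hypothetical field */
#define PREFIX_LEN (sizeof(FIELD_PREFIX) - 1)

/* Vulnerable shape: the stack allocation is sized by whoever supplied
 * cmdline.  A multi-megabyte cmdline makes alloca() move the stack pointer
 * past the guard page into whatever mapping lies below the stack, and the
 * memcpy then writes into that mapping instead of faulting.  This is the
 * Stack Clash idea.  Returns the assembled field's length; only call it
 * with small inputs when demonstrating. */
size_t build_field_vulnerable(const char *cmdline, size_t len)
{
    size_t total = PREFIX_LEN + len;
    char *buf = alloca(total + 1);            /* unbounded, attacker-sized */
    memcpy(buf, FIELD_PREFIX, PREFIX_LEN);
    memcpy(buf + PREFIX_LEN, cmdline, len);
    buf[total] = '\0';
    return strlen(buf);
}

/* By-hand version of what -fstack-clash-protection does: touch one byte per
 * page from the top of the region downwards, so that if the region crosses
 * the guard page the first touch of that page faults and the process dies
 * instead of silently writing below the guard. */
static void probe_stack_region(char *lowest, size_t len)
{
    for (size_t off = len; off > PAGE_SIZE_ASSUMED; off -= PAGE_SIZE_ASSUMED)
        *(volatile char *)(lowest + off - 1) = 0;
    *(volatile char *)lowest = 0;
}

/* Hardened shape: check the arithmetic, cap the stack allocation, probe it,
 * and take anything larger from the heap.  Returns a heap copy of the field
 * (caller frees) or NULL on overflow or allocation failure. */
char *build_field_hardened(const char *cmdline, size_t len)
{
    if (len > SIZE_MAX - PREFIX_LEN - 1)
        return NULL;                          /* total + 1 would wrap */
    size_t total = PREFIX_LEN + len;
    char *buf;
    int on_heap;

    if (total + 1 <= STACK_ALLOC_MAX) {
        buf = alloca(total + 1);              /* bounded by the cap */
        probe_stack_region(buf, total + 1);
        on_heap = 0;
    } else {
        buf = malloc(total + 1);              /* heap is bounds-checked by the allocator */
        if (!buf)
            return NULL;
        on_heap = 1;
    }
    memcpy(buf, FIELD_PREFIX, PREFIX_LEN);
    memcpy(buf + PREFIX_LEN, cmdline, len);
    buf[total] = '\0';

    if (on_heap)
        return buf;                           /* already a heap copy */
    char *out = malloc(total + 1);
    if (out)
        memcpy(out, buf, total + 1);
    return out;
}

int main(void)
{
    /* Constructed inputs: a normal command line and an oversized one. */
    const char small[] = "/bin/true";
    size_t big_len = 1u << 20;                /* 1 MiB, larger than the cap */
    char *big = malloc(big_len);
    memset(big, 'A', big_len);

    char *f = build_field_hardened(small, sizeof(small) - 1);
    printf("small field: %s\n", f);
    free(f);

    f = build_field_hardened(big, big_len);   /* takes the heap path */
    printf("big field: %zu bytes\n", strlen(f));
    free(f);
    free(big);
    return 0;
}
```

The difference between the two shapes is not the copy but where the size comes from: the vulnerable routine lets the caller decide how far the stack pointer moves, while the hardened one never lets an alloca() exceed a small constant, so no single allocation can skip the guard page. If you maintain C that logs or formats data from other processes, the practical check is to grep for alloca() and variable-length arrays whose size derives from input, and either bound them or build with -fstack-clash-protection.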