Opens door to privilege escalation attacks
Some Linux distros will need to be updated following the discovery of an easily exploitable flaw in a core system management component.
The CVE-2016-10156 flaw in systemd v228 opens the door to privilege escalation attacks, creating a means for hackers to root systems locally if not across the internet.
The vulnerability is fixed in systemd v229.
“Newer” versions deployed by Fedora or Ubuntu have been secured but Debian systems are still running an older version and therefore need updating.
The security bug was initially thought to pose only a system-crashing risk but was upgraded this week following a re-evaluation of its severity.
The bug now weighs in at a CVSS score of 7.2, towards the top end of the 1-10 scale.
It’s a local root exploit, so requires access to the server in question, but it pretty much boils down to “create a file in a certain way, and gain root on the server” – so it’s trivial to exploit.
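The article's practical takeaway is a version check: a host running systemd older than v229 needs the update. The script below is an added example, not code from the article or from the systemd project, that parses the first line of `systemctl --version` output (assumed to read `systemd <N>`) and reports whether the build predates the fix. The version string `SAMPLE_VULNERABLE` is constructed for demonstration; `check_local_systemd` runs the same logic against the host it is executed on.

```shell
#!/bin/sh
# Added example (not from the article): flag a systemd build older than the
# v229 release that fixes CVE-2016-10156. FIXED_VERSION comes from the article;
# the output format of `systemctl --version` ("systemd 228" on the first line,
# feature flags on the next) is an assumption about that command's output.
FIXED_VERSION=229

# systemd_version_from_output: read `systemctl --version` text on stdin and
# print the numeric version from its first line (nothing if it does not match).
systemd_version_from_output() {
    head -n 1 | sed -n 's/^systemd \([0-9][0-9]*\).*$/\1/p'
}

# systemd_needs_update VERSION: return 0 if VERSION is older than the fix,
# 1 if it is at or past the fix, 2 if VERSION is not a plain integer.
systemd_needs_update() {
    v=$1
    case "$v" in
        ''|*[!0-9]*) echo "unrecognised systemd version: '$v'" >&2; return 2 ;;
    esac
    [ "$v" -lt "$FIXED_VERSION" ]
}

# check_local_systemd: run the check against the host this script runs on.
# Exit status: 1 = needs update, 0 = fixed build, 2 = could not determine.
check_local_systemd() {
    ver=$(systemctl --version 2>/dev/null | systemd_version_from_output)
    systemd_needs_update "$ver"
    case $? in
        0) echo "systemd $ver is older than v$FIXED_VERSION: update for CVE-2016-10156"; return 1 ;;
        1) echo "systemd $ver is at or past the v$FIXED_VERSION fix"; return 0 ;;
        *) echo "could not determine the systemd version on this host" >&2; return 2 ;;
    esac
}

# Constructed sample, shaped like `systemctl --version` output on a v228 host
# (the feature-flag line is illustrative, not captured from a real machine).
SAMPLE_VULNERABLE='systemd 228
+PAM +AUDIT +SELINUX +ACL +XZ +SECCOMP +BLKID'

# Demonstration on the constructed sample, safe to run on any machine.
sample_ver=$(printf '%s\n' "$SAMPLE_VULNERABLE" | systemd_version_from_output)
if systemd_needs_update "$sample_ver"; then
    echo "sample host reports systemd $sample_ver: needs update to v$FIXED_VERSION"
fi
```

To audit a real host, call `check_local_systemd` at the end of the script (or from a fleet tool) and act on its exit status; a result of 2 means the version could not be parsed and the host should be inspected by hand rather than assumed fixed.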
systemd is a suite of building blocks for Linux systems that provides system and service management technology.
Security specialists view it with suspicion and complaints about function creep are not uncommon. ®