A specially crafted DNS response is enough to trigger a critical buffer overflow in systemd-resolved, the DNS resolver shipped with many Linux systems.
The vulnerability, tracked as CVE-2017-9445, could allow remote attackers to execute malicious code on affected systems. The fault lies with systemd, the service startup and management system that is pre-installed on several popular Linux distributions.
Canonical developer Chris Coulson, who discovered the flaw, says:
"A remote attacker can trigger a buffer overflow vulnerability to execute malicious code with just one malicious DNS response."
The expert identified the vulnerability in the 'dns_packet_new' function of 'systemd-resolved', the component that handles DNS responses and provides network name resolution for local applications.
A specially crafted DNS response can cause 'systemd-resolved' to crash. This can happen whenever the system performs a hostname lookup that reaches an attacker-controlled DNS server: the attacker answers the query with a malicious DNS response, which causes a buffer overflow in the resolver and can potentially lead to remote code execution.
How is this done? According to Coulson, in the affected versions of systemd an attacker can make the resolver allocate an undersized buffer for processing a DNS packet by causing specific sizes to be passed to dns_packet_new.
"A malicious DNS server can take advantage of this by responding with a specially designed TCP payload to trick systemd-resolved into allocating a buffer that is too small, and then write arbitrary data past the end of it," says the expert.
This out-of-bounds write allows an attacker to crash systemd-resolved or to corrupt memory, which in turn can allow code execution on the target machine. All it takes is a single malicious DNS response.
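To make the mechanism concrete, the following is an added example written for this article; it is not code from systemd or from Coulson's report. It models the bug class described above for a DNS-over-TCP response (a 16-bit length prefix followed by the message, RFC 1035 section 4.2.2): a sizing routine that subtracts a UDP/IP header allowance from the requested size before rounding up to a page, so that for certain requested sizes the payload area ends up smaller than the number of bytes the reader is about to copy into it. The constants (page size, header sizes, the 512-byte starting size) and the exact arithmetic are assumptions chosen to reproduce the undershoot, not systemd's actual values or code. Beside the flawed sizing sits a hardened sizing routine and a frame reader that validates the announced length before allocating and bounds the copy by the validated length.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constants are assumptions for this illustration, not systemd's values. */
#define PAGE_SZ               4096u
#define UDP_PACKET_HEADER_SZ  28u      /* IPv4 (20) + UDP (8) */
#define DNS_PACKET_HEADER_SZ  12u      /* fixed DNS message header */
#define DNS_PACKET_SIZE_START 512u
#define DNS_PACKET_SIZE_MAX   65535u   /* TCP length prefix is 16 bits */

#define ALIGN_UP(n, a) (((n) + (a) - 1) / (a) * (a))

typedef struct dns_packet {
    size_t allocated;   /* payload bytes that follow this header */
    size_t size;        /* payload bytes actually filled */
} dns_packet;

#define DNS_PACKET_DATA(p) ((uint8_t *)((p) + 1))

/* Flawed sizing (hypothetical model of the bug): the caller asks for 'mtu'
 * payload bytes, but a UDP/IP header allowance is subtracted first and only
 * then is header+payload rounded up to a page. When the rounding adds back
 * fewer bytes than were subtracted, the payload area is smaller than 'mtu'. */
size_t flawed_payload_size(size_t mtu) {
    size_t a = (mtu <= UDP_PACKET_HEADER_SZ) ? DNS_PACKET_SIZE_START
                                             : mtu - UDP_PACKET_HEADER_SZ;
    return ALIGN_UP(sizeof(dns_packet) + a, PAGE_SZ) - sizeof(dns_packet);
}

/* 1 if a 'mtu'-byte copy into a flawed-sized buffer would run off its end. */
int flawed_size_undershoots(size_t mtu) {
    return flawed_payload_size(mtu) < mtu;
}

/* Hardened sizing: reject sizes the protocol cannot produce and never hand
 * back fewer payload bytes than were requested. Returns 0 on rejection. */
size_t safe_payload_size(size_t mtu) {
    if (mtu < DNS_PACKET_HEADER_SZ || mtu > DNS_PACKET_SIZE_MAX)
        return 0;
    size_t a = (mtu < DNS_PACKET_SIZE_START) ? DNS_PACKET_SIZE_START : mtu;
    return ALIGN_UP(sizeof(dns_packet) + a, PAGE_SZ) - sizeof(dns_packet);
}

/* Hardened DNS-over-TCP frame reader. 'stream' holds the bytes received from
 * the server so far. Returns 0 and sets *out (caller frees) on success,
 * -1 if the length prefix is incomplete or outside the allowed range,
 * -2 if the server has so far sent fewer bytes than it announced. */
int read_tcp_dns_response(const uint8_t *stream, size_t stream_len, dns_packet **out) {
    *out = NULL;
    if (stream_len < 2)
        return -1;
    size_t len = ((size_t)stream[0] << 8) | stream[1];
    size_t alloc = safe_payload_size(len);
    if (alloc == 0)
        return -1;              /* shorter than a DNS header, or larger than 16 bits allow */
    if (stream_len - 2 < len)
        return -2;              /* truncated: wait for more data, copy nothing yet */
    dns_packet *p = calloc(1, sizeof(*p) + alloc);
    if (!p)
        return -1;
    p->allocated = alloc;
    p->size = len;
    /* The copy is bounded by the validated length, which is <= p->allocated. */
    memcpy(DNS_PACKET_DATA(p), stream + 2, len);
    *out = p;
    return 0;
}

int main(void) {
    /* Sizes at which the flawed model undershoots versus holds. */
    size_t probes[] = { 512, 4100, 65535 };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("mtu=%zu flawed=%zu safe=%zu undershoot=%d\n", probes[i],
               flawed_payload_size(probes[i]), safe_payload_size(probes[i]),
               flawed_size_undershoots(probes[i]));

    /* Constructed frame: 2-byte length (12) + a minimal DNS response header. */
    const uint8_t frame[] = { 0x00, 0x0c, 0x12, 0x34, 0x81, 0x80,
                              0, 0, 0, 0, 0, 0, 0, 0 };
    dns_packet *p = NULL;
    int rc = read_tcp_dns_response(frame, sizeof frame, &p);
    printf("read: rc=%d size=%zu allocated=%zu\n", rc, p ? p->size : 0, p ? p->allocated : 0);
    free(p);
    return 0;
}
```

The point of the two sizing routines is that the requested size and the usable size must be compared after every adjustment, not before: a buffer that is rounded up to a page still comes up short if something was subtracted first. The reader also refuses to touch the buffer until the full announced length has arrived, so a server that lies about its length can only stall the connection, not write past the allocation.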
The defect affects systemd versions 223 through 233, the latter released in March 2017.
What distributions are affected?
The vulnerability affects Ubuntu 17.04 and 16.10. Debian Stretch (or Debian 9), Buster (Debian 10) and Sid (Debian Unstable), as well as other Linux distributions that use systemd, are also vulnerable.
Linux users and system administrators should update their systems as soon as possible.