Short Bytes: A single-line command allows any user to crash Systemd on his Linux machine. Andrew Ayer, who discovered the bug, explains in a blog post the incapacities of Systemd. He has also indulged himself in an argumental clash with another developer.
“You can no longer start and stop daemons. inetd-style services no longer accept connections. You cannot cleanly reboot the system. The system feels generally unstable (e.g. ssh and su hang for 30 seconds since Systemd is now integrated with the login system). All of this can be caused by a command that’s short enough to fit in a Tweet.”
Ubuntu was a quick to release a fix on Sept 29, the very day after the vulnerability was reported. Pantheon co-founder David Timothy Strauss wrote in a Medium post that the “Systemd team has recently patched a local denial of service vulnerability affecting the notification socket.” He called Ayer’s blog post as an “opportunity to throw a fresh tantrum about Systemd”.
“It’s a tantrum when you use a minor security issue as justification to rant about everything remotely related to Systemd and insist on radical changes (throwing out systemd) to address what are mostly fixable quibbles — at least the quibbles that were based on facts or good judgment in the first place,” Strauss wrote who considers Ayer’s claims as either wrong or misleading.
Ayer was quick to write a response about Strauss’ analysis of his findings and blog post. And Strauss also replied in yesterday’s post, Ayer vs. systemd, Part 4. The two have been pushing their set on arguments in the Systemd debate.
Rich Felker, the author of the musl library, told Threatpost that Ayer’s findings throw light on a much bigger picture and his finding itself is not a serious vulnerability.
“Systemd is not designed to be broken down into small parts that can safely fail and recover from both a security point of view and a robustness standpoint,” Felker said.
“You’ve got one big monolithic process where if one thing breaks the whole thing goes down. That’s the big design problem Ayer is shedding light on. It’s not a big security flaw, it’s a system development design flaw.”
If you have something to add, tell us in the comments below.