Linux systemd bug allows denial of service attacks

Security researchers have discovered bugs when parsing long file system paths in Linux-based operating systems that can be used to crash them and for local privilege escalation to the root superuser.

The first affects the systemd software which acts as a system and service manager, running as the first OS process (PID 1).

Security vendor Qualys said a vulnerability was introduced into systemd version 220 in April 2015, which allows an unprivileged user to panic the Linux kernel, and cause a denial of service attack.

Long mount point paths can crash systemd with a segmentation fault which, in turn, takes down the entire operating system.

“As a result, if the total path length of this mountpoint exceeds 8MB (the default RLIMIT_STACK), then systemd crashes with a segmentation fault that also crashes the entire operating system (a kernel panic, because systemd is the ‘global init’, PID 1),” Qualys said in its technical analysis of the bug.

There are no mitigations for the CVE-2021-33910 systemd bug, and Qualys recommends that administrators apply patches from the Linux distributions immediately.

A related bug, CVE-2021-33909 or “Sequoia”, allows local, non-privileged users to elevate their accounts to the root superuser one, by abusing long folder paths.

The attack requires users to create, mount and delete a deep directory structure with a total path length exceeding 1 gigabyte.

There are mitigations against the Sequoia bug which was introduced into the Linux kernel in 2014, but they do not completely address the vulnerability and Qualys advises users to apply patches as soon as possible.