
Linux ‘Vulnerable To Tweet-Sized Attack’

Most Linux systems can be crippled by a single command, runnable by any unprivileged local user, that is short enough to fit into a Twitter post.

After a user issues the command, a number of critical functions no longer work, while others are rendered unstable, according to Andrew Ayer, a Linux administrator and founder of security certificate vendor SSLMate.

‘Serious’ bug

“All of this can be caused by a command that’s short enough to fit in a Tweet,” he wrote in an advisory. “The bug is serious, as it allows any local user to trivially perform a denial-of-service attack against a critical system component.”

Ayer said he disclosed the bug in order to highlight problems with a widely used Linux component called systemd, which he considers “defective by design”.

But some called the move irresponsible, since Ayer published the issue online without first informing systemd’s developers.

The command, Ayer said, is NOTIFY_SOCKET=/run/systemd/notify systemd-notify "" (the final argument is an empty string).

A patch for the issue was released on systemd's GitHub code repository. Some researchers found that on some systems the command only took effect when wrapped in a while true loop.

“It is unfortunate that this was not handled using a ‘responsible disclosure’ process,” wrote a GitHub contributor using the pseudonym Mornau.

Too much complexity?

Ayer said the bug is typical of systemd, which he criticised as overly complex, and he argued the issue indicates Linux developers have “fallen behind other operating systems in writing secure and robust software”.

Systemd has been adopted by most Linux distributions as their default initialisation system, a trend that remains controversial among some critics.

Ayer and other critics also argue distributions have been effectively forced to adopt systemd due to the dependency of other popular software upon it.

“Systemd is dangerous not only because it is introducing hundreds of thousands of lines of complex C code without any regard to longstanding security practices like privilege separation or fail-safe design, but because it is setting itself up to be irreplaceable,” Ayer wrote.

‘Quibbles’

He urged Linux administrators not to replace existing services with systemd and application developers not to use systemd’s non-standard interfaces, and instead to hold out for more secure alternatives.

Systemd maintainer David Timothy Strauss responded that the bug is “minor” and said Ayer’s criticisms were “mostly fixable quibbles”, although he acknowledged some were “legitimate criticisms”.

Ayer would be better to help systemd implement a better architecture than to call for its replacement, said Strauss, who is chief technology officer and co-founder of web hosting platform Pantheon, in a blog post.


Matthew Broersma

Matt Broersma is a long-standing tech freelancer who has worked for Ziff-Davis, ZDNet and other leading publications.
