systemd Control Group Path Validation Vulnerability Leading to Execution Freeze

A vulnerability in systemd's handling of control group paths can cause the systemd process (PID 1) to freeze and assert when an unprivileged inter-process communication (IPC) API call is made with invalid data. This issue affects systemd versions 239 through 249, where it leads to stack overwriting with attacker-controlled content. In versions 250 and newer, the vulnerability is mitigated by a safety check that triggers an assert instead of allowing the stack to be overwritten. The problematic IPC call was introduced in version 239, so versions prior to that are not affected. The vulnerability can be exploited by sending a crafted control group path that bypasses normal validation, causing systemd to crash or behave unexpectedly.

Impact

Exploitation of this vulnerability causes systemd to freeze and stop executing, disrupting system services and management. In versions prior to 250, the vulnerability also overwrites the stack with attacker-controlled data, which could potentially be exploited to execute arbitrary code.

Reproduction

The vulnerability can be reproduced by sending an IPC call to the systemd manager over the D-Bus system bus. The call should be made to the 'GetUnitByControlGroup' method, with a control group path that is not properly formatted or normalized, such as one that includes excessive characters. This can be done using a Python script that utilizes the 'pydbus' library to interact with the D-Bus system bus and send the crafted IPC call.

Remediation

Users can upgrade to systemd versions 260, 259.2, 258.5, or 257.11, all of which include patches to address this vulnerability.