systemd
cpe:2.3:a:systemd_project:systemd:*:*:*:*:*:*:*
- 260
A denial-of-service vulnerability has been identified in systemd version 260, prior to 261. This issue allows a local unprivileged user to cause the systemd process (PID 1) to freeze execution by sending an inter-process communication (IPC) API call that includes an array or map with null elements. The vulnerability arises from a change introduced in systemd version 260, which improperly handles such data, leading to an assertion failure that halts processing.
Exploitation of this vulnerability causes systemd to hit an assertion and freeze execution, disrupting normal system operations.
The vulnerability can be reproduced by sending a varlink request to the systemd manager socket at `/run/systemd/io.systemd.Manager`. The request must include a method call to `io.systemd.UserDatabase.GetUserRecord` with the `fuzzyNames` parameter containing a null element and an empty array. This can be done using `socat` to connect to the Unix socket and transmit the crafted JSON payload.
Users can upgrade to systemd versions 260.1 or 261 to address this vulnerability. Alternatively, the access control of the varlink socket `/run/systemd/io.systemd.Manager` can be changed to restrict access to root only.
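A check for the two remediation conditions above, as an added example that is not part of the advisory or of systemd itself: it classifies a host by version (260 before 260.1 is treated as affected) and by whether the manager socket is reachable by non-root users. The function names and the `--host` switch are assumptions of this example, and a distribution backport that fixes 260 without changing the version string is not detected.

```shell
#!/bin/sh
# Added example: classify a host against the advisory's two conditions.
# Affected range taken from the advisory: 260 before 260.1; fixed in 260.1 and 261.
SOCK=/run/systemd/io.systemd.Manager

# version_affected VERSION -> exit 0 if VERSION is 260 with no point release >= 1
version_affected() {
    major=${1%%[!0-9]*}              # leading digits: "260.1-2" -> "260"
    rest=${1#"$major"}               # remainder:      "260.1-2" -> ".1-2"
    minor=0
    case $rest in
        .[0-9]*) rest=${rest#.}; minor=${rest%%[!0-9]*} ;;
    esac
    [ "$major" = 260 ] && [ "$minor" -lt 1 ]
}

# socket_root_only MODE OWNER_UID -> exit 0 if only root can connect.
# Connecting to a Unix socket needs write permission on the socket inode,
# so any group/other write bit or a non-root owner leaves it reachable.
socket_root_only() {
    [ "$2" -eq 0 ] && [ $(( 0$1 & 022 )) -eq 0 ]
}

# assess VERSION MODE OWNER_UID -> unknown | not-affected | mitigated | exposed
assess() {
    if [ -z "$1" ] || [ -z "$2" ] || [ -z "$3" ]; then echo unknown
    elif ! version_affected "$1"; then echo not-affected
    elif socket_root_only "$2" "$3"; then echo mitigated
    else echo exposed
    fi
}

# check_host: read live values (needs systemctl and GNU stat).
# The packaged version in parentheses carries the point release, e.g. "(260.1-1)".
check_host() {
    ver=$(systemctl --version 2>/dev/null |
          awk 'NR==1 {v=$3; gsub(/[()]/,"",v); print (v=="" ? $2 : v)}')
    set -- $(stat -c '%a %u' "$SOCK" 2>/dev/null)
    echo "systemd ${ver:-?}, socket mode ${1:-?} uid ${2:-?}: $(assess "$ver" "$1" "$2")"
}

if [ "${1:-}" = "--host" ]; then check_host; fi
```

Run with `--host` on the machine being assessed; `exposed` means the version is in the affected range and the socket accepts connections from non-root users.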