Stack clashing systemd aka “System Down”
One and a half year ago the security research company Qualys reported a new attack class against common operating systems called “Stack Clash”.
We documented this in our TID 7020973.
The core security problem is that variable sized stack allocations could be used to overwrite heap memory as stack and heap grow towards each other without good separation.
Several mitigations were done for this security bug class. Foremost the Linux Kernel extended the gap between the process stack and heap from just 4KB to 1 Megabyte, making such attacks much harder. Successful attacks would now require an unprotected stack allocation larger than 1MB.
The kernel change was however just a band aid and the correct fix was to adjust userspace programs to protect these variable unsafe stack allocations. For this a compiler option was added named -fstack-clash-protection, and all userspace programs need to build using this option.
SUSE enabled this during development for SUSE Linux Enterprise 15 and openSUSE Leap 15.0, so all binaries on those distributions and newer ones are built with it and are safe from Stack Clash style attacks.
SUSE also enabled it retroactively for SUSE Linux Enterprise 12. While we did not rebuild and rerelease all packages, all of the updates that were released after March 2018 were built with this flag.
Qualys yesterday has published new security issues found in systemd-journald called “System Down”, where dynamic stack allocations could be used to cause a “Stack Clash” vulnerability, and so escalate privileges of local attackers to root.
As our systemd packages from SUSE Linux Enterprise Server 12 SP2 , SP3, SP4 and SUSE Linux Enterprise 15 have been built with -fstack-clash-protection these releases are not affected by this security issue.
Only systemd packages from SUSE Linux Enterprise Server 12 GA LTSS and 12 SP1 LTSS were not yet released built with this flag, so these were fixed and released yesterday.
Our references:
Related Articles
Oct 27th, 2022
Get fresh SLE Micro 5.3 docs – all you need to be productive
Run SAP
SUSE for Public Cloud
Security
No comments yet