FERRAMENTAS LINUX: Systemd Privilege Escalation: What Never Changes (and How to Lock It Down for Good)

Wednesday, April 15, 2026


Debian


Fix critical systemd privilege escalation flaws on Debian/Ubuntu/Rocky/SUSE. Permanent commands, automation script, and mitigation steps. Protect servers now.

April 15, 2026 – a new set of systemd vulnerabilities (CVE-2026-4105, CVE-2026-29111, CVE-2026-40225, CVE-2026-40226) dropped. But the real lesson isn’t the date. It’s that systemd – the brain of most Linux distros – keeps having the same class of bugs: improper access control in D-Bus, stack overwrites, and unsanitized input from hardware or config files.

Instead of chasing every CVE, learn the permanent checklist to detect, patch, or block these flaws – whether you run Ubuntu 22.04, Rocky Linux 9, or SUSE 15.

How to Check If You Are Vulnerable (Commands for Major Distros)

These tests focus on the CVE-2026-4105 pattern (unvalidated D-Bus class parameter), because it’s the most reusable indicator.

Ubuntu 22.04 / 24.04

```bash
# Check systemd version (systemctl is always on PATH; the systemd binary usually is not)
systemctl --version | head -1
# Exact package version: dpkg-query -W -f '${Version}\n' systemd
# Vulnerable if < 249.11-0ubuntu3.12 (22.04) or < 255.4-1ubuntu8.4 (24.04)

# Test D-Bus access (unprivileged)
busctl call org.freedesktop.machine1 /org/freedesktop/machine1 org.freedesktop.machine1.Manager RegisterMachine sssay "test" "" "container" 0
# If this returns without "Access denied" – you are vulnerable.
# Only an org.freedesktop.DBus.Error.AccessDenied reply shows the bus policy blocked the call;
# any other error (e.g. InvalidArgs) means the bus forwarded it to machined, so treat the
# version check above as the authoritative test.
```

Rocky Linux 9 (RHEL clone)

```bash
rpm -q systemd
# Vulnerable if version < 252-32.el9_4.3

# Same D-Bus test (works on any distro with systemd)
busctl call org.freedesktop.machine1 /org/freedesktop/machine1 org.freedesktop.machine1.Manager RegisterMachine sssay "test" "" "container" 0
```

SUSE Linux Enterprise Server 15

```bash
zypper info systemd | grep Version
# Vulnerable if < 249.16-150400.3.20.1

# Check D-Bus policy (vendor files first, then local overrides, as dbus-daemon loads them)
grep -r "RegisterMachine" /usr/share/dbus-1/system.d/ /etc/dbus-1/system.d/
# Look for missing "deny" rules on unprivileged users.
```
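The three checks above differ only in the package manager and the threshold. As an added example (my code, not part of the original post), the POSIX shell script below folds them into one: it reads `/etc/os-release`, looks up the fixed build for that release from the thresholds listed above, reads the installed package version from dpkg or rpm, and compares. The `vercmp`, `fixed_version`, `installed_systemd_version` and `version_status` names are mine. The comparison is a simplified approximation of dpkg/rpm ordering (digit runs compared numerically, every other token lexically, `~` not treated specially), so where exact semantics matter use `dpkg --compare-versions` or `rpmdev-vercmp` instead; the threshold table only covers the releases the article names.

```shell
#!/bin/sh
# Flag a systemd package older than the fixed build for this release.
# Added example; thresholds are the ones quoted in the article.

# vercmp A B -> prints -1 (A older), 0 (equal) or 1 (A newer).
# Approximates dpkg/rpm ordering: digit runs numerically, other tokens as strings.
vercmp() {
    awk -v a="$1" -v b="$2" '
    function tokens(s, arr) {
        gsub(/[0-9]+/, " & ", s)          # isolate digit runs
        gsub(/[^0-9A-Za-z ]/, " & ", s)   # isolate separators (. - _ : ~)
        return split(s, arr)
    }
    BEGIN {
        na = tokens(a, ta); nb = tokens(b, tb)
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? ta[i] : ""; y = (i <= nb) ? tb[i] : ""
            if (x == y) continue
            if (x ~ /^[0-9]+$/ && y ~ /^[0-9]+$/) r = (x + 0 < y + 0) ? -1 : 1
            else r = (x "" < y "") ? -1 : 1
            print r; exit
        }
        print 0
    }'
}

# fixed_version ID VERSION_ID -> first fixed build from the article, or status 1 if unknown
fixed_version() {
    case "$1:$2" in
        ubuntu:22.04)       echo 249.11-0ubuntu3.12 ;;
        ubuntu:24.04)       echo 255.4-1ubuntu8.4 ;;
        rocky:9*|rhel:9*)   echo 252-32.el9_4.3 ;;
        sles:15*)           echo 249.16-150400.3.20.1 ;;   # os-release ID for SLES is "sles"
        *)                  return 1 ;;
    esac
}

# Installed package version in the same form as the thresholds (dpkg or rpm).
installed_systemd_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f '${Version}' systemd 2>/dev/null
    elif command -v rpm >/dev/null 2>&1; then
        rpm -q --qf '%{VERSION}-%{RELEASE}' systemd 2>/dev/null
    fi
}

# version_status INSTALLED FIXED -> "vulnerable" (older than the fix) or "patched"
version_status() {
    if [ "$(vercmp "$1" "$2")" = -1 ]; then echo vulnerable; else echo patched; fi
}

# Report for the current host (skipped silently where os-release is absent).
if [ -r /etc/os-release ]; then
    . /etc/os-release
    if fixed=$(fixed_version "${ID:-}" "${VERSION_ID:-}"); then
        inst=$(installed_systemd_version)
        if [ -z "$inst" ]; then
            echo "could not read the installed systemd version"
        else
            echo "systemd $inst on $ID $VERSION_ID (fixed in $fixed): $(version_status "$inst" "$fixed")"
        fi
    else
        echo "no threshold listed for ${ID:-?} ${VERSION_ID:-?}; compare by hand with: vercmp INSTALLED FIXED"
    fi
fi
```

Run it as any user; it only reads package metadata. A result of `vulnerable` means the installed build sorts before the fixed one, which is the condition the three "Vulnerable if <" comments express.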

Automation Script to Apply the Fix (Works on Ubuntu, Rocky, SUSE)

Save as fix-systemd-cve.sh and run as root.

```bash
#!/bin/bash
# systemd privilege escalation fix - CVE-2026-4105, CVE-2026-29111, etc.
# Compatible: Debian/Ubuntu, RHEL/Rocky, SUSE

set -euo pipefail

# Detect distro (ID and VERSION_ID come from os-release)
OS=unknown
VER=unknown
if [ -f /etc/os-release ]; then
    . /etc/os-release
    OS=${ID:-unknown}
    VER=${VERSION_ID:-unknown}
fi

echo "[+] Fixing systemd on $OS $VER"

case $OS in
    ubuntu|debian)
        apt-get update
        # --only-upgrade: upgrade the installed package, never install it fresh
        apt-get install -y --only-upgrade systemd
        ;;
    rocky|rhel|centos|almalinux)
        dnf update -y systemd
        ;;
    sles|opensuse-leap|opensuse-tumbleweed)   # os-release ID for SLES 15 is "sles"
        zypper --non-interactive refresh
        zypper --non-interactive update systemd
        ;;
    *)
        echo "Unsupported distro '$OS'. Manual update required." >&2
        exit 1
        ;;
esac

# Re-execute PID 1 with the new binary and make the bus reload its policy files.
# (reload, not restart: restarting the system bus disconnects every running service)
systemctl daemon-reexec
systemctl reload dbus
# Restart the patched D-Bus service if it is currently running
systemctl try-restart systemd-machined

echo "[+] systemd updated to: $(systemctl --version | head -1). Reboot recommended."
echo "    To verify: busctl call org.freedesktop.machine1 /org/freedesktop/machine1 org.freedesktop.machine1.Manager RegisterMachine sssay 'test' '' 'container' 0"
echo "    Expected result: 'Access denied'"
```

Usage:

```bash
chmod +x fix-systemd-cve.sh
sudo ./fix-systemd-cve.sh
```

Alternative Mitigation (If You Can’t Update Now)

Block the D-Bus method for unprivileged users with an AppArmor profile or a D-Bus policy override.

AppArmor profile (Ubuntu/Debian)

Create /etc/apparmor.d/local/usr.lib.systemd.systemd-machined:

```text
deny /{,var/}run/dbus/system_bus_socket rw,
```

Then reload. Two caveats: the `local/` snippet is only read if the main profile `/etc/apparmor.d/usr.lib.systemd.systemd-machined` exists and includes it, and denying the bus socket cuts systemd-machined off from the system bus entirely, so this disables the service rather than filtering its callers (acceptable only where nothing uses machinectl or container registration):

```bash
apparmor_parser -r /etc/apparmor.d/usr.lib.systemd.systemd-machined
systemctl restart systemd-machined
```

D-Bus policy override (all distros)

Block unprivileged users from talking to the systemd-machined D-Bus interface (D-Bus is a Unix socket, so this is a bus policy, not a firewall rule):

```bash
# Create a dedicated dbus policy override.
# context="default" covers every caller that has no more specific policy; the
# original user="nobody" rule would only have applied to the "nobody" account.
# Root keeps access because a later user="root" policy overrides the default one.
cat > /etc/dbus-1/system.d/99-block-machined.conf <<'EOF'
<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
  <policy context="default">
    <deny send_destination="org.freedesktop.machine1"
          send_interface="org.freedesktop.machine1.Manager"/>
  </policy>
  <policy user="root">
    <allow send_destination="org.freedesktop.machine1"
           send_interface="org.freedesktop.machine1.Manager"/>
  </policy>
</busconfig>
EOF
# Reload (not restart) the bus so it re-reads the policy directory
systemctl reload dbus
```
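The SUSE check above only says to "look for missing deny rules", and an override like the one just written is worth confirming before trusting it. The POSIX shell audit below is an added example (my code, not the article's): it walks the policy files in the order dbus-daemon loads them, lists every `allow`/`deny` rule addressed to `org.freedesktop.machine1` together with the policy scope it sits in, and reports the last rule that applies to the default context, which is what an unprivileged caller gets. The two sample policy files it writes are constructed for the dry run; the real ones live under `/usr/share/dbus-1/system.d` and `/etc/dbus-1/system.d`. Function names are mine, and the parser only looks at `send_destination` rules (not `own`, `receive_*` or `send_member`).

```shell
#!/bin/sh
# Audit D-Bus system-bus policy for rules that govern calls to systemd-machined.
# dbus-daemon reads /usr/share/dbus-1/system.d first, then /etc/dbus-1/system.d,
# alphabetically within each directory; within a scope the last matching rule wins.

# audit_machined_policy FILE... -> one line per rule:
#   <file> <scope> <allow|deny> <interface or *>
audit_machined_policy() {
    for f in "$@"; do
        [ -f "$f" ] || continue
        awk -v file="$f" '
        BEGIN { RS = "<"; scope = "(none)" }        # one XML element per record
        /^policy[ \t\n]/ {                          # <policy context=|user=|group= ...>
            scope = "(unscoped)"
            if (match($0, /(context|user|group)="[^"]*"/))
                scope = substr($0, RSTART, RLENGTH)
            next
        }
        /^\/policy/ { scope = "(none)"; next }     # </policy>
        /^(allow|deny)[ \t\n]/ && /send_destination="org\.freedesktop\.machine1"/ {
            iface = "*"                             # no send_interface: rule covers all
            if (match($0, /send_interface="[^"]*"/))
                iface = substr($0, RSTART + 16, RLENGTH - 17)
            print file, scope, $1, iface
        }' "$f"
    done
}

# effective_default_verdict FILE... -> last rule applying to context="default"
# (any unprivileged caller): "allow", "deny" or "unspecified"
effective_default_verdict() {
    audit_machined_policy "$@" |
        awk '$2 == "context=\"default\"" { v = $3 }
             END { if (v == "") v = "unspecified"; print v }'
}

# Constructed sample policy files for a dry run (not copied from any distro).
write_sample_policies() {
    dir=$1
    cat > "$dir/org.freedesktop.machine1.conf" <<'EOF'
<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
  <policy user="root">
    <allow own="org.freedesktop.machine1"/>
    <allow send_destination="org.freedesktop.machine1"/>
  </policy>
  <policy context="default">
    <allow send_destination="org.freedesktop.machine1"/>
  </policy>
</busconfig>
EOF
    cat > "$dir/99-block-machined.conf" <<'EOF'
<busconfig>
  <policy context="default">
    <deny send_destination="org.freedesktop.machine1"
          send_interface="org.freedesktop.machine1.Manager"/>
  </policy>
</busconfig>
EOF
}

# Dry run against the constructed files; on a real host pass
#   /usr/share/dbus-1/system.d/*.conf /etc/dbus-1/system.d/*.conf
tmp=$(mktemp -d)
write_sample_policies "$tmp"
audit_machined_policy "$tmp/org.freedesktop.machine1.conf" "$tmp/99-block-machined.conf"
echo "default context verdict: $(effective_default_verdict "$tmp/org.freedesktop.machine1.conf" "$tmp/99-block-machined.conf")"
rm -rf "$tmp"
```

A verdict of `allow` with interface `*` is the shape of the vendor file; after the override the last default-context rule is `deny` for `org.freedesktop.machine1.Manager`. Note that a deny keyed on `send_interface` only matches messages carrying that interface header, which `busctl` and ordinary clients always set.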

Limitation: these workarounds only stop CVE-2026-4105. For CVE-2026-40225 (malicious USB devices), add a udev rule that deauthorizes newly attached USB devices. The rule below blocks every hot-plugged USB device, keyboards included, so on anything but a headless server put rules that re-authorize your known devices ahead of it:

```bash
# "=" assigns the attribute; with "==" the rule would only match and do nothing
echo 'ACTION=="add", SUBSYSTEM=="usb", ATTR{authorized}="0"' > /etc/udev/rules.d/99-block-untrusted-usb.rules
udevadm control --reload-rules
```


Suggested reading:

Book: Using & Administering Linux, Volume 2

Why this book matters:

"Using and Administering Linux: Volume 2" (David Both) – because it has an actual chapter on D-Bus and udev (Chapter 38), which is the exact attack surface of CVE-2026-4105 and CVE-2026-40225. Most sysadmins don't know how D-Bus works until something breaks. This book fixes that.


Affiliate disclosure: As an Amazon Associate, I earn from qualifying purchases. This helps me keep writing in-depth security guides – at no extra cost to you.


