CVE-2023-26604

systemd before 247 does not adequately block local privilege escalation for some Sudo configurations, e.g., plausible sudoers files in which the "systemctl status" command may be executed. Specifically, systemd does not set LESSSECURE to 1, and thus other programs may be launched from the less program. This presents a substantial security risk when running systemctl from Sudo, because less executes as root when the terminal size is too small to show the complete systemctl output.

| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | Primary | 7.8 HIGH | LOCAL | LOW | LOW | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |

EPSS Score percentile: 90%

Affected Products (NVD)

| Vendor | Product | Version |
|---|---|---|
| debian | debian_linux | 10.0 |
| systemd_project | systemd | 𝑥 < 246.7 |

𝑥 = Vulnerable software versions

Debian Releases

| Debian Product | Codename | Version | Status |
|---|---|---|---|
| systemd | bookworm | 252.31-1~deb12u1 | fixed |
| | bullseye | 247.3-7+deb11u5 | fixed |
| | bullseye (security) | 247.3-7+deb11u6 | fixed |
| | sid | 257.1-5 | fixed |
| | trixie | 257.1-4 | fixed |

Ubuntu Releases

| Ubuntu Product | Codename | Status |
|---|---|---|
| systemd | bionic | needed |
| | focal | needed |
| | jammy | not-affected |
| | kinetic | not-affected |
| | lunar | not-affected |
| | mantic | not-affected |
| | noble | not-affected |
| | oracular | not-affected |
| | trusty | ignored |
| | xenial | needs-triage |

openSUSE / SLES Releases

| openSUSE Product | Release | Version | Status |
|---|---|---|---|
| libsystemd0 | suse enterprise server 15 SP3 | 246.16-150300.7.60.1 | fixed |
| libsystemd0-228 | suse enterprise sap 12 SP5 | 157.52.1 | fixed |
| | suse enterprise server 12 SP2 | 150.108.2 | fixed |
| | suse enterprise server 12 SP3 | 150.108.2 | fixed |
| | suse enterprise server 12 SP4 | 150.108.2 | fixed |
| | suse enterprise server 12 SP5 | 157.52.1 | fixed |
| libsystemd0-32bit | suse enterprise server 15 SP3 | 246.16-150300.7.60.1 | fixed |
| libsystemd0-32bit-228 | suse enterprise sap 12 SP5 | 157.52.1 | fixed |
| | suse enterprise server 12 SP2 | 150.108.2 | fixed |
| | suse enterprise server 12 SP3 | 150.108.2 | fixed |
| | suse enterprise server 12 SP4 | 150.108.2 | fixed |
| | suse enterprise server 12 SP5 | 157.52.1 | fixed |
| libudev-devel | suse enterprise server 15 SP3 | 246.16-150300.7.60.1 | fixed |
| libudev-devel-228 | suse enterprise sap 12 SP5 | 157.52.1 | fixed |
| | suse enterprise server 12 SP3 | 150.108.2 | fixed |
| | suse enterprise server 12 SP4 | 150.108.2 | fixed |
| | suse enterprise server 12 SP5 | 157.52.1 | fixed |
| libudev1 | suse enterprise server 15 SP3 | 246.16-150300.7.60.1 | fixed |
| libudev1-228 | suse enterprise sap 12 SP5 | 157.52.1 | fixed |
| | suse enterprise server 12 SP2 | 150.108.2 | fixed |
| | suse enterprise server 12 SP3 | 150.108.2 | fixed |
| | suse enterprise server 12 SP4 | 150.108.2 | fixed |
| | suse enterprise server 12 SP5 | 157.52.1 | fixed |
| libudev1-32bit | suse enterprise server 15 SP3 | 246.16-150300.7.60.1 | fixed |
| libudev1-32bit-228 | suse enterprise sap 12 SP5 | 157.52.1 | fixed |
| | suse enterprise server 12 SP2 | 150.108.2 | fixed |
| | suse enterprise server 12 SP3 | 150.108.2 | fixed |
| | suse enterprise server 12 SP4 | 150.108.2 | fixed |
| | suse enterprise server 12 SP5 | 157.52.1 | fixed |
| systemd | suse enterprise server 15 SP3 | 246.16-150300.7.60.1 | fixed |
| systemd-228 | suse enterprise sap 12 SP5 | 157.52.1 | fixed |
| | suse enterprise server 12 SP2 | 150.108.2 | fixed |
| | suse enterprise server 12 SP3 | 150.108.2 | fixed |
| | suse enterprise server 12 SP4 | 150.108.2 | fixed |
| | suse enterprise server 12 SP5 | 157.52.1 | fixed |
| systemd-32bit | suse enterprise server 15 SP3 | 246.16-150300.7.60.1 | fixed |
| systemd-32bit-228 | suse enterprise sap 12 SP5 | 157.52.1 | fixed |
| | suse enterprise server 12 SP2 | 150.108.2 | fixed |
| | suse enterprise server 12 SP3 | 150.108.2 | fixed |
| | suse enterprise server 12 SP4 | 150.108.2 | fixed |
| | suse enterprise server 12 SP5 | 157.52.1 | fixed |
| systemd-bash-completion-228 | suse enterprise sap 12 SP5 | 157.52.1 | fixed |
| | suse enterprise server 12 SP2 | 150.108.2 | fixed |
| | suse enterprise server 12 SP3 | 150.108.2 | fixed |
| | suse enterprise server 12 SP4 | 150.108.2 | fixed |
| | suse enterprise server 12 SP5 | 157.52.1 | fixed |
| systemd-container | suse enterprise server 15 SP3 | 246.16-150300.7.60.1 | fixed |
| systemd-coredump | suse enterprise server 15 SP3 | 246.16-150300.7.60.1 | fixed |
| systemd-devel | suse enterprise server 15 SP3 | 246.16-150300.7.60.1 | fixed |
| systemd-devel-228 | suse enterprise sap 12 SP5 | 157.52.1 | fixed |
| | suse enterprise server 12 SP2 | 150.108.2 | fixed |
| | suse enterprise server 12 SP3 | 150.108.2 | fixed |
| | suse enterprise server 12 SP4 | 150.108.2 | fixed |
| | suse enterprise server 12 SP5 | 157.52.1 | fixed |
| systemd-doc | suse enterprise server 15 SP3 | 246.16-150300.7.60.1 | fixed |
| systemd-journal-remote | suse enterprise server 15 SP3 | 246.16-150300.7.60.1 | fixed |
| systemd-lang | suse enterprise server 15 SP3 | 246.16-150300.7.60.1 | fixed |
| systemd-sysvinit | suse enterprise server 15 SP3 | 246.16-150300.7.60.1 | fixed |
| systemd-sysvinit-228 | suse enterprise sap 12 SP5 | 157.52.1 | fixed |
| | suse enterprise server 12 SP2 | 150.108.2 | fixed |
| | suse enterprise server 12 SP3 | 150.108.2 | fixed |
| | suse enterprise server 12 SP4 | 150.108.2 | fixed |
| | suse enterprise server 12 SP5 | 157.52.1 | fixed |
| udev | suse enterprise server 15 SP3 | 246.16-150300.7.60.1 | fixed |
| udev-228 | suse enterprise sap 12 SP5 | 157.52.1 | fixed |
| | suse enterprise server 12 SP2 | 150.108.2 | fixed |
| | suse enterprise server 12 SP3 | 150.108.2 | fixed |
| | suse enterprise server 12 SP4 | 150.108.2 | fixed |
| | suse enterprise server 12 SP5 | 157.52.1 | fixed |

Red Hat Enterprise Linux Releases

| Red Hat Product | Release | Version | Status |
|---|---|---|---|
| systemd | RHEL 8 | 0:239-74.el8_8.2 | fixed |
| | RHEL 8.6 AUS | 0:239-58.el8_6.13 | fixed |
| | RHEL 8.6 E4S | 0:239-58.el8_6.13 | fixed |
| | RHEL 8.6 EUS | 0:239-58.el8_6.13 | fixed |
| | RHEL 8.6 TUS | 0:239-58.el8_6.13 | fixed |
| | RHEL 8.8 AUS | 0:239-74.el8_8.2 | fixed |
| | RHEL 8.8 E4S | 0:239-74.el8_8.2 | fixed |
| | RHEL 8.8 EUS | 0:239-74.el8_8.2 | fixed |
| | RHEL 8.8 TUS | 0:239-74.el8_8.2 | fixed |
| systemd-container | RHEL 8 | 0:239-74.el8_8.2 | fixed |
| | RHEL 8.6 AUS | 0:239-58.el8_6.13 | fixed |
| | RHEL 8.6 E4S | 0:239-58.el8_6.13 | fixed |
| | RHEL 8.6 EUS | 0:239-58.el8_6.13 | fixed |
| | RHEL 8.6 TUS | 0:239-58.el8_6.13 | fixed |
| | RHEL 8.8 AUS | 0:239-74.el8_8.2 | fixed |
| | RHEL 8.8 E4S | 0:239-74.el8_8.2 | fixed |
| | RHEL 8.8 EUS | 0:239-74.el8_8.2 | fixed |
| | RHEL 8.8 TUS | 0:239-74.el8_8.2 | fixed |
| systemd-devel | RHEL 8 | 0:239-74.el8_8.2 | fixed |
| | RHEL 8.6 AUS | 0:239-58.el8_6.13 | fixed |
| | RHEL 8.6 E4S | 0:239-58.el8_6.13 | fixed |
| | RHEL 8.6 EUS | 0:239-58.el8_6.13 | fixed |
| | RHEL 8.6 TUS | 0:239-58.el8_6.13 | fixed |
| | RHEL 8.8 AUS | 0:239-74.el8_8.2 | fixed |
| | RHEL 8.8 E4S | 0:239-74.el8_8.2 | fixed |
| | RHEL 8.8 EUS | 0:239-74.el8_8.2 | fixed |
| | RHEL 8.8 TUS | 0:239-74.el8_8.2 | fixed |
| systemd-journal-remote | RHEL 8 | 0:239-74.el8_8.2 | fixed |
| | RHEL 8.6 AUS | 0:239-58.el8_6.13 | fixed |
| | RHEL 8.6 E4S | 0:239-58.el8_6.13 | fixed |
| | RHEL 8.6 EUS | 0:239-58.el8_6.13 | fixed |
| | RHEL 8.6 TUS | 0:239-58.el8_6.13 | fixed |
| | RHEL 8.8 AUS | 0:239-74.el8_8.2 | fixed |
| | RHEL 8.8 E4S | 0:239-74.el8_8.2 | fixed |
| | RHEL 8.8 EUS | 0:239-74.el8_8.2 | fixed |
| | RHEL 8.8 TUS | 0:239-74.el8_8.2 | fixed |
| systemd-libs | RHEL 8 | 0:239-74.el8_8.2 | fixed |
| | RHEL 8.6 AUS | 0:239-58.el8_6.13 | fixed |
| | RHEL 8.6 E4S | 0:239-58.el8_6.13 | fixed |
| | RHEL 8.6 EUS | 0:239-58.el8_6.13 | fixed |
| | RHEL 8.6 TUS | 0:239-58.el8_6.13 | fixed |
| | RHEL 8.8 AUS | 0:239-74.el8_8.2 | fixed |
| | RHEL 8.8 E4S | 0:239-74.el8_8.2 | fixed |
| | RHEL 8.8 EUS | 0:239-74.el8_8.2 | fixed |
| | RHEL 8.8 TUS | 0:239-74.el8_8.2 | fixed |
| systemd-pam | RHEL 8 | 0:239-74.el8_8.2 | fixed |
| | RHEL 8.6 AUS | 0:239-58.el8_6.13 | fixed |
| | RHEL 8.6 E4S | 0:239-58.el8_6.13 | fixed |
| | RHEL 8.6 EUS | 0:239-58.el8_6.13 | fixed |
| | RHEL 8.6 TUS | 0:239-58.el8_6.13 | fixed |
| | RHEL 8.8 AUS | 0:239-74.el8_8.2 | fixed |
| | RHEL 8.8 E4S | 0:239-74.el8_8.2 | fixed |
| | RHEL 8.8 EUS | 0:239-74.el8_8.2 | fixed |
| | RHEL 8.8 TUS | 0:239-74.el8_8.2 | fixed |
| systemd-tests | RHEL 8 | 0:239-74.el8_8.2 | fixed |
| | RHEL 8.6 AUS | 0:239-58.el8_6.13 | fixed |
| | RHEL 8.6 E4S | 0:239-58.el8_6.13 | fixed |
| | RHEL 8.6 EUS | 0:239-58.el8_6.13 | fixed |
| | RHEL 8.6 TUS | 0:239-58.el8_6.13 | fixed |
| | RHEL 8.8 AUS | 0:239-74.el8_8.2 | fixed |
| | RHEL 8.8 E4S | 0:239-74.el8_8.2 | fixed |
| | RHEL 8.8 EUS | 0:239-74.el8_8.2 | fixed |
| | RHEL 8.8 TUS | 0:239-74.el8_8.2 | fixed |
| systemd-udev | RHEL 8 | 0:239-74.el8_8.2 | fixed |
| | RHEL 8.6 AUS | 0:239-58.el8_6.13 | fixed |
| | RHEL 8.6 E4S | 0:239-58.el8_6.13 | fixed |
| | RHEL 8.6 EUS | 0:239-58.el8_6.13 | fixed |
| | RHEL 8.6 TUS | 0:239-58.el8_6.13 | fixed |
| | RHEL 8.8 AUS | 0:239-74.el8_8.2 | fixed |
| | RHEL 8.8 E4S | 0:239-74.el8_8.2 | fixed |
| | RHEL 8.8 EUS | 0:239-74.el8_8.2 | fixed |
| | RHEL 8.8 TUS | 0:239-74.el8_8.2 | fixed |