CVE-2023-26604

EUVD-2023-30399
systemd before 247 does not adequately block local privilege escalation for some sudo configurations, e.g., plausible sudoers files in which the "systemctl status" command may be executed. Specifically, systemd does not set LESSSECURE to 1 for the pager it spawns, so less runs without its secure mode and other programs may be launched from inside it (for example via its "!" shell-escape command). This presents a substantial security risk when running systemctl from sudo, because less executes as root when the terminal is too small to show the complete systemctl output, and anything launched from that less session inherits the root context.
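The shell script below is an added triage helper, not code from the advisory, NVD, or the systemd project. It checks the two conditions the description combines: a systemd whose major version is below the 247 threshold stated above (the script assumes that threshold; distribution backports such as Debian's 247.3-7+deb11u5 may carry the fix in an older-looking tree, so the package changelog remains authoritative) and a sudoers rule that grants systemctl without the --no-pager argument, which is the option that stops systemctl from spawning a pager at all. The version strings and sudoers fragment are constructed sample data; on a real host you would feed it the output of systemctl --version and the contents of /etc/sudoers and /etc/sudoers.d/*. The function and variable names are this example's own.

```shell
#!/usr/bin/env sh
# Added triage helper for CVE-2023-26604 (not from the advisory or systemd).
# Assumptions: the "before 247" threshold from the advisory text, and a
# substring match on sudoers rules that name systemctl without --no-pager.

# Extract the major version from `systemctl --version` output, whose first
# line looks like "systemd 245 (245.4-4ubuntu3.22)".
systemd_major_version() {
    # $1: text of `systemctl --version`
    printf '%s\n' "$1" | awk 'NR==1 && $1=="systemd" { v=$2; sub(/[^0-9].*/, "", v); print v; exit }'
}

# True (exit 0) when the major version is below 247, the first upstream
# release that sets LESSSECURE=1 for its pager. Treat this as a hint only:
# distribution backports (e.g. Debian bullseye 247.3-7+deb11u5) can fix
# trees whose major number alone would look vulnerable.
pager_unsecured_version() {
    local major
    major=$(systemd_major_version "$1")
    [ -n "$major" ] && [ "$major" -lt 247 ]
}

# Print sudoers rules that grant systemctl (any path) without --no-pager.
# Comment and Defaults lines are skipped. The check is deliberately
# conservative and may over-report, e.g. it does not resolve Cmnd_Alias
# definitions.
risky_sudoers_rules() {
    # $1: sudoers text
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/        { next }
        /^[[:space:]]*Defaults/ { next }
        /systemctl/ && !/--no-pager/ { print }
    '
}

# Verdict: exit 0 when both conditions hold (the combination the advisory
# describes as exploitable), 1 otherwise.
audit_cve_2023_26604() {
    # $1: `systemctl --version` text, $2: sudoers text
    pager_unsecured_version "$1" || return 1
    [ -n "$(risky_sudoers_rules "$2")" ]
}

# --- Constructed sample data (not captured from a real host) ---
SAMPLE_VERSION_OLD='systemd 245 (245.4-4ubuntu3.22)
+PAM +AUDIT +SELINUX +IMA'
SAMPLE_VERSION_NEW='systemd 252 (252.31-1~deb12u1)
+PAM +AUDIT +SELINUX +IMA'
SAMPLE_SUDOERS='# constructed sudoers fragment
Defaults env_reset
ops ALL=(root) NOPASSWD: /bin/systemctl status nginx
ops ALL=(root) NOPASSWD: /bin/systemctl status --no-pager sshd
deploy ALL=(root) /usr/bin/apt-get update'

# Demo run against the constructed data: only the first "ops" rule is
# reported, because the second one forces --no-pager.
if audit_cve_2023_26604 "$SAMPLE_VERSION_OLD" "$SAMPLE_SUDOERS"; then
    echo "exploitable combination found; offending sudoers rules:"
    risky_sudoers_rules "$SAMPLE_SUDOERS"
fi
```

Pinning the argument list in the sudoers rule (`/bin/systemctl status --no-pager sshd`) is the workable interim hardening for hosts that cannot yet move to a fixed package: sudo then rejects any invocation that omits --no-pager, so the pager is never spawned as root regardless of terminal size.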
Provider    Type      Base Score   Atk. Vector   Atk. Complexity   Priv. Required   Vector
NIST        Primary   7.8 HIGH     LOCAL         LOW               LOW              CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA-ADP    ADP       7.8 HIGH     LOCAL         LOW               LOW              CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score: 89th percentile
Affected Products (NVD)
Vendor            Product        Version
debian            debian_linux   10.0
systemd_project   systemd        < 246.7 (vulnerable software versions)
Debian Releases (product: systemd)
Codename               Version              Status
bookworm               252.31-1~deb12u1     fixed
bullseye               247.3-7+deb11u5      fixed
bullseye (security)    247.3-7+deb11u6      fixed
sid                    257.1-5              fixed
trixie                 257.1-4              fixed
Ubuntu Releases (product: systemd)
Codename   Status
bionic     needed
focal      needed
jammy      not-affected
kinetic    not-affected
lunar      not-affected
mantic     not-affected
noble      not-affected
oracular   not-affected
trusty     ignored
xenial     needs-triage