CVE-2023-26604

03.03.2023, 16:15

systemd before 247 does not adequately block local privilege escalation for some Sudo configurations, e.g., plausible sudoers files in which the "systemctl status" command may be executed. Specifically, systemd does not set LESSSECURE to 1, and thus other programs may be launched from the less program. This presents a substantial security risk when running systemctl from Sudo, because less executes as root when the terminal size is too small to show the complete systemctl output.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	7.8 HIGH	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
mitre	CNA	---				---
CVE	ADP	---				---
CISA-ADP	ADP	7.8 HIGH	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 84%

Vendor	Product	Version
systemd_project	systemd	𝑥 < 247

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

systemd

bullseye	247.3-7+deb11u5 fixed
bullseye (security)	247.3-7+deb11u6 fixed
bookworm	252.31-1~deb12u1 fixed
trixie	257.1-4 fixed
sid	257.1-5 fixed

Ubuntu Releases

Ubuntu Product

Codename

systemd

oracular	not-affected
noble	not-affected
mantic	not-affected
lunar	not-affected
kinetic	not-affected
jammy	not-affected
focal	needed
bionic	needed
xenial	needs-triage
trusty	ignored

Known Exploits!

Common Weakness Enumeration

CWE-269 - Improper Privilege Management
The software does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

References

http://packetstormsecurity.com/files/174130/systemd-246-Local-Root-Privilege-Escalation.html

https://blog.compass-security.com/2012/10/dangerous-sudoers-entries-part-2-insecure-functionality/

https://github.com/systemd/systemd/blob/main/NEWS#L4335-L4340

https://lists.debian.org/debian-lts-announce/2023/03/msg00032.html