Bug 2175611 (CVE-2023-26604)
| Summary: | CVE-2023-26604 systemd: privilege escalation via the less pager | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Sandipan Roy <saroy> |
| Component: | vulnerability | Assignee: | Nobody <nobody> |
| Status: | NEW --- | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | derrick.roach.ctr, fdemeloj, kyoshida, lnykryn, mmillson, msekleta, systemd-maint-list, systemd-maint, yaoli, zjedrzej |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | systemd 247 | Doc Type: | If docs needed, set a value |
| Doc Text: |
A vulnerability was found in the systemd package. The systemd package does not adequately block local privilege escalation for some Sudo configurations, for example, plausible sudoers files, in which the "systemctl status" command may be executed. Specifically, systemd does not set LESSSECURE to 1, and thus other programs may be launched from the less program. This issue presents a substantial security risk when running systemctl from Sudo because less executes as root when the terminal size is too small to show the complete systemctl output.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | --- | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 2175622, 2175623, 2175624 | ||
| Bug Blocks: | 2175273 | ||
|
Description
Sandipan Roy
2023-03-06 06:31:31 UTC
On https://github.com/systemd/systemd/issues/5666 upstream claims this is not a vulnerability. Upstream feature SYSTEMD_PAGERSECURE implemented in systemd version 247. systemd never claimed that 'systemctl' is suitable to being invoked via 'sudo'. It is definitely on the person creating sudo configuration to make sure that the invoked command does not have allow execution of arbitrary commands. For anything other than some specialized tools, this is very hard to ensure. In practice, I don't think this a very realistic concern. Commands like 'systemctl enable/disable/start/stop/restart/set-default/get-default' do not start the pager. Commands like 'systemctl status/show' do not require privileges, so there isn't much reason to use them under sudo, i.e. no reason to create sudo configuration to allow them to be called with privileges. Somebody has dug up a 5-year-old RFE issue to assign a CVE. Meh. This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2023:3837 https://access.redhat.com/errata/RHSA-2023:3837 Hello Team There is a container image, https://catalog.redhat.com/software/containers/ubi8/openjdk-17-runtime/618bdc5f843af1624c4e4ba8?tag=1.16-1.1687182770&push_date=1687373867000&container-tabs=packages the image used systems version is systemd-libs-239-74.el8_8.x86_64 RHSA fixed version is systemd-libs-239-74.el8_8.2.x86_64.rpm May I know we had plan to rebuild a new tag and include the fixed issue rpm Thank you On the ubi8 openjdk images there is no systemd, sudo, or systemctl relates to this CVE/RFE (agree with Zbigniew). Those are removed packages. This is N/A. ~~~ [jboss@4ed132880bb5 ~]$ rpm -qa | grep systemd systemd-libs-239-74.el8_8.x86_64 [jboss@4ed132880bb5 ~]$ id uid=185(jboss) gid=0(root) groups=0(root),185(jboss) [jboss@4ed132880bb5 ~]$ whoami jboss [jboss@4ed132880bb5 ~]$ systemctl daemon-reload bash: systemctl: command not found [jboss@4ed132880bb5 ~]$ systemctl bash: systemctl: command not found [jboss@4ed132880bb5 ~]$ sudo bash: sudo: command not found [jboss@4ed132880bb5 ~]$ systemd bash: systemd: command not found ~~~ This issue has been addressed in the following products: Red Hat Enterprise Linux 8.6 Extended Update Support Via RHSA-2024:1105 https://access.redhat.com/errata/RHSA-2024:1105 |