Bug 2254983 (CVE-2023-6917)

Summary: CVE-2023-6917 pcp: unsafe use of directories allows pcp to root privilege escalation
Product: [Other] Security Response
Reporter: Mauro Matteo Cascella <mcascell>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: security-response-team
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: pcp-6.2.0
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability has been identified in the Performance Co-Pilot (PCP) package, stemming from the mixed privilege levels of the systemd services shipped with PCP. Some services run with only the limited pcp user/group privileges, while others run with full root privileges, yet both use shared directory trees owned by the unprivileged pcp user. When a root process operates on files in a directory that an unprivileged user controls, that user can redirect the operation, typically through a planted symlink. This breaks the isolation of the pcp user and enables local pcp-to-root privilege escalation.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2266585
Bug Blocks: 2254977

Description Mauro Matteo Cascella 2023-12-18 10:34:24 UTC
Security issues in pcp on Linux were found by Matthias Gerstner (SUSE Linux security team). The systemd services coming with pcp run with mixed privileges. Some use only limited pcp user/group privileges, like "pmie_check.service". Others like "pmcd.service" run with full root privileges. In both contexts shared directory structures are used, though, like:

- /var/lib/pcp/tmp owned by pcp:pcp mode 775
- /var/log/pcp owned by pcp:pcp mode 775

When privileged root processes access files in directories or directory trees controlled by unprivileged users, security issues can easily result. For the directories listed above, two exploitable issues were found that allow breaking the pcp user isolation and allow local pcp-to-root exploits (via symlink attacks).
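The hazard the report describes, privileged code opening a file by path inside a directory that an unprivileged user owns, as an added example that is not part of this bug report and not PCP's own code. naive_open_in_dir is the pattern that gets redirected by a planted symlink; safe_open_in_dir is one per-open hardening (open the directory, check ownership on the resulting fd, openat with O_NOFOLLOW, fstat the result); run_demo stages the symlink in a scratch directory owned by the caller, so it runs without root and the "root-owned" target is only a stand-in. All three function names, the expected_owner parameter and the scratch-directory layout are assumptions made for this illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Naive pattern for a root process writing a log or state file under a
 * directory an unprivileged user owns: build the path and open() it. open()
 * follows a symlink in the final component, so if the directory owner planted
 * name -> /some/root-owned/file, root appends to that file instead. */
int naive_open_in_dir(const char *dir, const char *name)
{
    char path[PATH_MAX];
    if (snprintf(path, sizeof path, "%s/%s", dir, name) >= (int)sizeof path) {
        errno = ENAMETOOLONG;
        return -1;
    }
    return open(path, O_WRONLY | O_CREAT | O_APPEND, 0640);
}

/* Hardened pattern (illustrative, not PCP's fix): open the directory first,
 * check ownership on the fd we actually got, open the file relative to it with
 * O_NOFOLLOW, and confirm the result is a regular file. Returns -1 with errno
 * set when it refuses. */
int safe_open_in_dir(const char *dir, const char *name, uid_t expected_owner)
{
    struct stat st;
    int dfd, fd, saved;
    /* One path component only: no "/" (no symlinked subdirectory), no "." or "..". */
    if (name[0] == '\0' || strchr(name, '/') != NULL ||
        strcmp(name, ".") == 0 || strcmp(name, "..") == 0) {
        errno = EINVAL;
        return -1;
    }
    dfd = open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (dfd < 0)
        return -1;
    if (fstat(dfd, &st) != 0 || st.st_uid != expected_owner) {
        close(dfd);
        errno = EPERM;
        return -1;
    }
    /* O_NOFOLLOW: a symlink as the final component fails with ELOOP. */
    fd = openat(dfd, name, O_WRONLY | O_CREAT | O_APPEND | O_NOFOLLOW | O_CLOEXEC, 0640);
    saved = errno;
    close(dfd);
    errno = saved;
    if (fd < 0)
        return -1;
    /* Refuse a FIFO, device node or anything else planted under the name. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Stages the attack in a scratch directory the caller owns (no root needed) and
 * runs both open paths. Returns a bitmask, 15 when every expectation holds:
 *   1 naive open followed trap -> victim and wrote into victim
 *   2 hardened open refused trap with ELOOP
 *   4 hardened open accepted a plain regular file
 *   8 hardened open refused the directory when its owner was not the expected one */
int run_demo(void)
{
    char tmpl[] = "/tmp/pcp-demo-XXXXXX", local[] = "pcp-demo-XXXXXX";
    char victim[PATH_MAX], trap[PATH_MAX], report[PATH_MAX];
    const char *dir = mkdtemp(tmpl) ? tmpl : mkdtemp(local) ? local : NULL;
    struct stat st;
    int result = 0, fd;

    if (dir == NULL)
        return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(trap, sizeof trap, "%s/trap", dir);
    snprintf(report, sizeof report, "%s/report", dir);
    /* "victim" stands in for a root-owned file; "trap" is the planted symlink. */
    fd = open(victim, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0 || close(fd) != 0 || symlink(victim, trap) != 0)
        return -1;

    fd = naive_open_in_dir(dir, "trap");
    if (fd >= 0) {
        if (write(fd, "pwned\n", 6) == 6 && stat(victim, &st) == 0 && st.st_size == 6)
            result |= 1;
        close(fd);
    }
    if ((fd = safe_open_in_dir(dir, "trap", getuid())) < 0 && errno == ELOOP)
        result |= 2;
    else if (fd >= 0)
        close(fd);
    if ((fd = safe_open_in_dir(dir, "report", getuid())) >= 0) {
        result |= 4;
        close(fd);
    }
    if ((fd = safe_open_in_dir(dir, "report", getuid() + 1)) < 0 && errno == EPERM)
        result |= 8;
    else if (fd >= 0)
        close(fd);

    unlink(report);
    unlink(trap);
    unlink(victim);
    rmdir(dir);
    return result;
}
```

The checks are deliberately made on file descriptors rather than on paths: a stat() on the path followed by an open() of the same path would leave a window in which the directory owner swaps in the symlink. Note also that this only hardens a single open; the structural problem the report points at, root services and pcp-owned services sharing trees like /var/lib/pcp/tmp and /var/log/pcp, is better addressed by not having root write into unprivileged-owned directories at all.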

Comment 3 Sandipan Roy 2024-02-28 12:28:23 UTC
Created pcp tracking bugs for this issue:

Affects: fedora-all [bug 2266585]

Comment 4 errata-xmlrpc 2024-04-30 09:49:35 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:2213 https://access.redhat.com/errata/RHSA-2024:2213