systemd before 247 does not adequately block local privilege escalation for some Sudo configurations, e.g., plausible sudoers files in which the "systemctl status" command may be executed. Specifically, systemd does not set LESSSECURE to 1, and thus other programs may be launched from the less program. This presents a substantial security risk when running systemctl from Sudo, because less executes as root when the terminal size is too small to show the complete systemctl output.
References:
https://medium.com/@zenmoviefornotification/saidov-maxim-cve-2023-26604-c1232a526ba7
https://github.com/systemd/systemd/blob/main/NEWS#L4335-L4340
https://blog.compass-security.com/2012/10/dangerous-sudoers-entries-part-2-insecure-functionality/
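The risk described above comes from a sudoers rule that lets a pager-spawning systemctl subcommand run as root without any control on what the pager may execute. The following POSIX shell script is an added example, not part of this bug report or of systemd, that a defender can run against a sudoers file to find such rules, to rewrite them with sudo's NOEXEC tag, and to check whether a given environment would keep the pager in secure mode. The sample sudoers lines are constructed; the environment variables LESSSECURE and SYSTEMD_PAGERSECURE are the ones named in this report, and the treatment of SYSTEMD_PAGER (empty or "cat" meaning "no interactive pager") is an assumption of this script.

```shell
#!/bin/sh
# Constructed sample sudoers content (hypothetical host, hypothetical users).
SAMPLE_SUDOERS='ops ALL=(root) /usr/bin/systemctl status *
ops ALL=(root) NOEXEC: /usr/bin/systemctl status *
ops ALL=(root) /usr/bin/systemctl restart httpd.service
backup ALL=(root) /usr/bin/systemctl show *'

# Print sudoers rules that grant a systemctl subcommand which can start a
# pager (status/show/cat/list-*) without sudo's NOEXEC tag. Subcommands such
# as start/stop/restart do not page, so they are not reported.
weak_pager_rules() {
  printf '%s\n' "$1" \
    | grep -E 'systemctl[[:space:]]+(status|show|cat|list-[a-z-]+)' \
    | grep -v 'NOEXEC:' || true
}

# Number of weak rules found (0 when none).
count_weak_pager_rules() {
  weak_pager_rules "$1" | awk 'END { print NR }'
}

# Rewrite one rule so the command runs with NOEXEC:, which tells sudo to
# prevent the command (and therefore the pager it spawns) from executing
# further programs. Rules that already carry the tag are left unchanged.
harden_rule() {
  case "$1" in
    *NOEXEC:*) printf '%s\n' "$1" ;;
    *) printf '%s\n' "$1" | sed -E 's/(ALL=\([^)]*\)[[:space:]]+)/\1NOEXEC: /' ;;
  esac
}

# Decide, from KEY=VALUE words, whether the pager would run in secure mode:
#   LESSSECURE=1          less refuses to launch other programs
#   SYSTEMD_PAGERSECURE=1 systemd >= 247 forces LESSSECURE=1 itself
#   SYSTEMD_PAGER= / =cat no interactive pager at all (assumption of this script)
# Returns 0 when hardened, 1 otherwise.
pager_env_is_hardened() {
  lesssecure= sysdsecure= sysdpager=unset
  for kv in "$@"; do
    case "$kv" in
      LESSSECURE=*)          lesssecure=${kv#*=} ;;
      SYSTEMD_PAGERSECURE=*) sysdsecure=${kv#*=} ;;
      SYSTEMD_PAGER=*)       sysdpager=${kv#*=} ;;
    esac
  done
  [ "$lesssecure" = 1 ] && return 0
  [ "$sysdsecure" = 1 ] && return 0
  [ "$sysdpager" = "" ] || [ "$sysdpager" = cat ] && return 0
  return 1
}

# Stand-alone demonstration on the constructed sample.
echo "Weak pager rules in sample sudoers:"
weak_pager_rules "$SAMPLE_SUDOERS"
echo "Hardened form of the first rule:"
harden_rule 'ops ALL=(root) /usr/bin/systemctl status *'
if pager_env_is_hardened SYSTEMD_PAGER=cat; then
  echo "SYSTEMD_PAGER=cat: pager cannot be used to launch programs"
fi
```

Two caveats when applying this: sudo resets the caller's environment by default, so the environment check must be run on what sudo actually hands to the command (for example variables set through Defaults), not on the invoking user's shell; and NOEXEC relies on sudo's noexec support being functional on the host, so the rule-level fix is best combined with the systemd 247 behaviour or with a pager setting that does not page at all.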
On https://github.com/systemd/systemd/issues/5666 upstream claims this is not a vulnerability. The upstream feature SYSTEMD_PAGERSECURE was implemented in systemd version 247.
systemd never claimed that 'systemctl' is suitable to being invoked via 'sudo'. It is definitely on the person creating the sudo configuration to make sure that the invoked command does not allow execution of arbitrary commands. For anything other than some specialized tools, this is very hard to ensure. In practice, I don't think this is a very realistic concern. Commands like 'systemctl enable/disable/start/stop/restart/set-default/get-default' do not start the pager. Commands like 'systemctl status/show' do not require privileges, so there isn't much reason to use them under sudo, i.e. no reason to create sudo configuration to allow them to be called with privileges. Somebody has dug up a 5-year-old RFE issue to assign a CVE. Meh.
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2023:3837 https://access.redhat.com/errata/RHSA-2023:3837
Hello Team, there is a container image, https://catalog.redhat.com/software/containers/ubi8/openjdk-17-runtime/618bdc5f843af1624c4e4ba8?tag=1.16-1.1687182770&push_date=1687373867000&container-tabs=packages. The systemd version used by the image is systemd-libs-239-74.el8_8.x86_64; the RHSA fixed version is systemd-libs-239-74.el8_8.2.x86_64.rpm. May I know whether we have a plan to rebuild a new tag and include the fixed rpm? Thank you.
On the ubi8 openjdk images there is no systemd, sudo, or systemctl related to this CVE/RFE (agree with Zbigniew). Those are removed packages. This is N/A.
~~~
[jboss@4ed132880bb5 ~]$ rpm -qa | grep systemd
systemd-libs-239-74.el8_8.x86_64
[jboss@4ed132880bb5 ~]$ id
uid=185(jboss) gid=0(root) groups=0(root),185(jboss)
[jboss@4ed132880bb5 ~]$ whoami
jboss
[jboss@4ed132880bb5 ~]$ systemctl daemon-reload
bash: systemctl: command not found
[jboss@4ed132880bb5 ~]$ systemctl
bash: systemctl: command not found
[jboss@4ed132880bb5 ~]$ sudo
bash: sudo: command not found
[jboss@4ed132880bb5 ~]$ systemd
bash: systemd: command not found
~~~
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.6 Extended Update Support Via RHSA-2024:1105 https://access.redhat.com/errata/RHSA-2024:1105