Bug 2254983 (CVE-2023-6917) - CVE-2023-6917 pcp: unsafe use of directories allows pcp to root privilege escalation
Summary: CVE-2023-6917 pcp: unsafe use of directories allows pcp to root privilege esc...
Status: NEW
Alias: CVE-2023-6917
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Product Security
QA Contact:
Depends On: 2266585
Blocks: 2254977
TreeView+ depends on / blocked
Reported: 2023-12-18 10:34 UTC by Mauro Matteo Cascella
Modified: 2024-04-30 09:49 UTC (History)
1 user (show)

Fixed In Version: pcp-6.2.0
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability has been identified in the Performance Co-Pilot (PCP) package, stemming from the mixed privilege levels utilized by systemd services associated with PCP. While certain services operate within the confines of limited PCP user/group privileges, others are granted full root privileges. This disparity in privilege levels poses a risk when privileged root processes interact with directories or directory trees owned by unprivileged PCP users. Specifically, this vulnerability may lead to the compromise of PCP user isolation and facilitate local PCP-to-root exploits, particularly through symlink attacks. These vulnerabilities underscore the importance of maintaining robust privilege separation mechanisms within PCP to mitigate the potential for unauthorized privilege escalation.
Clone Of:
Last Closed:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2024:2213 0 None None None 2024-04-30 09:49:36 UTC

Description Mauro Matteo Cascella 2023-12-18 10:34:24 UTC
Security issues in pcp on Linux were found by Matthias Gerstner (SUSE Linux security team). The systemd services coming with pcp run with mixed privileges. Some use only limited pcp user/group privileges, like "pmie_check.service". Others like "pmcd.service" run with full root privileges. In both contexts shared directory structures are used, though, like:

- /var/lib/pcp/tmp owned by pcp:pcp mode 775
- /var/log/pcp owned by pcp:pcp mode 775

When privileged root processes access files in directories or directory trees controlled by unprivileged users then easily security issues can result from this. For the directories listed above two exploitable issues were found that allow to break the pcp user isolation and allow local pcp to root exploits (via symlink attacks).

Comment 3 Sandipan Roy 2024-02-28 12:28:23 UTC
Created pcp tracking bugs for this issue:

Affects: fedora-all [bug 2266585]

Comment 4 errata-xmlrpc 2024-04-30 09:49:35 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:2213 https://access.redhat.com/errata/RHSA-2024:2213

Note You need to log in before you can comment on or make changes to this bug.