A security vulnerability (CVE-2023-6917) has been discovered in the Performance Co-Pilot (PCP) package that allows local privilege escalation. It arises from inconsistent privilege levels across the systemd services shipped with PCP: some run as the limited pcp user and group, while others run with full root privileges. That inconsistency becomes an attack vector when the root-privileged processes operate on directories or directory trees owned by the unprivileged pcp user, because the owner of those trees controls what the root process will find there.

In this post, we outline the specifics of this vulnerability, provide code snippets to demonstrate the issue, and give pointers to the original references. We also walk through the exploit scenario and emphasize why robust privilege separation within PCP matters for preventing unauthorized privilege escalation.

Vulnerability Details

CVE-2023-6917 comes down to a break in PCP user isolation: privileged root processes interact with directories or directory trees owned by the unprivileged pcp user. Since the pcp user can create files and symlinks anywhere in those trees, a local attacker who controls the pcp account can redirect the root process's file operations to a target of their choosing, which enables a local pcp-to-root exploit through symlink attacks.

Here is an illustrative systemd unit (not PCP's actual unit file) that shows the root of the problem:

# Illustrative service configuration (not an actual PCP unit file)

[Unit]
Description=Performance Co-Pilot Service
Requires=pcp.service
After=pcp.service

[Service]
Type=simple
ExecStart=/bin/sh -c 'exec /usr/libexec/pcp/bin/some_pcp_service --some-parameters'
# Runs as root. Omitting User= and Group= has the same effect, because
# systemd runs system services as root by default.
User=root
Group=root

[Install]
WantedBy=multi-user.target

In the snippet above, the unit runs the service as the root user and group (the same happens when User= and Group= are simply omitted, since system services default to root). Running as root is not the bug by itself; the bug is that such a root process then operates on paths inside a directory tree that the pcp user owns, which breaks PCP user isolation and makes a local pcp-to-root exploit possible.

Exploit Details and Scenario

An attacker who controls the pcp user account can place a symlink inside a pcp-owned directory, pointing at an arbitrary location in the file system. When a privileged root process later writes to or truncates that path, it follows the symlink and operates on the attacker's chosen target instead, overwriting sensitive data or otherwise damaging the system.

Suppose a PCP log-rotation job runs as root, the way the service in the snippet above does, and writes its output into a log directory owned by the pcp user. An attacker with the pcp account could replace the expected log file name with a symlink to a sensitive file such as /etc/passwd. When the rotation job writes its output, it overwrites the contents of /etc/passwd, leading to unauthorized access or, in the worst case, rendering the system inoperable.
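The scenario above, as an added example that is not PCP's code: a POSIX shell script that simulates a root-privileged rotation job writing into a directory the pcp user owns. It runs entirely inside a temporary directory as the current user (no root needed), so the file named target stands in for /etc/passwd and pcplogs/ for the pcp-owned log tree; the function names, paths and the one-line log content are all constructed for the demonstration. The vulnerable rotator writes with a plain redirection and follows the planted symlink; the hardened one creates the file with noclobber (set -C), which the shell implements with O_EXCL semantics, so the open is refused atomically if anything, including a symlink, already sits at that path.

```shell
#!/bin/sh
# Added example (not PCP code): simulate CVE-2023-6917's symlink attack pattern.
# A "root" rotation job writes a fresh log file into a directory tree owned by
# the pcp user; the attacker has planted a symlink where that file will be created.
# Everything runs as the current user inside a scratch directory, so no real
# privilege boundary is crossed; the names below are constructed for the demo.

# setup_scenario DIR: build the scenario under DIR.
#   DIR/target                 stands in for a sensitive root-owned file (/etc/passwd)
#   DIR/pcplogs/               stands in for a directory tree owned by the pcp user
#   DIR/pcplogs/pmlogger.log   the attacker's symlink, named like the expected log
setup_scenario() {
    mkdir -p "$1/pcplogs"
    printf 'root:x:0:0:root:/root:/bin/sh\n' > "$1/target"
    # The attacker, as the pcp user, controls pcplogs/ and plants the symlink.
    ln -s ../target "$1/pcplogs/pmlogger.log"
}

# rotate_unsafe LOGFILE: the vulnerable job. A plain redirection opens with
# O_CREAT|O_TRUNC and follows symlinks, so it truncates and overwrites the target.
rotate_unsafe() {
    printf 'rotated\n' > "$1"
}

# rotate_safe LOGFILE: the hardened job. With noclobber (set -C) the shell
# refuses to create the file if anything already exists at that path, symlinks
# included, using O_EXCL so there is no check-then-use race.
# Returns 0 when a fresh file was created, 1 when the path was refused.
rotate_safe() {
    if ( set -C; printf 'rotated\n' > "$1" ) 2>/dev/null; then
        return 0
    fi
    echo "refusing to write $1: path already exists (possible symlink attack)" >&2
    return 1
}

# check_target FILE: print "intact" if the sensitive file still has its original
# content, "clobbered" otherwise.
check_target() {
    if grep -q '^root:x:0:0:' "$1"; then echo intact; else echo clobbered; fi
}

# run_unsafe / run_safe: set up a scratch scenario, run one rotator against the
# attacker's path, and print the fate of the sensitive target.
run_unsafe() {
    dir=$(mktemp -d)
    setup_scenario "$dir"
    rotate_unsafe "$dir/pcplogs/pmlogger.log"
    check_target "$dir/target"
    rm -rf "$dir"
}

run_safe() {
    dir=$(mktemp -d)
    setup_scenario "$dir"
    rotate_safe "$dir/pcplogs/pmlogger.log" || true
    check_target "$dir/target"
    rm -rf "$dir"
}

echo "vulnerable rotator: sensitive file $(run_unsafe)"
echo "hardened rotator:   sensitive file $(run_safe)"
```

The noclobber trick only covers the "create a fresh file" case; a job that must append to or truncate an existing log in a pcp-owned tree needs to open with O_NOFOLLOW (or fstat the opened descriptor and verify owner and type) in whatever language it is written in, and the more robust fix, which is the one the advisory points at, is to run that job as the pcp user so there is no privilege to escalate in the first place.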

For more information about CVE-2023-6917, refer to the following official sources:

- PCP official GitHub repository
- The National Vulnerability Database (NVD)

Conclusion and Recommendations

To mitigate CVE-2023-6917 and similar vulnerabilities, PCP must maintain proper privilege separation. Running every service that can do so in a confined pcp user and group context removes the root-on-pcp-owned-paths interaction that enables the escalation.

Developers and administrators responsible for the PCP package should take the following steps:

- Review the privilege level assigned to each systemd service configuration and confine it to the dedicated pcp user/group wherever possible; remember that a unit with no User= line runs as root.
- Audit the remaining root-privileged code paths for operations on pcp-owned directories and directory trees, and make those operations symlink-safe (for example, refuse to follow symlinks when creating or opening files there) rather than trusting the contents of a directory the pcp user controls.
- Keep the PCP package up-to-date with the latest security patches to protect against known vulnerabilities.
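One way to act on the first recommendation, as an added example that is not part of PCP: a POSIX shell audit that reads the [Service] section of each unit file in a directory and reports every service that will run as root, either because it says User=root or because it has no User= line at all. The sample unit files it creates are constructed for the demonstration and are not PCP's real units; the function names are likewise assumptions. Point audit_units at /etc/systemd/system or /usr/lib/systemd/system to run it against real units.

```shell
#!/bin/sh
# Added example (not PCP code): audit systemd unit files for services that run
# as root. systemd runs a system service as root unless [Service] sets User=,
# so both an explicit User=root and a missing User= line count as root here.
# Function names and the sample units below are constructed for the demo.

# effective_user UNITFILE: print the User= value from the [Service] section,
# or "root" when the unit does not set one (systemd's default). Whitespace
# around "=" is tolerated, as systemd allows it.
effective_user() {
    awk -F= '
        /^\[/ { in_service = ($0 == "[Service]"); next }
        in_service && NF >= 2 {
            key = $1; val = $2
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "User") u = val
        }
        END { print (u == "" ? "root" : u) }
    ' "$1"
}

# audit_units DIR: print "<unit> <user>" for every *.service in DIR whose
# effective user is root. Exit status is 0 whether or not anything was found.
audit_units() {
    for unit in "$1"/*.service; do
        [ -f "$unit" ] || continue
        user=$(effective_user "$unit")
        if [ "$user" = root ]; then
            printf '%s %s\n' "$(basename "$unit")" "$user"
        fi
    done
}

# make_sample_units DIR: constructed unit files covering the three cases.
make_sample_units() {
    mkdir -p "$1"
    # Case 1: no User= line, so systemd runs it as root.
    cat > "$1/pcp-root-by-default.service" <<'EOF'
[Unit]
Description=constructed sample: implicit root

[Service]
Type=simple
ExecStart=/bin/true
EOF
    # Case 2: explicit root, with spaces around "=".
    cat > "$1/pcp-root-explicit.service" <<'EOF'
[Unit]
Description=constructed sample: explicit root

[Service]
Type=oneshot
User = root
ExecStart=/bin/true
EOF
    # Case 3: confined to a dedicated unprivileged user.
    cat > "$1/pcp-confined.service" <<'EOF'
[Unit]
Description=constructed sample: confined

[Service]
Type=simple
User=pcp
Group=pcp
ExecStart=/bin/true
EOF
}

# run_audit: build the samples in a scratch directory, audit them, clean up.
run_audit() {
    dir=$(mktemp -d)
    make_sample_units "$dir"
    audit_units "$dir"
    rm -rf "$dir"
}

run_audit
```

The script reads only the main unit file. User= can also be set or overridden through drop-in files (unit.service.d/*.conf), and DynamicUser=yes gives a service its own transient user, so on a real system confirm the effective setting with systemctl show -p User <unit> before treating a finding as confirmed.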

Following these recommendations prevents unauthorized privilege escalation through PCP's services and maintains the overall security and integrity of the Performance Co-Pilot system.

Timeline

Published on: 02/28/2024 15:15:07 UTC
Last modified on: 02/29/2024 13:49:47 UTC