CVE-2023-1326 Overview
A privilege escalation vulnerability was discovered in apport-cli version 2.26.0 and earlier. This vulnerability is similar to CVE-2023-26604 and allows a local attacker to escalate privileges under specific system configurations. The attack requires that unprivileged users are configured to run sudo apport-cli, that less is configured as the pager, and that the terminal size can be manipulated by the attacker.
Critical Impact
Local privilege escalation to root through pager command execution when apport-cli is run with elevated privileges via sudo. While the specific configuration requirements make exploitation unlikely in default deployments, systems with permissive sudo configurations for apport-cli are at risk.
Affected Products
- Canonical Apport version 2.26.0 and earlier
- Ubuntu Linux 18.04 LTS
- Ubuntu Linux 20.04 LTS
- Ubuntu Linux 22.04 LTS
- Ubuntu Linux 22.10
Discovery Timeline
- April 13, 2023 - CVE-2023-1326 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2023-1326
Vulnerability Analysis
This privilege escalation vulnerability stems from improper privilege management (CWE-269) in the apport-cli utility. When apport-cli is executed with elevated privileges through sudo or pkexec, and the system uses less as the default pager, the pager process inherits the elevated privileges. An attacker who can control the terminal size (so that the report does not fit on screen and apport-cli hands the output to the pager) can then use less's shell escape to spawn a shell with root privileges.
The core issue is that the sensible-pager command was being executed with root privileges rather than dropping privileges to the original calling user. This creates a pathway for privilege escalation since less supports shell escape functionality that allows command execution.
Root Cause
The vulnerability exists because the apport-cli tool failed to properly drop privileges when invoking the system pager. When a user runs sudo apport-cli, the entire process, including any spawned subprocesses like the pager, runs with root privileges. The less pager supports various shell escape commands (such as !command syntax) that execute with the privileges of the parent process, enabling an attacker to spawn a root shell.
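As an added example (not apport's own code) of the privilege drop the fix relies on: resolve the real caller from SUDO_UID/PKEXEC_UID and run the pager under that uid when the current process is root, falling back to a direct run when there is nothing to drop. The function names and the `environ` parameter are hypothetical choices made for this illustration.

```python
import os
import pwd
import subprocess


def real_user_from_env(environ=None):
    """uid of the invoking user under sudo (SUDO_UID) or pkexec (PKEXEC_UID),
    or None when neither is set to a decimal uid. environ is injectable for tests."""
    environ = os.environ if environ is None else environ
    for var in ("SUDO_UID", "PKEXEC_UID"):
        value = environ.get(var)
        if value is not None and value.isdigit():
            return int(value)
    return None


def drop_privileges_to(uid):
    """Build a preexec_fn that turns the child into `uid` before exec.
    Order matters: groups, then gid, then uid; once setuid() has moved to a
    non-root user the process can no longer change its groups."""
    pw = pwd.getpwuid(uid)

    def _preexec():
        os.initgroups(pw.pw_name, pw.pw_gid)
        os.setgid(pw.pw_gid)
        os.setuid(pw.pw_uid)

    return _preexec


def run_pager_as_real_user(args, data, environ=None, **kwargs):
    """Feed `data` (the report) to the pager `args`, as the real user when we
    are root. Not elevated, or not root: nothing to drop, run directly (as the
    patched run_as_real_user does). Returns the pager's exit status; check is
    False because a pager quitting non-zero is not an error for the caller."""
    uid = real_user_from_env(environ)
    preexec = None
    if uid is not None and uid != 0 and os.geteuid() == 0:
        preexec = drop_privileges_to(uid)
    proc = subprocess.run(args, input=data, check=False,
                          preexec_fn=preexec, **kwargs)
    return proc.returncode
```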
Attack Vector
This is a local attack vector requiring the attacker to have shell access to the target system. The exploitation chain requires:
- A sudo configuration that allows unprivileged users to run apport-cli with elevated privileges
- The less command configured as the system pager
- The ability to manipulate terminal size to trigger the pager display
- Knowledge of less shell escape sequences to spawn a privileged shell
The patch modifies the code to use run_as_real_user() when invoking the pager, ensuring the pager process runs with the original user's privileges rather than root:
}
-def run_as_real_user(args: list[str]) -> None:
+def run_as_real_user(
+ args: list[str], *, get_user_env: bool = False, **kwargs
+) -> None:
"""Call subprocess.run as real user if called via sudo/pkexec.
If we are called through pkexec/sudo, determine the real user ID and
run the command with it to get the user's web browser settings.
+ If get_user_env is set to True, the D-BUS address and XDG_DATA_DIRS
+ is grabbed from a running gvfsd and added to the process environment.
"""
uid = _get_env_int("SUDO_UID", _get_env_int("PKEXEC_UID"))
if uid is None or not get_process_user_and_group().is_root():
- subprocess.run(args, check=False)
+ subprocess.run(args, check=False, **kwargs)
return
pwuid = pwd.getpwuid(uid)
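Review bot: the non-root branch now forwards **kwargs to subprocess.run, but the privileged branch that follows `pwuid = pwd.getpwuid(uid)` is cut off in this excerpt, and it is exactly the path the fix exists for; make sure that branch also passes **kwargs through, otherwise the caller's input=report.encode("UTF-8") and stdout=stdout are dropped when running under sudo/pkexec and the pager shows nothing. Minor: the added docstring line "the D-BUS address and XDG_DATA_DIRS is grabbed" should read "are grabbed", and "to get the user's web browser settings" no longer describes the only caller now that the pager goes through this function.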
Source: GitHub Commit e5f78cc89f1f5888b6a56b785dddcb0364c48ecb
The corresponding change in bin/apport-cli replaces the direct subprocess call with the secure function:
self.in_update_view = True
report = self._get_details()
try:
- subprocess.run(
+ apport.ui.run_as_real_user(
["/usr/bin/sensible-pager"],
- check=False,
input=report.encode("UTF-8"),
stdout=stdout,
)
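Review bot: removing check=False from this call makes the pager's exit status the responsibility of run_as_real_user(); the visible non-root branch hard-codes check=False, so a non-zero exit from less no longer raises here, but the sudo/pkexec branch is not shown and must do the same or quitting the pager abnormally will raise CalledProcessError inside the update view. A one-line comment at this call site explaining why the pager must run as the real user (less offers shell escapes, so a root pager is a root shell) would help keep a direct subprocess.run from being reintroduced later.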
Source: GitHub Commit e5f78cc89f1f5888b6a56b785dddcb0364c48ecb
Detection Methods for CVE-2023-1326
Indicators of Compromise
- Unexpected shell processes spawned as child processes of less running under apport-cli
- Unusual sudo apport-cli command executions by unprivileged users
- Process trees showing privilege escalation patterns from pager to shell
Detection Strategies
- Monitor for sudo apport-cli executions in system logs and audit trails
- Implement auditd rules to track executions of /usr/bin/apport-cli with elevated privileges
- Watch for shell escape patterns in process monitoring where less spawns /bin/sh or /bin/bash
- Review sudoers configurations for overly permissive apport-cli entries
Monitoring Recommendations
- Enable command-line auditing with auditd for apport-related binaries
- Configure SIEM alerts for anomalous sudo usage patterns involving apport
- Monitor process parent-child relationships for suspicious privilege transitions
- Review and baseline normal apport-cli usage patterns in your environment
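Added detection example, not part of the advisory or of apport: it walks a constructed `ps -eo pid,ppid,euid,comm` snapshot and flags root shells whose ancestry is less, then apport-cli, then sudo/pkexec, the process tree the indicators above describe; the snapshot and function names are constructed for this illustration.

```python
# Constructed `ps -eo pid,ppid,euid,comm` snapshot. pid 1470 is a root shell
# spawned by less under a sudo'd apport-cli (the vulnerable chain); pid 1493
# is the post-fix chain, where the pager already runs as the real user.
SAMPLE_PS = """\
  PID  PPID  EUID COMMAND
    1     0     0 systemd
 1402     1  1000 bash
 1450  1402     0 sudo
 1451  1450     0 apport-cli
 1460  1451     0 sensible-pager
 1461  1460     0 less
 1470  1461     0 sh
 1490  1402     0 sudo
 1491  1490     0 apport-cli
 1492  1491  1000 less
 1493  1492  1000 sh
"""
SHELLS = {"sh", "bash", "dash", "zsh"}
ELEVATORS = {"sudo", "pkexec"}


def parse_ps(text):
    """Map pid -> (ppid, euid, comm); the first line is the ps header."""
    procs = {}
    for line in text.splitlines()[1:]:
        pid, ppid, euid, comm = line.split(None, 3)
        procs[int(pid)] = (int(ppid), int(euid), comm)
    return procs


def ancestry(procs, pid):
    """Yield comm names from pid upward; `seen` guards against ppid cycles."""
    seen = set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        ppid, _euid, comm = procs[pid]
        yield comm
        pid = ppid


def find_pager_escapes(procs):
    """Return (pid, chain) for root shells under less <- apport-cli <- sudo/pkexec."""
    findings = []
    for pid, (ppid, euid, comm) in procs.items():
        if comm not in SHELLS or euid != 0:
            continue
        chain = list(ancestry(procs, ppid))  # parent first, then upward
        if "less" not in chain or "apport-cli" not in chain:
            continue
        top = [i for i, c in enumerate(chain) if c in ELEVATORS]
        if top and chain.index("less") < chain.index("apport-cli") < top[0]:
            findings.append((pid, chain[: top[0] + 1]))
    return findings
```

The same walk can be fed from auditd EXECVE/SYSCALL records by mapping pid, ppid, euid and comm into the same tuple shape.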
How to Mitigate CVE-2023-1326
Immediate Actions Required
- Update Canonical Apport to the latest patched version immediately
- Review and restrict sudoers configurations to remove unnecessary apport-cli permissions
- Consider using an alternative pager that does not support shell escapes for system utilities
- Audit systems for any evidence of exploitation attempts
Patch Information
Canonical has released security updates to address this vulnerability. The fix is documented in Ubuntu Security Notice USN-6018-1. The patch ensures that when apport-cli is run with elevated privileges via sudo or pkexec, the pager process is executed with the original user's privileges rather than root privileges. The specific commit implementing this fix is available at GitHub commit e5f78cc89f1f5888b6a56b785dddcb0364c48ecb.
Workarounds
- Remove any sudoers entries that allow unprivileged users to run apport-cli with elevated privileges
- Configure an alternative pager (e.g., cat or more) that does not support shell escape functionality
- Restrict access to the apport-cli command entirely for non-administrative users
- Implement mandatory access control policies (AppArmor/SELinux) to limit apport-cli process capabilities
# Configuration example
# Review and remove overly permissive sudoers entries
sudo visudo -f /etc/sudoers.d/apport-cli
# Remove or comment out lines like:
# ALL ALL=(ALL) NOPASSWD: /usr/bin/apport-cli
# Alternative: set a safer pager system-wide. /etc/environment is a KEY=VALUE
# file read by pam_env, not a shell script, so no "export"; and the append must
# run as root (a plain ">>" redirect runs as the calling user).
echo 'PAGER=/bin/cat' | sudo tee -a /etc/environment
# Caveat: sudo's default env_reset does not pass PAGER to the elevated command,
# so sensible-pager under sudo falls back to the "pager" alternative. On Ubuntu
# that default can be changed with, e.g.:
sudo update-alternatives --set pager /bin/more
# Neither setting replaces the patch; they only narrow the window until it is applied.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.