Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2023-26604

CVE-2023-26604: systemd Privilege Escalation Vulnerability

CVE-2023-26604 is a privilege escalation vulnerability in systemd before version 247 that allows local attackers to gain root access via Sudo configurations. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2023-26604 Overview

CVE-2023-26604 is a local privilege escalation vulnerability in systemd versions before 247. The flaw exists because systemd does not adequately block privilege escalation when used with certain Sudo configurations. Specifically, systemd fails to set the LESSSECURE=1 environment variable when invoking the less pager program, which allows users to escape to a shell or launch arbitrary programs from within less. When systemctl status is executed via Sudo and the terminal window is too small to display complete output, the less pager runs with root privileges, enabling an attacker with limited Sudo access to escalate to full root privileges.

Critical Impact

Local users with Sudo permissions to run systemctl status can escape the less pager to execute arbitrary commands as root, achieving complete system compromise.

Affected Products

  • systemd_project systemd (versions prior to 247)
  • debian debian_linux 10.0

Discovery Timeline

  • 2023-03-03 - CVE-2023-26604 published to NVD
  • 2025-06-20 - Last updated in NVD database

Technical Details for CVE-2023-26604

Vulnerability Analysis

This vulnerability represents a privilege escalation flaw rooted in insecure program invocation practices. The core issue stems from systemd's use of the less pager without proper security restrictions when displaying output from commands like systemctl status.

The less program has built-in functionality that allows users to execute shell commands by typing ! followed by a command, or to invoke external editors. When LESSSECURE=1 is set, these dangerous features are disabled. However, systemd versions prior to 247 do not set this environment variable, creating an escalation path.

The exploitation scenario requires a specific but common configuration: a sudoers entry that permits a user to run systemctl status (or similar systemctl commands) without a password. When the attacker executes this command via Sudo and resizes the terminal to force pager activation, less runs with elevated privileges. From within less, the attacker can spawn a root shell.

Root Cause

The root cause is systemd's failure to implement the LESSSECURE=1 environment variable when invoking the less pager. This omission allows the pager's interactive features—specifically shell escape functionality—to remain active even when running with elevated privileges via Sudo. The vulnerability falls under CWE-269 (Improper Privilege Management), as the application fails to properly restrict dangerous functionality when operating in a privileged context.

Attack Vector

The attack requires local access and relies on a specific but common sudoers configuration pattern. The attacker must have Sudo permissions to execute systemctl commands. The exploitation flow involves:

  1. The attacker identifies a sudoers entry allowing execution of systemctl status or similar commands
  2. The attacker resizes the terminal window to be smaller than the command output
  3. When executed via Sudo, less launches as root to paginate the output
  4. Within less, the attacker types !sh or !/bin/bash to spawn a root shell
  5. The attacker now has full root access to the system

This attack is particularly dangerous because sudoers entries permitting systemctl status are often considered safe by administrators, as the command appears to be read-only. Technical details of exploitation techniques can be found in the Packet Storm Exploit Report and Compass Security Blog Post.

Detection Methods for CVE-2023-26604

Indicators of Compromise

  • Unusual shell processes spawned as child processes of less running under root privileges
  • Audit log entries showing interactive shell invocations immediately following systemctl status commands executed via Sudo
  • Process tree anomalies where sudosystemctlless chains spawn unexpected child processes
  • User session histories containing patterns of terminal resizing followed by systemctl commands

Detection Strategies

  • Monitor for less processes running as root that spawn shell subprocesses using process relationship analysis
  • Implement auditd rules to track executions of systemctl via Sudo and correlate with subsequent process creation events
  • Deploy endpoint detection rules that alert on shell escape sequences (!sh, !/bin/bash) in process command lines under elevated contexts
  • Use SentinelOne's behavioral AI to detect anomalous privilege escalation patterns involving pager programs

Monitoring Recommendations

  • Enable comprehensive command logging for all Sudo executions, particularly those involving systemctl
  • Configure auditd to monitor process creation events with parent process correlation to identify pager escape attacks
  • Implement alerting on any interactive shell spawned from pager processes running under elevated privileges
  • Review sudoers configurations periodically to identify potentially dangerous entries that permit systemctl access

How to Mitigate CVE-2023-26604

Immediate Actions Required

  • Upgrade systemd to version 247 or later where LESSSECURE=1 is properly enforced
  • Audit all sudoers files for entries that permit execution of systemctl commands and evaluate necessity
  • Set the LESSSECURE=1 environment variable system-wide as a defense-in-depth measure
  • Consider using sudoedit or more restrictive Sudo configurations that specify NOEXEC for systemctl commands

Patch Information

The vulnerability was addressed in systemd version 247, which includes the fix to set LESSSECURE=1 when invoking the less pager. For detailed information about the fix, refer to the GitHub Systemd Updates. Debian users should consult the Debian LTS Security Announcement for distribution-specific patching guidance. NetApp customers should review the NetApp Security Advisory for affected products.

Workarounds

  • Add Defaults env_keep += "LESSSECURE" to sudoers and ensure LESSSECURE=1 is exported in system-wide profile scripts
  • Modify sudoers entries to use NOEXEC tag for systemctl commands: user ALL=(root) NOEXEC: /bin/systemctl status *
  • Use alternative pagers that do not have shell escape functionality by setting SYSTEMD_PAGER=cat in environment configurations
  • Remove or restrict sudoers entries that permit systemctl execution until systems can be patched
bash
# Workaround configuration example
# Add to /etc/sudoers.d/systemctl-hardening
Defaults!/bin/systemctl env_keep += "LESSSECURE"
Defaults!/usr/bin/systemctl env_keep += "LESSSECURE"

# Add to /etc/profile.d/lesssecure.sh
export LESSSECURE=1

# Alternative: Use NOEXEC to prevent shell escapes
# user ALL=(root) NOEXEC: /bin/systemctl status *

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.