CVE-2023-6507 Overview
A privilege escalation vulnerability was discovered in the subprocess module of CPython 3.12.0 on POSIX platforms. When the extra_groups= parameter is passed an empty list (extra_groups=[]), a logic regression meant the child never called setgroups(0, NULL) before exec(), so the child process kept the parent's supplementary group memberships instead of dropping them as intended.
In practice this means that when a privileged process (typically running as root) spawns a subprocess with the explicit intention of clearing supplementary group memberships, those groups are silently preserved, potentially giving the subprocess access to group-protected resources it should not be able to reach.
Critical Impact
Privileged CPython processes using subprocess with extra_groups=[] fail to drop group memberships, potentially allowing child processes to retain elevated privileges and access protected resources.
Affected Products
- Python 3.12.0
- Python 3.13.0 Alpha 1
- Python 3.13.0 Alpha 2
Discovery Timeline
- 2023-12-08 - CVE-2023-6507 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2023-6507
Vulnerability Analysis
This vulnerability is a privilege escalation flaw introduced as a logic regression in CPython 3.12.0. The issue lies in the C extension Modules/_posixsubprocess.c, specifically in how the extra_groups parameter is handled while the child process is being set up.
The vulnerability only affects CPython processes running with enough privilege to make the setgroups system call (typically root). When extra_groups=[] is passed to subprocess.Popen or a related API, the intention is to clear all supplementary groups before executing the new program. Because of the logic bug, the setgroups(0, NULL) call was skipped entirely.
The same regression also caused a performance issue: the vfork() fast path was no longer used when it should have been, and process creation fell back to the slower fork() system call.
Root Cause
The root cause was a conditional check in Modules/_posixsubprocess.c that used extra_group_size > 0 where extra_group_size >= 0 was intended. A negative size means the caller did not pass extra_groups at all, while a size of 0 means an explicitly empty list; with the stricter comparison the empty-list case evaluated to false, so the setgroups() call was never made.
The fix changes the condition from:
    if (extra_group_size > 0)
        POSIX_CALL(setgroups(extra_group_size, extra_groups));
To:
    if (extra_group_size >= 0) {
        assert((extra_group_size == 0) == (extra_groups == NULL));
        POSIX_CALL(setgroups(extra_group_size, extra_groups));
    }
Source: GitHub Commit
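The behaviour described above can be checked from Python itself. The following is an added example (not CPython's or the advisory's own code): is_affected() encodes the version list given on this page, and probe_child_groups() spawns a child with extra_groups=[] and reports whether the child's supplementary groups were actually dropped. It assumes Linux getgroups() semantics (supplementary groups only) and a caller that either holds CAP_SETGID or accepts the EPERM outcome.

```python
"""Runtime check for CVE-2023-6507 (added example, not CPython's own code)."""
import errno
import json
import os
import subprocess
import sys


def is_affected(v=None):
    """True when (major, minor, micro, releaselevel, serial) is a build the advisory lists."""
    major, minor, micro, level, serial = (sys.version_info if v is None else v)[:5]
    if (major, minor, micro, level) == (3, 12, 0, "final"):
        return True
    # 3.13.0 alpha 1 and alpha 2 are listed; later builds carry the fix.
    return (major, minor, micro, level) == (3, 13, 0, "alpha") and serial in (1, 2)


def probe_child_groups():
    """Spawn a child with extra_groups=[] and return (verdict, child_groups).

    dropped      child saw no supplementary groups: the intended behaviour
    retained     child kept the parent's groups: the CVE-2023-6507 symptom
    eperm        setgroups() was attempted but refused (unprivileged caller on a
                 fixed build; a vulnerable build skips the call, so it never gets here)
    inconclusive parent has no supplementary groups, so nothing could be retained
    Assumes Linux semantics: getgroups() lists supplementary groups only.
    """
    parent_groups = os.getgroups()
    child = [sys.executable, "-c", "import json, os; print(json.dumps(os.getgroups()))"]
    try:
        out = subprocess.run(child, extra_groups=[], capture_output=True,
                             text=True, check=True).stdout
    except OSError as exc:
        if exc.errno == errno.EPERM:
            return "eperm", None
        raise
    child_groups = json.loads(out)
    if child_groups:
        return "retained", child_groups
    return ("dropped" if parent_groups else "inconclusive"), child_groups


if __name__ == "__main__":
    print("interpreter", sys.version.split()[0], "listed as affected:", is_affected())
    print("child groups with extra_groups=[]:", probe_child_groups())
```

Run it from a process that has at least one supplementary group; on a fixed build the child reports an empty list (or EPERM when unprivileged), on an affected build it reports the parent's groups unchanged.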
Attack Vector
Exploitation requires an attacker to have access to a system where a privileged Python application spawns subprocesses with extra_groups=[]. In that scenario:
- The privileged application (running as root) spawns a subprocess intended to run with cleared group memberships
- Due to the bug, the subprocess retains all supplementary groups from the parent process
- The subprocess may now have access to files, directories, or resources protected by group permissions
- An attacker who can influence or control the spawned subprocess could leverage these retained privileges
    // The vulnerable code path in Modules/_posixsubprocess.c
    #ifdef HAVE_SETGROUPS
        if (extra_group_size > 0)
            POSIX_CALL(setgroups(extra_group_size, extra_groups));
    #endif /* HAVE_SETGROUPS */
Source: GitHub Commit
Detection Methods for CVE-2023-6507
Indicators of Compromise
- Python applications on Python 3.12.0 (or the listed 3.13.0 alphas) that call subprocess.Popen or related APIs with extra_groups=[]
- Child processes unexpectedly retaining supplementary group memberships when they should have been cleared
- Audit logs showing subprocess access to group-protected resources that should have been denied
Detection Strategies
- Audit Python codebases for usage of subprocess.Popen, subprocess.run, or related functions with extra_groups=[]
- Trace privileged Python subprocess launches with strace or auditd and confirm that a setgroups(0, NULL) call precedes execve() whenever extra_groups=[] is used; its absence is the signature of the bug
- Review application logs for unexpected resource access patterns from Python subprocesses
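For the code-audit step, an added example (not a CPython or official tool) that walks a module's AST and lists every subprocess.Popen/run/call/check_call/check_output call passing extra_groups=[], while flagging non-literal values for manual review; the SAMPLE source below is constructed for illustration.

```python
"""Static audit for extra_groups=[] call sites (added example, not a CPython tool)."""
import ast

# subprocess entry points that accept extra_groups (the parameter exists since 3.9).
SUBPROCESS_APIS = {"Popen", "run", "call", "check_call", "check_output"}


def _callee(node):
    """Render 'subprocess.run' or 'Popen' style targets; anything else gives None."""
    if isinstance(node, ast.Attribute) and isinstance(node.value, ast.Name):
        return f"{node.value.id}.{node.attr}"
    return node.id if isinstance(node, ast.Name) else None


def find_extra_groups_calls(source, filename="<string>"):
    """Return sorted (lineno, callee, kind) for subprocess calls that pass extra_groups.

    kind is "empty-literal" for extra_groups=[] / extra_groups=() (the CVE-2023-6507
    trigger) and "dynamic" for a non-constant value a reviewer must trace by hand;
    extra_groups=None and non-empty literals are not reported. Matching is by the
    final attribute name, so aliased imports such as sp.run are found too.
    """
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if not isinstance(node, ast.Call):
            continue
        callee = _callee(node.func)
        if callee is None or callee.rsplit(".", 1)[-1] not in SUBPROCESS_APIS:
            continue
        for kw in node.keywords:
            if kw.arg != "extra_groups":
                continue
            if isinstance(kw.value, (ast.List, ast.Tuple)):
                if not kw.value.elts:
                    findings.append((node.lineno, callee, "empty-literal"))
            elif not isinstance(kw.value, ast.Constant):
                findings.append((node.lineno, callee, "dynamic"))
    return sorted(findings)


# Constructed sample input: two trigger sites, one explicit group list, one variable.
SAMPLE = """\
import subprocess
from subprocess import Popen
subprocess.run(["id"], extra_groups=[])
Popen(["id"], user="nobody", extra_groups=[])
subprocess.run(["id"], extra_groups=[1000])
subprocess.check_output(["id"], extra_groups=gids)
"""

if __name__ == "__main__":
    for lineno, callee, kind in find_extra_groups_calls(SAMPLE):
        print(f"line {lineno}: {callee}(extra_groups=...) -> {kind}")
```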
Monitoring Recommendations
- Implement file integrity monitoring on systems running vulnerable Python versions
- Configure Linux audit rules to track setgroups system calls from Python processes running as root
- Monitor for Python 3.12.0 installations in your environment and prioritize upgrade tracking
How to Mitigate CVE-2023-6507
Immediate Actions Required
- Upgrade CPython to version 3.12.1 or later immediately
- Identify all applications using the subprocess module with the extra_groups parameter
- Review and audit any applications that run Python subprocesses with elevated privileges
- Consider temporarily avoiding the use of extra_groups=[] until patched
Patch Information
The vulnerability was fixed in CPython 3.12.1. Multiple commits address both the security vulnerability and the related performance regression:
- Primary fix for 3.12 - Restores subprocess's use of vfork() and fixes extra_groups=[] behavior
- Fix for main branch - Applies the same fix to the development branch
- Regression test addition - Adds strace dependency for testing vfork usage
The official Python Security Announcement provides additional details.
Workarounds
- If upgrading is not immediately possible, explicitly list the groups the child should keep instead of passing an empty list (extra_groups=[]); a non-empty list still satisfies the extra_group_size > 0 check, so setgroups() is called even on affected builds
- Run applications using subprocess with extra_groups as an unprivileged user where possible
- Implement additional access controls at the filesystem level to reduce impact of retained group memberships
# Check your Python version
python3 --version
# If running 3.12.0, upgrade immediately
# On Debian/Ubuntu:
sudo apt update && sudo apt upgrade python3
# Verify the fix is applied (version should be 3.12.1 or later)
python3 -c "import sys; print(sys.version)"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.