CVE-2023-1326
📋 TL;DR
This CVE describes a local privilege escalation vulnerability in apport-cli versions 2.26.0 and earlier. It allows unprivileged users to gain root privileges when specific conditions are met: sudo is configured to allow running apport-cli, 'less' is configured as the pager, and terminal size can be manipulated. This primarily affects Ubuntu systems with non-default sudo configurations.
💻 Affected Systems
- apport-cli
📦 What is this software?
Apport by Canonical
Ubuntu Linux by Canonical
⚠️ Risk & Real-World Impact
Worst Case
Local attacker gains full root privileges on the system, enabling complete system compromise, data theft, persistence, and lateral movement.
Likely Case
Limited impact due to the specific configuration requirements; most systems won't have the vulnerable sudo configuration, making exploitation unlikely in practice.
If Mitigated
No impact if sudo is not configured to allow unprivileged users to run apport-cli or if the system is patched.
🎯 Exploit Status
Exploitation requires local access and specific configuration conditions. The issue is similar to CVE-2023-26604, so adaptation of existing exploits is likely.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.26.1 and later
Vendor Advisory: https://ubuntu.com/security/notices/USN-6018-1
Restart Required: No
Instructions:
1. Update apport package: sudo apt update && sudo apt upgrade apport
2. Verify version is 2.26.1 or later: dpkg -l | grep apport
🔧 Temporary Workarounds
Remove vulnerable sudo configuration
Remove or restrict sudo permissions that allow unprivileged users to run apport-cli
sudo visudo
# Remove lines granting apport-cli access to unprivileged users
Change default pager
Configure the system to use a different pager than 'less'
export PAGER=more
# Add to shell profile or system-wide
🧯 If You Can't Patch
- Review and restrict sudo configurations to prevent unprivileged users from running apport-cli
- Implement strict terminal environment controls to prevent terminal size manipulation
🔍 How to Verify
Check if Vulnerable:
Check apport version: dpkg -l | grep apport | grep '^ii' | awk '{print $3}'. If the version is 2.26.0 or earlier, the system is vulnerable only if it is also configured as described.
Check Version:
dpkg -l | grep apport | grep '^ii' | awk '{print $3}'
Verify Fix Applied:
Verify apport version is 2.26.1 or later: dpkg -l | grep apport | grep '^ii' | awk '{print $3}'
📡 Detection & Monitoring
Log Indicators:
- Unusual sudo apport-cli executions from non-privileged users
- Terminal size manipulation attempts followed by privilege escalation
Network Indicators:
- None - this is a local privilege escalation
SIEM Query:
source="sudo.log" AND "apport-cli" AND user!="root"
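The same check as the SIEM query above, written as a small parser over sudo's syslog records. This is an added example, not part of the original advisory; the log lines are constructed, and the `run_as` and `denied` field names are choices made here.

```python
import os
import re

# Constructed sample lines in the usual sudo syslog layout (not from a real host).
SAMPLE_LOG = """\
Apr 14 10:02:11 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apport-cli
Apr 14 10:02:11 host1 sudo: pam_unix(sudo:session): session opened for user root(uid=0) by alice(uid=1000)
Apr 14 10:03:40 host1 sudo:     root : TTY=pts/2 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/apport-cli
Apr 14 10:05:00 host1 sudo:      bob : command not allowed ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/apport-cli
Apr 14 10:06:12 host1 sudo:    carol : TTY=pts/3 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/bin/apt update
"""

# "sudo:   <invoking user> : <field> ; <field> ; ... ; COMMAND=<command line>"
SUDO_LINE = re.compile(r"sudo:\s+(?P<user>\S+) : (?P<fields>.*?)COMMAND=(?P<command>.+)$")


def parse_sudo_line(line):
    """Return a dict for a sudo command record, or None for any other line."""
    m = SUDO_LINE.search(line)
    if not m:
        return None
    event = {"user": m.group("user"), "command": m.group("command"), "denied": False}
    for part in filter(None, (p.strip() for p in m.group("fields").split(";"))):
        key, sep, value = part.partition("=")
        if sep:
            # USER= is the target account; keep it apart from the invoking user.
            event[{"USER": "run_as"}.get(key, key.lower())] = value
        else:
            event["denied"] = True  # free text such as "command not allowed"
    return event


def find_apport_cli_runs(log_text):
    """Sudo records where a non-root user ran, or tried to run, apport-cli."""
    hits = []
    for line in log_text.splitlines():
        event = parse_sudo_line(line)
        if event is None or event["user"] == "root":
            continue
        argv = event["command"].split()
        if argv and os.path.basename(argv[0]) == "apport-cli":
            hits.append(event)
    return hits


if __name__ == "__main__":
    for e in find_apport_cli_runs(SAMPLE_LOG):
        status = "DENIED" if e["denied"] else "ran"
        print(f'{e["user"]} as {e.get("run_as", "?")}: {e["command"]} ({status})')
```

Denied attempts are reported as well, since they show a user probing for the sudo rule even where none exists.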