CVE-2023-26604

7.8 HIGH

📋 TL;DR

systemctl pipes long output, including 'systemctl status', through a pager (less by default). less lets the user start a shell with '!' and an editor with 'v', so when a sudoers rule lets a local user run 'systemctl status' as root, the shell spawned from the pager is a root shell. systemd 247 closed this by invoking the pager with LESSSECURE=1 whenever it detects elevated privileges; earlier upstream versions are affected on any system whose sudoers configuration grants 'systemctl status' (or an unrestricted 'systemctl') to a non-root user.

💻 Affected Systems

Products:
  • systemd
Versions: All versions before 247
Operating Systems: Linux distributions using systemd
Default Config Vulnerable: ✅ No
Notes: Requires a sudoers rule that lets a non-root user run 'systemctl status' (or an unrestricted 'systemctl') as root. The version boundary is upstream systemd's; Debian, Ubuntu, Red Hat and others backport fixes without changing the major version, so rely on your distribution's advisory rather than on the number alone.

📦 What is this software?

systemd is the init system and service manager used by most Linux distributions. systemctl is its command-line control tool; like the other systemd tools it pipes long output through a pager, less by default, unless --no-pager is given or SYSTEMD_PAGER/PAGER selects something else.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Local attacker gains full root privileges and complete system compromise.

🟠

Likely Case

A user holding a narrow sudo grant (for example 'systemctl status *', intended for read-only troubleshooting) obtains a root shell, either deliberately or because the account was compromised and the attacker found the rule with 'sudo -l'.

🟢

If Mitigated

Minimal impact with proper sudoers restrictions and updated systemd.

🌐 Internet-Facing: LOW - This is a local privilege escalation requiring authenticated access.
🏢 Internal Only: HIGH - Internal users with sudo access to systemctl can exploit this vulnerability.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation needs a local account and a sudoers rule that runs 'systemctl status' (or an unrestricted 'systemctl') as root; from there it is a single keystroke sequence in less ('!sh'), which is why the complexity is low.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: systemd 247 and later

Vendor Advisory (Debian LTS announcement): https://lists.debian.org/debian-lts-announce/2023/03/msg00032.html

Restart Required: No

Instructions:

1. Update systemd through your distribution's package manager and confirm the fix from the distribution's advisory or package changelog: most distributions backport it, so the installed package can stay below 247 and still be fixed.
2. Debian/Ubuntu: sudo apt update && sudo apt upgrade systemd
3. RHEL/CentOS/Fedora: sudo dnf update systemd (sudo yum update systemd on RHEL/CentOS 7)
4. Arch: sudo pacman -Syu systemd

🔧 Temporary Workarounds

Restrict sudoers configuration

linux

The vulnerable shape is a rule such as 'alice ALL=(root) /bin/systemctl status *' or an unrestricted 'systemctl': the wildcard is not the issue, the pager is. Rewrite such rules as 'systemctl status --no-pager <unit>', or point them at a root-owned wrapper script that execs 'systemctl status --no-pager "$@"', so that less is never started as root. Check /etc/sudoers.d/ as well as /etc/sudoers.

sudo visudo
# Review and rewrite systemctl entries; check drop-ins too with: sudo visudo -f /etc/sudoers.d/<file>

Set LESSSECURE environment variable

linux

LESSSECURE=1 makes less refuse its shell ('!'), editor ('v') and pipe commands. It only helps if the variable reaches the pager that sudo starts: sudo's default env_reset drops the caller's environment, so an 'export' in a user's shell profile is not inherited by the root-run systemctl, and a user could simply unset it anyway. Set it where sudo cannot lose it, i.e. inside a root-owned wrapper that the sudoers rule runs, and never add PAGER, SYSTEMD_PAGER, SYSTEMD_PAGERSECURE, LESSSECURE or other LESS* variables to env_keep. systemd 247 and later set LESSSECURE=1 themselves when the pager is started with elevated privileges (systemctl(1) documents the SYSTEMD_PAGERSECURE override); that is the upstream fix for this CVE.

export LESSSECURE=1
# Effective only where the pager inherits it, e.g. in a root-owned wrapper that sudo runs; the calling user's profile does not reach a sudo-started systemctl

🧯 If You Can't Patch

  • Remove or rewrite every sudoers rule that lets a non-root user run 'systemctl status' (or any paging 'systemctl' invocation) as root; use --no-pager or a root-owned wrapper
  • Log and review sudo use of systemctl (auth.log, /var/log/secure or the journal), and alert on shells whose parent is a root-owned less

🔍 How to Verify

Check if Vulnerable:

Compare the upstream version (first line of 'systemctl --version' or 'systemd --version') against 247; if it is lower, check the package changelog or distribution advisory for a backported fix before concluding the host is vulnerable. Then review 'sudo -l' for each user, plus /etc/sudoers and /etc/sudoers.d/*, for rules granting 'systemctl status' or unrestricted 'systemctl' as root without --no-pager.

Check Version:

systemd --version | head -n1

Verify Fix Applied:

Confirm the upstream version is 247 or higher, or that the distribution package carries the backport. Then test the behaviour: as a user covered by the rule, run 'sudo systemctl status <unit>' and press '!' in less; in secure mode less answers 'Command not available' instead of starting a shell. Finally confirm that no sudoers rule still reaches a pager as root.
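As an added example, not code from the page or from the systemd project, the script below combines the two checks above: it tests a 'systemctl --version' line against the upstream 247 boundary and audits sudoers text for the rule shapes that reach a pager as root, skipping rules that carry --no-pager. It also illustrates the Temporary Workarounds section, since bob's rule in the sample is the restricted form that section recommends. The sudoers sample, the user names, the function names and the SAMPLE_SUDOERS variable are this example's own; on a real host pipe /etc/sudoers, the files under /etc/sudoers.d/ or the output of 'sudo -l' into risky_sudoers_entries.

```shell
#!/bin/sh
# Added example for CVE-2023-26604 checks; not code from the page or the systemd project.

# is_systemd_fixed "VERSION_LINE": succeed if the upstream major version is >= 247.
# Feed it the first line of `systemctl --version`, e.g. "systemd 252 (252.12-1~deb12u1)".
# Caveat: distribution packages backport fixes without bumping this number, so a
# failure here means "check the distribution advisory", not "confirmed vulnerable".
is_systemd_fixed() {
    major=$(printf '%s\n' "$1" | sed -n 's/^systemd \([0-9][0-9]*\).*/\1/p')
    [ -n "$major" ] && [ "$major" -ge 247 ]
}

# risky_sudoers_entries: read sudoers text on stdin and print the rules that let
# systemctl reach a pager as root: an explicit `status`, a bare `systemctl`
# (any arguments allowed), or `systemctl *`. Rules carrying --no-pager are skipped,
# as are comments and Defaults lines.
risky_sudoers_entries() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*Defaults/ { next }
        /systemctl([[:space:]]+status|[[:space:]]+\*|[[:space:]]*$)/ && !/--no-pager/ { print }
    '
}

# risky_count: number of such rules, for scripting; 0 is the goal.
risky_count() {
    risky_sudoers_entries | grep -c .
}

# Constructed sudoers sample (not a real file). bob's rule is the restricted form;
# carol's never starts a pager; alice, dave and erin are the shapes to rewrite.
SAMPLE_SUDOERS='# sudoers sample for the audit above
Defaults env_reset
alice ALL=(root) NOPASSWD: /bin/systemctl status *
bob   ALL=(root) NOPASSWD: /bin/systemctl status --no-pager nginx.service
carol ALL=(root) /bin/systemctl restart nginx.service
dave  ALL=(root) /bin/systemctl
erin  ALL=(root) /bin/systemctl *'

# Stand-alone run: report the local systemd if present, then audit the sample.
if command -v systemctl >/dev/null 2>&1; then
    ver=$(systemctl --version | head -n1)
    if is_systemd_fixed "$ver"; then
        echo "upstream version at or above 247: $ver"
    else
        echo "below 247, check the distribution advisory for a backport: $ver"
    fi
fi
printf '%s\n' "$SAMPLE_SUDOERS" | risky_sudoers_entries
```

The audit is deliberately broad: a bare 'systemctl' rule permits any subcommand, and other paging subcommands (list-units, show, cat) sit behind the same less invocation, so treat every flagged line as a rule to rewrite rather than only the literal 'status' ones.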

📡 Detection & Monitoring

Log Indicators:

  • sudo runs of 'systemctl status' (or bare 'systemctl') as root without --no-pager, in auth.log, /var/log/secure or the journal
  • With execve auditing enabled, a root sh or bash whose parent (ppid) is a less process
  • Any child process of a root-owned less: a normal pager run spawns nothing

Network Indicators:

  • None - this is a local privilege escalation

SIEM Query:

source="sudo" AND command="*systemctl status*" AND NOT command="*--no-pager*" | stats count by user, host
(Field names depend on the SIEM's sudo parser; in the raw syslog line the invoking user precedes ' : ' and the command follows 'COMMAND='.)
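The same query run over raw sudo log lines, as an added example that is not part of the page or of any SIEM product: it reads lines in sudo's standard syslog format, keeps only sudo-to-root runs of 'systemctl status' that did not pass --no-pager, and counts them per user. The log lines are constructed for the example and the function names are this example's own; on a real host feed it /var/log/auth.log, /var/log/secure or 'journalctl -t sudo'.

```shell
#!/bin/sh
# Added detection example for CVE-2023-26604; not from the page or any SIEM vendor.
# Input is the standard sudo syslog line
#   "<user> : TTY=... ; PWD=... ; USER=... ; COMMAND=..."
# as written to /var/log/auth.log, /var/log/secure or the journal.

# pager_status_invocations: read log lines on stdin and print "user<TAB>command"
# for each sudo-to-root run of `systemctl status` that did not pass --no-pager,
# i.e. each run that put a root-privileged less in front of the user.
# Lines from other daemons and non-status systemctl calls are ignored.
pager_status_invocations() {
    awk '
        / sudo: / && /USER=root/ && /COMMAND=[^ ]*systemctl status/ && !/--no-pager/ {
            line = $0
            sub(/^.* sudo: +/, "", line)        # strip timestamp, host and "sudo:"
            split(line, f, " : ")               # f[1] is the invoking user
            cmd = line
            sub(/^.*COMMAND=/, "", cmd)         # keep only the command string
            printf "%s\t%s\n", f[1], cmd
        }'
}

# per_user_counts: "user count" lines, most active user first. This is the
# page's SIEM query expressed in shell for hosts that do not forward logs.
per_user_counts() {
    pager_status_invocations | cut -f1 | sort | uniq -c | sort -rn | awk '{ print $2, $1 }'
}

# Constructed sample log (not from a real host). bob used --no-pager, the restart
# line is not a status call and the sshd line is not sudo, so three lines match.
SAMPLE_AUTH_LOG='Mar  2 10:14:07 web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl status nginx.service
Mar  2 10:15:22 web1 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/systemctl status --no-pager nginx.service
Mar  2 10:16:01 web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx.service
Mar  2 10:16:30 web1 sshd[2210]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2
Mar  2 10:17:45 web1 sudo:    carol : TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/bin/systemctl status sshd
Mar  2 10:18:03 web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl status sshd'

# Stand-alone run over the sample.
printf '%s\n' "$SAMPLE_AUTH_LOG" | per_user_counts
```

A hit here is not proof of exploitation, only of exposure: the sudo line is written before the pager starts, so pair it with process-level data (a root shell parented by less) to confirm an actual escape.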
