CVE-2023-33204

7.8 HIGH

📋 TL;DR

CVE-2023-33204 is an integer overflow vulnerability in sysstat's check_overflow function that could allow attackers to cause denial of service or potentially execute arbitrary code. This affects systems running sysstat versions through 12.7.2. The vulnerability exists due to incomplete fixes for the previous CVE-2022-39377.

💻 Affected Systems

Products:
  • sysstat
Versions: through 12.7.2
Operating Systems: Linux, Unix-like systems
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all installations of vulnerable sysstat versions regardless of configuration

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete system compromise if combined with other vulnerabilities

🟠

Likely Case

Denial of service through application crash or memory corruption

🟢

If Mitigated

Limited impact with proper privilege separation and memory protection mechanisms

🌐 Internet-Facing: LOW - sysstat is typically not exposed to external networks
🏢 Internal Only: MEDIUM - sysstat is commonly installed on Linux systems for monitoring

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires local access or ability to trigger sysstat functions

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 12.7.3 and later

Vendor Advisory: https://github.com/sysstat/sysstat/pull/360

Restart Required: No

Instructions:

1. Update sysstat package using your distribution's package manager
2. For Debian/Ubuntu: sudo apt update && sudo apt upgrade sysstat
3. For RHEL/CentOS/Fedora: sudo yum update sysstat or sudo dnf update sysstat
4. For source installations: Download and compile from sysstat GitHub repository

🔧 Temporary Workarounds

Remove sysstat package

linux

Uninstall sysstat if not required for system monitoring

sudo apt remove sysstat    # Debian/Ubuntu
sudo yum remove sysstat    # RHEL/CentOS/Fedora (yum)
sudo dnf remove sysstat    # RHEL/CentOS/Fedora (dnf)

Restrict sysstat execution

linux

Limit which users can execute sysstat commands

sudo chmod 750 /usr/bin/sar
sudo chmod 750 /usr/bin/sadc

🧯 If You Can't Patch

  • Implement strict access controls to limit who can execute sysstat utilities
  • Monitor system logs for unusual sysstat process activity or crashes

🔍 How to Verify

Check if Vulnerable:

Check sysstat version with: sar --version or sadc --version

Check Version:

sar --version 2>/dev/null || sadc --version 2>/dev/null || dpkg -l sysstat 2>/dev/null || rpm -q sysstat 2>/dev/null

Verify Fix Applied:

Verify version is 12.7.3 or higher: sar --version | grep -E '(^|[^0-9.])(12\.7\.([3-9]|[1-9][0-9])|12\.([89]|[1-9][0-9])\.[0-9]+|(1[3-9]|[2-9][0-9])\.[0-9]+\.[0-9]+)'
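
A version check that compares in version order rather than by pattern, so a release such as 12.10.0 is handled the same way as 12.7.3. This is an added example, not part of the original advisory or the sysstat project; the function names and the sample strings are constructed for illustration, and it assumes a `sort` that supports `-V`.

```shell
#!/bin/sh
# Added example: classify a sysstat version string against the fixed
# release named in this advisory (12.7.3). Function names are hypothetical.
FIXED_VERSION="12.7.3"

# Extract the first dotted version number from tool output,
# e.g. "sysstat version 12.7.2" -> "12.7.2". Prints nothing if none is found.
extract_version() {
    printf '%s\n' "$1" | grep -oE '[0-9]+(\.[0-9]+)+' | head -n 1
}

# Return 0 if version $1 >= version $2, 1 otherwise.
# sort -V orders 12.7.3 before 12.10.0, which a plain string sort gets wrong.
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# Print FIXED, VULNERABLE or UNKNOWN for a raw version string.
classify_sysstat() {
    ver=$(extract_version "$1")
    if [ -z "$ver" ]; then
        echo "UNKNOWN"        # tool missing or output not recognised
    elif version_ge "$ver" "$FIXED_VERSION"; then
        echo "FIXED"
    else
        echo "VULNERABLE"
    fi
}

# Constructed sample strings (not captured from a real host).
for sample in "sysstat version 12.7.2" "sysstat version 12.7.3" \
              "sysstat version 12.10.0" ""; do
    printf '%-26s -> %s\n' "[$sample]" "$(classify_sysstat "$sample")"
done

# Local host, using the version command given in this advisory.
printf '%-26s -> %s\n' "[local sar]" "$(classify_sysstat "$(sar --version 2>/dev/null)")"
```

Distribution packages often backport security fixes without changing the upstream version number, so a VULNERABLE result on a packaged install should be confirmed against the distribution's own advisory for CVE-2023-33204.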

📡 Detection & Monitoring

Log Indicators:

  • Segmentation faults in sysstat processes
  • Abnormal memory usage by sysstat utilities
  • Unexpected sysstat process termination

Network Indicators:

  • None - this is a local vulnerability

SIEM Query:

process.name: ("sar", "sadc", "sysstat") AND (event.type: "segmentation_fault" OR event.type: "memory_violation")
