CVE-2023-43116
📋 TL;DR
This vulnerability allows a malicious buildkite-agent user to change ownership of arbitrary directories via a symbolic link attack in the fix-buildkite-agent-builds-permissions script. It affects Buildkite Elastic CI for AWS versions before 6.7.1 and 5.22.5. Attackers could escalate privileges or disrupt system operations.
💻 Affected Systems
- Buildkite Elastic CI for AWS
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise through privilege escalation to root, allowing arbitrary file manipulation, service disruption, or lateral movement within the CI/CD environment.
Likely Case
Local privilege escalation within the CI/CD environment, enabling unauthorized access to sensitive build artifacts, credentials, or configuration files.
If Mitigated
Limited impact with proper user isolation and minimal permissions for buildkite-agent, restricting damage to non-critical directories.
🎯 Exploit Status
Exploitation requires local access as buildkite-agent user; symbolic link manipulation is straightforward for attackers with basic Linux knowledge.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.7.1 or 5.22.5
Vendor Advisory: https://github.com/atredispartners/advisories/blob/master/ATREDIS-2023-0003.md
Restart Required: Yes
Instructions:
1. Update Buildkite Elastic CI for AWS to version 6.7.1 or 5.22.5.
2. Restart the Buildkite agent service.
3. Verify the fix-buildkite-agent-builds-permissions script no longer follows symbolic links.
🔧 Temporary Workarounds
Remove script execution permissions
Temporarily disable the vulnerable script by removing execute permissions
chmod -x /path/to/fix-buildkite-agent-builds-permissions
Restrict PIPELINE_PATH variable
Control the PIPELINE_PATH environment variable to prevent user manipulation
export PIPELINE_PATH=/safe/path && chown -R buildkite-agent:buildkite-agent "$PIPELINE_PATH"
🧯 If You Can't Patch
- Restrict buildkite-agent user permissions to minimal required directories using chroot or container isolation.
- Implement strict monitoring of file ownership changes and symbolic link creation in build directories.
🔍 How to Verify
Check if Vulnerable:
Check whether the fix-buildkite-agent-builds-permissions script is present and whether it still changes ownership through a symbolic link when PIPELINE_PATH points at one.
Check Version:
buildkite-agent --version
Verify Fix Applied:
Verify the stack version is 6.7.1 or 5.22.5 or later, and test that a symbolic link placed in PIPELINE_PATH no longer results in an ownership change on the link's target.
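What "no longer follows symbolic links" amounts to in a permission-fixing step, shown as an added example that is not Buildkite's own script: the target is rejected if it is itself a link, and again if its canonical path resolves outside the builds directory. BUILDS_ROOT, the function names and the owner string are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not Buildkite's fix-buildkite-agent-builds-permissions script.
# It shows the two checks a permission-fixing step needs so that a symbolic link
# planted by the buildkite-agent user cannot redirect chown at another directory.
# BUILDS_ROOT, the function names and the owner are assumptions for illustration.

BUILDS_ROOT="${BUILDS_ROOT:-/var/lib/buildkite-agent/builds}"

# validate_build_dir <path>
# Returns 0 only if <path> is a real directory (not a symlink) whose canonical
# location lies under BUILDS_ROOT; returns 1 and explains on stderr otherwise.
validate_build_dir() {
    target=$1

    # Check 1: the path itself must not be a symlink. This is the primitive
    # behind the CVE: a link at the chown target makes chown act on whatever
    # the link points to instead of the build directory.
    if [ -L "$target" ]; then
        echo "refusing: $target is a symbolic link" >&2
        return 1
    fi
    if [ ! -d "$target" ]; then
        echo "refusing: $target is not a directory" >&2
        return 1
    fi

    # Check 2: resolve every symlink in the path (pwd -P) and require the
    # physical path to stay inside the builds root, so a symlinked parent
    # directory cannot move the target outside either.
    real=$(cd "$target" 2>/dev/null && pwd -P) || return 1
    root=$(cd "$BUILDS_ROOT" 2>/dev/null && pwd -P) || return 1
    case "$real/" in
        "$root"/*) return 0 ;;
        *) echo "refusing: $real is outside $root" >&2; return 1 ;;
    esac
}

# safe_fix_permissions <path> [<owner>]
# Runs chown only after validation. -h (do not dereference) plus the default
# -P traversal keep chown -R from following links found deeper in the tree.
safe_fix_permissions() {
    validate_build_dir "$1" || return 1
    chown -R -h "${2:-buildkite-agent:buildkite-agent}" "$1"
}
```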
📡 Detection & Monitoring
Log Indicators:
- Unexpected chown operations by buildkite-agent user
- Symbolic link creation in build directories
- Permission denied errors for root-owned files
Network Indicators:
- Unusual outbound connections from build agents post-exploitation
SIEM Query:
source="buildkite.log" AND (event="chown" OR event="symlink") AND user="buildkite-agent"