Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Wed, 1 Feb 2023 11:05:49 +0100
From: Matthias Gerstner <>
Subject: Re: pesign: Local privilege escalation on pesign
 systemd service


On Tue, Jan 31, 2023 at 12:59:19PM -0300, Marco Benatto wrote:
> a local privilege escalation vulnerability was found in pesign. This
> vulnerability has been identified by CVE-2022-3560.

I would like to add some more details about the vulnerability:

The project ships a systemd service file that starts a pesign daemon
instance but also runs a StartPost script:

ExecStart=/usr/bin/pesign --daemonize

This pesign-authorize script is run with root privileges and grants a
dynamic list of users and groups recursively full access to
/etc/pki/pesign*/ and /run/pesign via POSIX access control lists.

The list of users is found in the root controlled files
/etc/pesign/users and /etc/pesign/groups. By default only pesign:pesign
are configured.

# The Vulnerability

Since the pesign-authorize script is run at every start of the pesign
service unit, the directory trees /etc/pki/pesign* and /run/pesign will
already be controlled by the unprivileged pesign:pesign user and group.
The script does not take precautions to prevent symlink attacks being
staged by a compromised unprivileged user account.

A simple demonstration of the attack would be this:

root# sudo -u pesign -g pesign ln -s /root /etc/pki/pesign/attack
root# systemctl restart pesign
root# getfactl /root
# file: root/
# owner: root
# group: root

Therefore in a default configuration of pesign there is a local pesign
user or pesign group to root escalation that can be achieved at every
pesign.service unit start.

I reproduced this on Fedora 35 using pesign version 113 release 18.fc35.

# Timeline

- 2022-10-11: I reported this to  offering
  coordinated disclosure.
- 2022-10-18: RedHat security assigned the CVE for the issue
- 2022-12-21: RedHat security communicated a coordinated release date
  for 2023-01-31.
- 2023-01-27: RedHat security shared the patch with us and informed the
  distros mailing list about issue and the upcoming release
- 2023-01-31: the issue has been published



Matthias Gerstner <>
Security Engineer
GPG Key ID: 0x14C405C971923553
SUSE Software Solutions Germany GmbH
HRB 36809, AG Nürnberg
Geschäftsführer: Ivo Totev, Andrew Myers, Andrew McDonald, Boudien Moerman

Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.