CVE-2023-6507

Groups not dropped before running subprocess when using empty 'extra_groups' parameter

Severity Score

4.9

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track*

*SSVC

Descriptions

An issue was found in CPython 3.12.0 `subprocess` module on POSIX platforms. The issue was fixed in CPython 3.12.1 and does not affect other stable releases.

When using the `extra_groups=` parameter with an empty list as a value (ie `extra_groups=[]`) the logic regressed to not call `setgroups(0, NULL)` before calling `exec()`, thus not dropping the original processes' groups before starting the new process. There is no issue when the parameter isn't used or when any value is used besides an empty list.

This issue only impacts CPython processes run with sufficient privilege to make the `setgroups` system call (typically `root`).

Se encontró un problema en el módulo `subproceso` de CPython 3.12.0 en plataformas POSIX. El problema se solucionó en CPython 3.12.1 y no afecta a otras versiones estables. Cuando se utiliza el parámetro `extra_groups=` con una lista vacía como valor (es decir, `extra_groups=[]`), la lógica retrocede para no llamar a `setgroups(0, NULL)` antes de llamar a `exec()`, por lo que no se descarta el grupos de procesos originales antes de iniciar el nuevo proceso. No hay ningún problema cuando no se usa el parámetro o cuando se usa cualquier valor además de una lista vacía. Este problema solo afecta los procesos de CPython que se ejecutan con privilegios suficientes para realizar la llamada al sistema "setgroups" (normalmente "root").

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

Attack Vector

Adjacent

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:Track*

Exploitation

None

Automatable

Tech. Impact

Total

* Organization's Worst-case Scenario

Timeline

2023-12-04 CVE Reserved
2023-12-08 CVE Published
2024-08-02 CVE Updated
2024-11-07 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-269: Improper Privilege Management

CAPEC

CAPEC-122: Privilege Abuse

References (5)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC
https://github.com/python/cpython/commit/10e9bb13b8dcaa414645b9bd10718d8f7179e82b	2024-05-07
https://github.com/python/cpython/commit/85bbfa8a4bbdbb61a3a84fbd7cb29a4096ab8a06	2024-05-07
https://github.com/python/cpython/commit/9fe7655c6ce0b8e9adc229daf681b6d30e6b1610	2024-05-07
https://github.com/python/cpython/issues/112334	2024-05-07

URL	Date	SRC
https://mail.python.org/archives/list/security-announce@python.org/thread/AUL7QFHBLILGISS7U63B47AYSSGJJQZD	2024-05-07

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Python Search vendor "Python"		Python Search vendor "Python" for product "Python"				3.12.0 Search vendor "Python" for product "Python" and version "3.12.0"		-		Affected
Python Search vendor "Python"		Python Search vendor "Python" for product "Python"				3.13.0 Search vendor "Python" for product "Python" and version "3.13.0"		alpha1		Affected
Python Search vendor "Python"		Python Search vendor "Python" for product "Python"				3.13.0 Search vendor "Python" for product "Python" and version "3.13.0"		alpha2		Affected