CVE-2022-3560: 
Rocky Linux vulnerability analysis and mitigation

A local privilege escalation vulnerability (CVE-2022-3560) was discovered in the pesign package, which provides utilities for signing UEFI binaries. The vulnerability was discovered on October 11, 2022, and publicly disclosed on January 31, 2023. The issue affects the pesign systemd service in various versions of Red Hat Enterprise Linux and other Linux distributions (Red Hat Advisory, OSS Security).

The vulnerability exists in the pesign systemd service's StartPost script (/usr/libexec/pesign/pesign-authorize) which runs with root privileges. The script grants recursive full access to /etc/pki/pesign*/ and /run/pesign directories via POSIX access control lists to users and groups listed in /etc/pesign/users and /etc/pesign/groups. The script does not implement proper safeguards against symlink attacks, allowing a compromised unprivileged user account to exploit this weakness (OSS Security).

When successfully exploited, this vulnerability allows an unprivileged user with access to the pesign user or group to gain elevated privileges and access to higher privileged files and directories. The vulnerability can be triggered during every start of the pesign.service unit (Red Hat Advisory, OSS Security).

Red Hat has released security updates to address this vulnerability across multiple versions of Red Hat Enterprise Linux. Users are advised to update their pesign packages to the latest versions available through their respective distribution's update channels (Red Hat Advisory).