CVE-2022-4415
NixOS vulnerability analysis and mitigation

Overview

A vulnerability was found in systemd (CVE-2022-4415) that could cause a local information leak due to systemd-coredump not respecting the fs.suid_dumpable kernel setting. The issue was discovered in December 2022 and affects systemd versions 246 and newer when built with libacl support (Openwall Mail, Debian Tracker).

Technical details

The vulnerability stems from systemd-coredump setting the sysctl fs.suid_dumpable to 2 by default via a sysctl.d drop-in configuration file. While this setting should ensure core dumps from privileged processes are only accessible to root users, systemd-coredump's implementation does not respect this kernel setting. Instead, it grants read access to the core dump via an ACL entry to the real user ID of the dumping process. The vulnerability has been assigned a CVSS v3.1 Base Score of 5.5 (Medium) with vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N (NVD).

Impact

When exploited, this vulnerability allows regular users to access memory contents of privileged processes they create, potentially leading to the exposure of sensitive information. A specific example includes the ability to obtain the root user's password hash from /etc/shadow when exploiting the vulnerability through the 'su' command (Openwall Mail).

Mitigation and workarounds

A patch has been released by systemd upstream to address this vulnerability. As a workaround without patching, administrators can revert the sysctl setting of fs.suid_dumpable back to 0, which prevents the kernel from invoking systemd-coredump for privileged programs (Openwall Mail, GitHub Commit).
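The conditions described above can be combined into a host triage check. This is an added example, not code from the advisory or from systemd: the function names `classify_exposure` and `check_host` are hypothetical, and the sample core pattern and version strings are constructed. It reports `needs-patch-check` rather than "vulnerable" because a version number alone cannot show whether a distribution has backported the upstream fix.

```shell
#!/bin/sh
# Added example (not from the advisory): triage a host for CVE-2022-4415.
# Usage: classify_exposure SUID_DUMPABLE CORE_PATTERN SYSTEMCTL_VERSION_OUTPUT
# Prints one of: mitigated | not-affected | needs-patch-check
classify_exposure() {
    suid_dumpable=$1 core_pattern=$2 version_output=$3

    # Workaround from the advisory: with fs.suid_dumpable=0 the kernel does
    # not invoke systemd-coredump for privileged programs.
    if [ "$suid_dumpable" = "0" ]; then
        echo mitigated; return 0
    fi

    # The flaw is in systemd-coredump, so it only matters when the kernel
    # pipes core dumps to that handler.
    case $core_pattern in
        "|"*systemd-coredump*) ;;
        *) echo not-affected; return 0 ;;
    esac

    # Affected builds: version 246 or newer, compiled with libacl (+ACL).
    version=$(printf '%s\n' "$version_output" |
        sed -n '1s/^systemd \([0-9][0-9]*\).*/\1/p')
    case $version_output in *+ACL*) acl=yes ;; *) acl=no ;; esac
    if [ -n "$version" ] && { [ "$version" -lt 246 ] || [ "$acl" = no ]; }; then
        echo not-affected; return 0
    fi

    # Unknown version, or in the affected range: confirm the vendor patch.
    echo needs-patch-check
}

# Evaluate the running host (assumes Linux with systemd installed).
check_host() {
    classify_exposure "$(cat /proc/sys/fs/suid_dumpable)" \
        "$(cat /proc/sys/kernel/core_pattern)" \
        "$(systemctl --version 2>/dev/null)"
}

# Constructed sample values, so the script runs without touching the host.
SAMPLE_PATTERN='|/usr/lib/systemd/systemd-coredump %P %u %g %s %t %c %h'
SAMPLE_VERSION='systemd 252 (252.4-1)
+PAM +AUDIT +SELINUX +ACL +BLKID'
classify_exposure 2 "$SAMPLE_PATTERN" "$SAMPLE_VERSION"
```

Call `check_host` on a live system to classify it from its current sysctl values and installed systemd build.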

This report was generated using AI.