CVE-2023-26604: 
NixOS vulnerability analysis and mitigation

A local privilege escalation vulnerability (CVE-2023-26604) was discovered in systemd versions before 247. The vulnerability exists because systemd does not set LESSSECURE to 1 when executing the 'systemctl status' command through sudo, allowing other programs to be launched from the less program when running as root. This presents a security risk particularly when the terminal size is too small to show complete systemctl output (Debian LTS, NVD).

The vulnerability occurs when systemd fails to check the effective user ID (eUID) and user ID (UID) in version 245 and earlier. When systemctl status output is larger than the terminal size, it uses the 'less' pager program to display the content. Since LESSSECURE is not set to 1, users can execute commands through less's shell escape feature (!sh) while running with root privileges. This vulnerability is particularly concerning when systemctl status commands are allowed through sudo configurations (Medium Blog).

Successful exploitation of this vulnerability could lead to local privilege escalation, allowing an attacker to execute commands with root privileges. This can result in disclosure of sensitive information, addition or modification of data, or Denial of Service (DoS) (NetApp Security).

The vulnerability has been fixed in systemd version 247 and later, which adds safeguards to prevent command execution if the eUID differs from the UID. The fix includes setting LESSSECURE=1 when sudo execution is detected, disabling the ability to invoke external programs from the pager. This behavior can be overridden using the SYSTEMD_PAGERSECURE environment variable (Medium Blog).