CVE-2023-43116: 
vulnerability analysis and mitigation

A symbolic link following vulnerability was discovered in Buildkite Elastic CI for AWS versions prior to 6.7.1 and 5.22.5. The vulnerability allows the buildkite-agent user to change ownership of arbitrary directories via the PIPELINE_PATH variable in the fix-buildkite-agent-builds-permissions script. The issue was discovered and reported by Nick Nam of Atredis Partners (Atredis Advisory).

The vulnerability exists in the fix-buildkite-agent-builds-permissions script which is intended to recursively fix ownership for files and directories under /var/lib/buildkite-agent/builds. The script can be executed using sudo by the buildkite-agent user through a sudoers.conf entry. Since all directories beneath /var/lib/buildkite-agent/builds are writeable by the buildkite-agent user by default, an attacker can create a symbolic link pointing to /usr/bin/ in a subdirectory and execute the script to change ownership of itself to buildkite-agent:buildkite-agent. The vulnerability has been assigned a CVSS v3.1 base score of 7.8 HIGH (Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) (NVD).

After changing ownership of fix-buildkite-agent-builds-permissions, it can be modified to run sudo -i to execute an interactive root shell, effectively allowing local privilege escalation. This gives an attacker complete access to the affected system with root privileges (Atredis Advisory).

Users should upgrade to version 6.7.1 or 5.22.5 which addresses these vulnerabilities. Alternatively, customers should consider deploying a pre-bootstrap hook to prevent execution of fix-buildkite-agent-builds-permissions during a build (Atredis Advisory).