CVSS2
Attack Vector
LOCAL
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:L/AC:M/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
40.7%
selinux_edit_copy_tfiles in sudoedit in Sudo before 1.9.5 allows a local
unprivileged user to gain file ownership and escalate privileges by
replacing a temporary file with a symlink to an arbitrary file target. This
affects SELinux RBAC support in permissive mode. Machines without SELinux
are not vulnerable.
Author | Note |
---|---|
sbeattie | selinux is not the default MAC in Ubuntu, though users can boot into it. |
rodrigo-zaiden | fs.protected_symlinks is ‘1’ by default in Ubuntu, and if not changed, can prevent this issue from being exploited. There are backports available for version 1.8 but not straightforward for 1.8.16 (xenial baseline). Some of the selinux specific code that needs to be patched was added later in time and it seems to me that the backports for 1.8 are based on 1.8.32. So, in xenial, a fix would be very intrusive and likely to introduce a regression. The reproducer in sudo.ws reference does not reproduce in xenial. The fact that the reproducer does not reproduce, that the kernel hardening fs.protected_symlinks is ‘1’ by default (with no clear reason to be turned off to ‘0’), that there is a very low possibility to have Ubuntu running selinux without a working policy and, mainly, that the risky of regression is high, we are marking this CVE as ignored for xenial. |
CVSS2
Attack Vector
LOCAL
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:L/AC:M/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
40.7%