SELinux Systems Vulnerable to sudo Vulnerability
This is the classic example of “when protectors turn predators.” SELinux is a Linux kernel security module that provides a very strict mechanism for supporting access control security policies. But there are chinks in this armor.
A newly discovered security hole in sudo on Linux makes SELinux-protected systems vulnerable to attack. Qualys, a cloud-based security and compliance solutions company, discovered a vulnerability in sudo's get_process_ttyname() for Linux.
“On an SELinux-enabled system, if a user is Sudoer for a command that does not grant him full root privileges, he can overwrite any file on the filesystem (including root-owned files) with his command's output, because relabel_tty() (in src/selinux.c) calls open(O_RDWR|O_NONBLOCK) on his tty and dup2()s it to the command's stdin, stdout, and stderr. This allows any Sudoer user to obtain full root privileges,” according to a Qualys Security Advisory.
For those who are unfamiliar with sudo: it lets designated users (Sudoers) run specific commands on the system with root privileges.
The vulnerability exists in sudo 1.7.10 through 1.7.10p9, inclusive, and sudo 1.8.5 through 1.8.20p1, inclusive. A fix has been released in sudo 1.8.20p2.
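To triage a fleet against the affected ranges above, the following added script (not from the article or the Qualys advisory) parses the first line of `sudo -V` into a comparable tuple and checks it against the two inclusive ranges; the `pN` patch-level handling is what makes the comparison non-trivial.

```python
import re
import subprocess

# Affected ranges from the advisory, inclusive; 1.8.20p2 carries the fix.
# A version with no "pN" suffix is treated as patch level 0.
VULNERABLE_RANGES = [
    ((1, 7, 10, 0), (1, 7, 10, 9)),
    ((1, 8, 5, 0), (1, 8, 20, 1)),
]

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?")


def parse_sudo_version(text):
    """Return (major, minor, patch, plevel) from a line such as
    'Sudo version 1.8.20p1' as printed by `sudo -V`."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("no sudo version found in: %r" % text)
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def is_vulnerable(version):
    """True if the version tuple lies inside one of the advisory's ranges."""
    return any(lo <= version <= hi for lo, hi in VULNERABLE_RANGES)


def installed_sudo_version():
    """Query the local sudo binary; `sudo -V` prints its version line
    without prompting for a password."""
    out = subprocess.run(["sudo", "-V"], capture_output=True,
                         text=True, check=True).stdout
    return parse_sudo_version(out.splitlines()[0])


if __name__ == "__main__":
    v = installed_sudo_version()
    verdict = "in affected range, patch now" if is_vulnerable(v) \
        else "not in affected range"
    print("sudo %d.%d.%dp%d: %s" % (v + (verdict,)))
```

Distribution packages often backport the fix without bumping the upstream version string, so treat a match here as a prompt to confirm against your vendor's advisory rather than as a final verdict.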
If you are alarmed about more vulnerabilities being found in Linux, don’t be. As Linus Torvalds rightly said, bugs are part of the software development process. What’s more important is that the open source development model offers transparency into bug discovery and bug fixing. You are not dependent on a single vendor to fix it, as is the case with proprietary technologies.
Since the fix is already out, please update and patch your servers immediately.