A high-severity vulnerability has been reported in Linux that could be exploited by a low privilege attacker to gain full root access on an affected system.
The vulnerability, identified as CVE-2017-1000367, was discovered by researchers at Qualys Security in Sudo's "get_process_ttyname()" function for Linux that could allow a user with Sudo privileges to run commands as root or elevate privileges to root.
Basically, SELinux helps contain programs in Linux. For example, Program X should never have access to file "kjsalghjisgb". So if that program makes an attempt to read or modify that file, SELinux stops it.
So if I'm reading this correctly, a user with sudo privileges can elevate a command to root? Isn't that counterintuitive if the user has already been given sudo privileges??
Or, with this vuln, if a command is run as root, it would not show that his or her account invoked the command?
I mean yeah, if anyone is able to run as root other than as intended, it should be patched immediately, but I'm not seeing how this is devastating. Maybe I just haven't had my morning Monster™ yet.
The flaw actually resides in the way Sudo parsed "tty" information from the process status file in the proc filesystem.
On Linux machines, sudo parses the /proc/[pid]/stat file in order to determine the device number of the process's tty from field 7 (tty_nr), Qualys Security explains in its advisory.
Although the fields in the file are space-delimited, it is possible for field 2 (the command name) to include whitespace (including newline), which sudo doesn't account for.
Therefore, a local user with sudo privileges (Sudoer) on SELinux-enabled systems can cause sudo to use a device number of his choice "by creating a symbolic link from the sudo binary to a name that contains a space, followed by a number," escalating their privileges to overwrite any file on the filesystem, including root-owned files.
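To make the field-7 problem concrete, here is an added example of my own (not sudo's source and not the Qualys PoC) that parses a /proc/[pid]/stat line two ways: the space-counting approach the advisory describes as vulnerable, and a hardened version that anchors on the last ')' of the complete file contents, since the command name in parentheses is the only field that may contain whitespace. The two stat lines are constructed with made-up values; the spoofed one assumes the process was started through a symlink whose 15-byte name is "a b c d e 999 z", which the kernel copies into the comm field.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Constructed sample contents of /proc/[pid]/stat (made-up values, not captured
 * from a real box). Layout per proc(5): field 1 pid, field 2 comm in parentheses,
 * field 3 state, ..., field 7 tty_nr (device number of the controlling tty).
 */
static const char STAT_NORMAL[] =
    "4242 (sudo) S 4100 4242 4100 34816 4242 4194304 0 0 0 0 0 0 0 0 20 0 1 0 1000\n";

/*
 * Same process after being started through a symlink to the sudo binary whose
 * name contains spaces and a number (assumed name "a b c d e 999 z", 15 bytes,
 * the maximum comm length). "999" now sits where a space-counting parser
 * expects field 7.
 */
static const char STAT_SPOOFED[] =
    "4242 (a b c d e 999 z) S 4100 4242 4100 34816 4242 4194304 0 0 0 0 0 0 0 0 20 0 1 0 1000\n";

/* Vulnerable approach: treat the whole line as space-delimited and walk to the
 * 7th field. Returns -1 if the line has fewer than 7 fields. */
long tty_nr_naive(const char *stat)
{
    const char *cp = stat;
    int field;

    for (field = 1; field < 7; field++) {
        cp = strchr(cp, ' ');
        if (cp == NULL)
            return -1;
        cp++;
    }
    return strtol(cp, NULL, 10);
}

/* Hardened approach: comm is the only field that may contain whitespace (or
 * ')' or '\n'), and it is always wrapped in parentheses, so anchor on the LAST
 * ')' in the buffer and count fields from field 3 onward. The buffer must be
 * the complete file contents, not a single fgets() line, otherwise a newline
 * inside comm cuts it off before the real ')'. Returns -1 on malformed input. */
long tty_nr_anchored(const char *stat)
{
    const char *cp = strrchr(stat, ')');
    char *ep;
    long val;
    int field;

    if (cp == NULL)
        return -1;
    cp++;                                   /* at the space before field 3 */

    /* Skip fields 3..6; each is introduced by exactly one space. */
    for (field = 3; field < 7; field++) {
        if (*cp != ' ')
            return -1;
        cp++;
        while (*cp != ' ' && *cp != '\0')
            cp++;
    }
    if (*cp != ' ')
        return -1;
    cp++;

    val = strtol(cp, &ep, 10);
    /* Field 7 must be a non-negative integer terminated by the next separator. */
    if (ep == cp || *ep != ' ' || val < 0)
        return -1;
    return val;
}

int main(void)
{
    printf("normal : naive=%ld anchored=%ld\n",
           tty_nr_naive(STAT_NORMAL), tty_nr_anchored(STAT_NORMAL));
    printf("spoofed: naive=%ld anchored=%ld\n",
           tty_nr_naive(STAT_SPOOFED), tty_nr_anchored(STAT_SPOOFED));
    return 0;
}
```

Build with `cc -Wall -o statparse statparse.c` and run it: the naive parser returns the real device number 34816 for the normal line but the attacker-chosen 999 for the spoofed one, while the anchored parser returns 34816 for both. The point of the strrchr() anchor is that the attacker controls what comes before the real ')' but nothing after it.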
Didn't dig into this, but I don't think it affects systems with dedicated SELinux users, since SELinux doesn't care about uids, and doesn't care if a process is running as root: the process can only access what it's separately given permission to. MAC > DAC. So my wild guess is that this affects unconfined processes only. Hat off to Samsung that all their Android phones separate each app with MCS.