{
  "threat_severity" : "Moderate",
  "public_date" : "2021-01-11T00:00:00Z",
  "bugzilla" : {
    "description" : "sudo: symbolic link attack in SELinux-enabled sudoedit",
    "id" : "1915053",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1915053"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.8",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-367->CWE-59",
  "details" : [ "selinux_edit_copy_tfiles in sudoedit in Sudo before 1.9.5 allows a local unprivileged user to gain file ownership and escalate privileges by replacing a temporary file with a symlink to an arbitrary file target. This affects SELinux RBAC support in permissive mode. Machines without SELinux are not vulnerable.", "A race condition vulnerability was found in the temporary file handling of sudoedit's SELinux RBAC support. On systems where SELinux is enabled, this flaw allows a malicious user with sudoedit permissions to set the owner of an arbitrary file to the user ID of the target user, potentially leading to local privilege escalation. The highest threat from this vulnerability is to confidentiality and integrity, as well as system availability." ],
  "statement" : "SELinux enforcing mode is the default and recommended mode of operation in Red Hat Enterprise Linux. Moreover, the symbolic link protection is enabled by default, thus preventing this issue from being exploited. Therefore, this flaw has been rated as having a security impact of Low for Red Hat Enterprise Linux.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2021-05-18T00:00:00Z",
    "advisory" : "RHSA-2021:1723",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "sudo-0:1.8.29-7.el8",
    "impact" : "low"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 5",
    "fix_state" : "Out of support scope",
    "package_name" : "sudo",
    "cpe" : "cpe:/o:redhat:enterprise_linux:5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "sudo",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "sudo",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "sudo",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2021-23240\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-23240\nhttps://www.sudo.ws/alerts/sudoedit_selinux.html" ],
  "name" : "CVE-2021-23240",
  "mitigation" : {
    "value" : "* Enable SELinux in enforcing mode.\n* Enable the symbolic link protection (/proc/sys/fs/protected_symlinks set to 1).\n* Remove the `sesh` binary (/usr/libexec/sudo/sesh or /usr/lib/sudo/sesh) if SELinux RBAC support is not needed.",
    "lang" : "en:us"
  },
  "csaw" : false
}