Title: Debian OpenSSH SELinux Privilege Escalation Vulnerability
Severity: CRITICAL
Description:
Debian Linux can be configured to use SELinux extensions. OpenSSH may also be configured to use SELinux and to interface with the role-based privilege system.
Debian Linux is prone to an SELinux privilege-escalation vulnerability due to a flaw in its OpenSSH package.
Specifically, when remote users authenticate against a vulnerable OpenSSH server, their username can contain extra information, including the SELinux role they wish to use upon a successful login. Usernames containing a trailing ':/<role>' will be parsed as the user requesting the '<role>' SELinux role; the system will improperly grant the role privileges to the user. This reportedly occurs without proper validation or privilege checking.
Successfully exploiting this issue allows attackers who can successfully authenticate against affected OpenSSH servers to gain access to any configured SELinux role. This may allow them elevated privileges, facilitating the complete compromise of affected computers.
Note that OpenSSH must be configured with '--with-selinux' for this vulnerability to be exposed.
Information regarding specific affected packages of OpenSSH running on Debian Linux is not available. Other derivative versions and operating systems may also be affected.
Affected Products:
- Debian Linux 4.0
- Debian Linux 4.0 alpha
- Debian Linux 4.0 amd64
- Debian Linux 4.0 arm
- Debian Linux 4.0 hppa
- Debian Linux 4.0 ia-32
- Debian Linux 4.0 ia-64
- Debian Linux 4.0 m68k
- Debian Linux 4.0 mips
- Debian Linux 4.0 mipsel
- Debian Linux 4.0 powerpc
- Debian Linux 4.0 s/390
- Debian Linux 4.0 sparc
References:
- Debian: Debian Homepage