
Cloud Vulnerability DB
A community-led vulnerabilities database
OpenDoas through version 6.8.2 contains a privilege escalation vulnerability (CVE-2023-28339) when TIOCSTI is available, allowing attackers to escalate privileges by sharing a terminal with the original session. The vulnerability was discovered in March 2023. It affects OpenDoas installations on systems where TIOCSTI is enabled, notably on Linux systems prior to kernel 6.2. It's worth noting that TIOCSTI is unavailable in OpenBSD 6.0 and later, making those systems immune to this vulnerability (NVD, Debian Tracker).
The vulnerability has a CVSS v3.1 Base Score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The issue stems from the ability to use the TIOCSTI ioctl to inject characters into a terminal's input buffer when sharing a terminal session. This vulnerability exists because OpenDoas does not create a separate pseudo-terminal for privileged sessions, unlike other similar tools that implement the --pty argument for better security (NVD, GitHub Issue).
When exploited, this vulnerability allows attackers to execute arbitrary commands with elevated privileges by injecting characters into the terminal's input buffer. This can lead to complete system compromise through privilege escalation, particularly in environments where TIOCSTI is available (GitHub Issue).
The primary mitigation is to upgrade to Linux kernel 6.2 or later where TIOCSTI can be disabled. For systems that cannot be upgraded, administrators can disable TIOCSTI functionality through kernel configuration (CONFIG_LEGACY_TIOCSTI). OpenBSD users are not affected as TIOCSTI is unavailable in OpenBSD 6.0 and later (NVD).
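The conditions above can be checked per host. The following is an added example, not part of the original advisory or of OpenDoas. It assumes the Linux 6.2+ runtime switch is the `dev.tty.legacy_tiocsti` sysctl and that the operator supplies the installed OpenDoas version; the function names are hypothetical.

```sh
#!/bin/sh
# Added example: classify a Linux host's exposure to the TIOCSTI issue described above.
# Assumption: dev.tty.legacy_tiocsti (Linux 6.2+) is the runtime switch for TIOCSTI.

# kernel_has_switch RELEASE -> exit 0 if RELEASE (uname -r style) is 6.2 or later
kernel_has_switch() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%[!0-9]*}
    case "$major" in ''|*[!0-9]*) return 2 ;; esac   # unparseable release
    case "$minor" in ''|*[!0-9]*) return 2 ;; esac
    [ "$major" -gt 6 ] || { [ "$major" -eq 6 ] && [ "$minor" -ge 2 ]; }
}

# version_le A B -> exit 0 if dotted numeric version A <= B
version_le() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*} y=${b%%.*}
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
        case "$a" in *.*) a=${a#*.} ;; *) a= ;; esac
        case "$b" in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# doas_tiocsti_exposure RELEASE SYSCTL_VALUE DOAS_VERSION -> prints one verdict
doas_tiocsti_exposure() {
    version_le "$3" 6.8.2 || { echo not-in-advisory-range; return 0; }
    if ! kernel_has_switch "$1"; then
        echo exposed-no-kernel-switch   # pre-6.2 (or unparseable): cannot disable
    elif [ "$2" = 0 ]; then
        echo mitigated                  # dev.tty.legacy_tiocsti=0
    else
        echo exposed-switch-on          # fix: sysctl -w dev.tty.legacy_tiocsti=0
    fi
}

# Live check: ./script.sh <installed OpenDoas version, e.g. from the package manager>
if [ "$#" -gt 0 ]; then
    val=$(cat /proc/sys/dev/tty/legacy_tiocsti 2>/dev/null || true)
    doas_tiocsti_exposure "$(uname -r)" "$val" "$1"
fi
```

A verdict of `exposed-switch-on` means the kernel supports the switch but it is still enabled; persist the sysctl in `/etc/sysctl.d/` so the setting survives a reboot.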
Source: This report was generated using AI