Lucene search

K
archlinuxArchLinuxASA-201910-9
HistoryOct 16, 2019 - 12:00 a.m.

[ASA-201910-9] sudo: privilege escalation

2019-10-1600:00:00
security.archlinux.org
44

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

9 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:S/C:C/I:C/A:C

0.308 Low

EPSS

Percentile

96.9%

Arch Linux Security Advisory ASA-201910-9

Severity: High
Date : 2019-10-16
CVE-ID : CVE-2019-14287
Package : sudo
Type : privilege escalation
Remote : No
Link : https://security.archlinux.org/AVG-1047

Summary

The package sudo before version 1.8.28-1 is vulnerable to privilege
escalation.

Resolution

Upgrade to 1.8.28-1.

pacman -Syu “sudo>=1.8.28-1”

The problem has been fixed upstream in version 1.8.28.

Workaround

This vulnerability only affects configurations of sudo that have a
runas user list that includes an exclusion of root. The most simple
example is:

someuser ALL=(ALL, !root) /usr/bin/somecommand

The exclusion is specified using an excalamation mark (!). In this
example, the “root” user is specified by name. The root user may also
be identified in other ways, such as by user id:

someuser ALL=(ALL, !#0) /usr/bin/somecommand

or by reference to a runas alias:

Runas_Alias MYGROUP = root, adminuser
someuser ALL=(ALL, !MYGROUP) /usr/bin/somecommand

To ensure your sudoers configuration is not affected by this
vulnerability, we recommend examining each sudoers entry that includes
the ! character in the runas specification, to ensure that the root
user is not among the exclusions. These can be found in the
/etc/sudoers file or files under /etc/sudoers.d.

Description

A flaw was found in the way sudo prior to 1.8.28 implemented running
commands with arbitrary user ID. If a sudoers entry is written to allow
the attacker to run a command as any user except root, this flaw can be
used by the attacker to bypass that restriction.

Impact

A local attacker is able to gain root privileges when sudo is
configured to have a runas user list that includes an exclusion of
root.

References

https://www.sudo.ws/alerts/minus_1_uid.html
https://www.sudo.ws/repos/sudo/rev/83db8dba09e7
https://security.archlinux.org/CVE-2019-14287

OSVersionArchitecturePackageVersionFilename
ArchLinuxanyanysudo< 1.8.28-1UNKNOWN

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

9 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:S/C:C/I:C/A:C

0.308 Low

EPSS

Percentile

96.9%