ID FEDORA:B0ACC6077DFD Type fedora Reporter Fedora Modified 2015-11-08T06:54:18
Description
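Sudo (superuser do) allows a system administrator to give certain users (or groups of users) the ability to run some (or all) commands as root while logging all commands and arguments. Sudo operates on a per-command basis. It is not a replacement for the shell. Features include: the ability to restrict what commands a user may run on a per-host basis, copious logging of each command (providing a clear audit trail of who did what), a configurable timeout of the sudo command, and the ability to use the same configuration file (sudoers) on many different machines. This record is the Fedora 23 update to sudo-1.8.15-1.fc23, which the bulletin associates with CVE-2015-5602: sudoedit in sudo before 1.8.15 lets a local user gain privileges through a symlink when the permitted path in /etc/sudoers uses multiple wildcards (for example /home/*/*/file.txt). Besides installing the update, audit sudoers for sudoedit rules whose paths contain wildcards or point into directories the granted user can write to.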
{"id": "FEDORA:B0ACC6077DFD", "type": "fedora", "bulletinFamily": "unix", "title": "[SECURITY] Fedora 23 Update: sudo-1.8.15-1.fc23", "description": "Sudo (superuser do) allows a system administrator to give certain users (or groups of users) the ability to run some (or all) commands as root while logging all commands and arguments. Sudo operates on a per-command basis. It is not a replacement for the shell. Features include: the ability to restrict what commands a user may run on a per-host basis, copious logging of each command (providing a clear audit trail of who did what), a configurable timeout of the sudo command, and the ability to use the same configuration file (sudoers) on many different machines. ", "published": "2015-11-08T06:54:18", "modified": "2015-11-08T06:54:18", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "href": "", "reporter": "Fedora", "references": [], "cvelist": ["CVE-2015-5602"], "lastseen": "2020-12-21T08:17:53", "viewCount": 0, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2015-5602"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310806592", "OPENVAS:703440", "OPENVAS:1361412562310131126", "OPENVAS:1361412562310703440"]}, {"type": "zdt", "idList": ["1337DAY-ID-23943"]}, {"type": "exploitdb", "idList": ["EDB-ID:37710"]}, {"type": "nessus", "idList": ["DEBIAN_DSA-3440.NASL", "FEDORA_2015-6A267387C0.NASL", "DEBIAN_DLA-382.NASL", "FEDORA_2015-386863DF8A.NASL", "GENTOO_GLSA-201606-13.NASL", "FREEBSD_PKG_2E8CDD36C3CC11E5B5FE002590263BF5.NASL"]}, {"type": "debian", "idList": ["DEBIAN:DSA-3440-1:A4BCC", "DEBIAN:DLA-382-1:9CF72"]}, {"type": "gentoo", "idList": ["GLSA-201606-13"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:C870A4381531CEEA5471F8EF1086D774"]}, {"type": "seebug", "idList": ["SSV:89279"]}, {"type": "freebsd", "idList": ["2E8CDD36-C3CC-11E5-B5FE-002590263BF5"]}, {"type": "fedora", "idList": ["FEDORA:C66CE60876AA"]}], "modified": "2020-12-21T08:17:53", "rev": 2}, 
"score": {"value": 5.2, "vector": "NONE", "modified": "2020-12-21T08:17:53", "rev": 2}, "vulnersScore": 5.2}, "affectedPackage": [{"OS": "Fedora", "OSVersion": "23", "arch": "any", "packageName": "sudo", "packageVersion": "1.8.15", "packageFilename": "UNKNOWN", "operator": "lt"}]}
{"cve": [{"lastseen": "2020-12-09T20:03:06", "description": "sudoedit in Sudo before 1.8.15 allows local users to gain privileges via a symlink attack on a file whose full path is defined using multiple wildcards in /etc/sudoers, as demonstrated by \"/home/*/*/file.txt.\"", "edition": 5, "cvss3": {}, "published": "2015-11-17T15:59:00", "title": "CVE-2015-5602", "type": "cve", "cwe": ["CWE-264"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-5602"], "modified": "2016-12-07T18:17:00", "cpe": ["cpe:/a:sudo_project:sudo:1.8.14"], "id": "CVE-2015-5602", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5602", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:sudo_project:sudo:1.8.14:*:*:*:*:*:*:*"]}], "openvas": [{"lastseen": "2019-05-29T18:36:47", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-5602"], "description": "Mageia Linux Local Security Checks mgasa-2015-0443", "modified": "2018-09-28T00:00:00", "published": "2015-11-11T00:00:00", "id": "OPENVAS:1361412562310131126", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310131126", "type": "openvas", "title": "Mageia Linux Local Check: mgasa-2015-0443", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: mgasa-2015-0443.nasl 11692 2018-09-28 16:55:19Z cfischer $\n#\n# Mageia Linux security check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@solinor.com>\n#\n# Copyright:\n# Copyright (c) 2015 Eero 
Volotinen, http://www.solinor.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.131126\");\n script_version(\"$Revision: 11692 $\");\n script_tag(name:\"creation_date\", value:\"2015-11-11 09:58:15 +0200 (Wed, 11 Nov 2015)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-09-28 18:55:19 +0200 (Fri, 28 Sep 2018) $\");\n script_name(\"Mageia Linux Local Check: mgasa-2015-0443\");\n script_tag(name:\"insight\", value:\"An unauthorized privilege escalation was found in sudoedit in sudo before 1.8.15 when a user is granted with root access to modify a particular file that could be located in a subset of directories. It seems that sudoedit does not check the full path if a wildcard is used twice (e.g. /home/*/*/file.txt), allowing a malicious user to replace the file.txt real file with a symbolic link to a different location (e.g. /etc/shadow), which results in unauthorized access (CVE-2015-5602). The sudo package has been updated to version 1.8.15, which fixes this issue, and also includes many other bug fixes and changes. 
See the upstream change log for details.\");\n script_tag(name:\"solution\", value:\"Update the affected packages to the latest available version.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://advisories.mageia.org/MGASA-2015-0443.html\");\n script_cve_id(\"CVE-2015-5602\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/mageia_linux\", \"ssh/login/release\", re:\"ssh/login/release=MAGEIA5\");\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"summary\", value:\"Mageia Linux Local Security Checks mgasa-2015-0443\");\n script_copyright(\"Eero Volotinen\");\n script_family(\"Mageia Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"MAGEIA5\")\n{\nif ((res = isrpmvuln(pkg:\"sudo\", rpm:\"sudo~1.8.15~1.mga5\", rls:\"MAGEIA5\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2017-07-24T12:54:59", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-5602"], "description": "When sudo is configured to allow a user to\nedit files under a directory that they can already write to without using sudo, they\ncan actually edit (read and write) arbitrary files. 
Daniel Svartman reported that a\nconfiguration like this might be introduced unintentionally if the\neditable files are specified using wildcards, for example:\n\noperator ALL=(root) sudoedit /home/*/*/test.txt \nThe default behaviour of sudo has been changed so that it does not allow\nediting of a file in a directory that the user can write to, or that is\nreached by following a symlink in a directory that the user can write\nto. These restrictions can be disabled, but this is strongly\ndiscouraged.", "modified": "2017-07-07T00:00:00", "published": "2016-01-11T00:00:00", "id": "OPENVAS:703440", "href": "http://plugins.openvas.org/nasl.php?oid=703440", "type": "openvas", "title": "Debian Security Advisory DSA 3440-1 (sudo - security update)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_3440.nasl 6608 2017-07-07 12:05:05Z cfischer $\n# Auto-generated from advisory DSA 3440-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2016 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\n\nif(description)\n{\n script_id(703440);\n script_version(\"$Revision: 6608 $\");\n script_cve_id(\"CVE-2015-5602\");\n script_name(\"Debian Security Advisory DSA 3440-1 (sudo - security update)\");\n script_tag(name: \"last_modification\", value: \"$Date: 2017-07-07 14:05:05 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name: \"creation_date\", value: \"2016-01-11 00:00:00 +0100 (Mon, 11 Jan 2016)\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name: \"solution_type\", value: \"VendorFix\");\n script_tag(name: \"qod_type\", value: \"package\");\n\n script_xref(name: \"URL\", value: \"http://www.debian.org/security/2016/dsa-3440.html\");\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2016 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name: \"affected\", value: \"sudo on Debian Linux\");\n script_tag(name: \"insight\", value: \"Sudo is a program designed to allow a\nsysadmin to give limited root privileges to users and log root activity. 
The basic\nphilosophy is to give as few privileges as possible but still allow people to get\ntheir work done.\");\n script_tag(name: \"solution\", value: \"For the oldstable distribution (wheezy),\nthis problem has been fixed in version 1.8.5p2-1+nmu3+deb7u1.\n\nFor the stable distribution (jessie), this problem has been fixed in\nversion 1.8.10p3-1+deb8u3.\n\nFor the testing distribution (stretch), this problem has been fixed\nin version 1.8.15-1.1.\n\nFor the unstable distribution (sid), this problem has been fixed in\nversion 1.8.15-1.1.\n\nWe recommend that you upgrade your sudo packages.\");\n script_tag(name: \"summary\", value: \"When sudo is configured to allow a user to\nedit files under a directory that they can already write to without using sudo, they\ncan actually edit (read and write) arbitrary files. Daniel Svartman reported that a\nconfiguration like this might be introduced unintentionally if the\neditable files are specified using wildcards, for example:\n\noperator ALL=(root) sudoedit /home/*/*/test.txt \nThe default behaviour of sudo has been changed so that it does not allow\nediting of a file in a directory that the user can write to, or that is\nreached by following a symlink in a directory that the user can write\nto. 
These restrictions can be disabled, but this is strongly\ndiscouraged.\");\n script_tag(name: \"vuldetect\", value: \"This check tests the installed software version\nusing the apt package manager.\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"sudo\", ver:\"1.8.10p3-1+deb8u3\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"sudo-ldap\", ver:\"1.8.10p3-1+deb8u3\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"sudo\", ver:\"1.8.5p2-1+nmu3+deb7u1\", rls_regex:\"DEB7.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"sudo-ldap\", ver:\"1.8.5p2-1+nmu3+deb7u1\", rls_regex:\"DEB7.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"sudo\", ver:\"1.8.15-1.1\", rls_regex:\"DEB9.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"sudo-ldap\", ver:\"1.8.15-1.1\", rls_regex:\"DEB9.[0-9]+\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-05-29T18:35:28", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-5602"], "description": "When sudo is configured to allow a user to\nedit files under a directory that they can already write to without using sudo, they\ncan actually edit (read and write) arbitrary files. 
Daniel Svartman reported that a\nconfiguration like this might be introduced unintentionally if the\neditable files are specified using wildcards, for example:\n\noperator ALL=(root) sudoedit /home/*/*/test.txt\nThe default behaviour of sudo has been changed so that it does not allow\nediting of a file in a directory that the user can write to, or that is\nreached by following a symlink in a directory that the user can write\nto. These restrictions can be disabled, but this is strongly\ndiscouraged.", "modified": "2019-03-18T00:00:00", "published": "2016-01-11T00:00:00", "id": "OPENVAS:1361412562310703440", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310703440", "type": "openvas", "title": "Debian Security Advisory DSA 3440-1 (sudo - security update)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_3440.nasl 14279 2019-03-18 14:48:34Z cfischer $\n# Auto-generated from advisory DSA 3440-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2016 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.703440\");\n script_version(\"$Revision: 14279 $\");\n script_cve_id(\"CVE-2015-5602\");\n script_name(\"Debian Security Advisory DSA 3440-1 (sudo - security update)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-18 15:48:34 +0100 (Mon, 18 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-01-11 00:00:00 +0100 (Mon, 11 Jan 2016)\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"http://www.debian.org/security/2016/dsa-3440.html\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2016 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB(8|7|9)\");\n script_tag(name:\"affected\", value:\"sudo on Debian Linux\");\n script_tag(name:\"solution\", value:\"For the oldstable distribution (wheezy),\nthis problem has been fixed in version 1.8.5p2-1+nmu3+deb7u1.\n\nFor the stable distribution (jessie), this problem has been fixed in\nversion 1.8.10p3-1+deb8u3.\n\nFor the testing distribution (stretch), this problem has been fixed\nin version 1.8.15-1.1.\n\nFor the unstable distribution (sid), this problem has been fixed in\nversion 1.8.15-1.1.\n\nWe recommend that you upgrade your sudo packages.\");\n script_tag(name:\"summary\", value:\"When sudo is configured to 
allow a user to\nedit files under a directory that they can already write to without using sudo, they\ncan actually edit (read and write) arbitrary files. Daniel Svartman reported that a\nconfiguration like this might be introduced unintentionally if the\neditable files are specified using wildcards, for example:\n\noperator ALL=(root) sudoedit /home/*/*/test.txt\nThe default behaviour of sudo has been changed so that it does not allow\nediting of a file in a directory that the user can write to, or that is\nreached by following a symlink in a directory that the user can write\nto. These restrictions can be disabled, but this is strongly\ndiscouraged.\");\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software version\nusing the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif((res = isdpkgvuln(pkg:\"sudo\", ver:\"1.8.10p3-1+deb8u3\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"sudo-ldap\", ver:\"1.8.10p3-1+deb8u3\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"sudo\", ver:\"1.8.5p2-1+nmu3+deb7u1\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"sudo-ldap\", ver:\"1.8.5p2-1+nmu3+deb7u1\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"sudo\", ver:\"1.8.15-1.1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"sudo-ldap\", ver:\"1.8.15-1.1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99);\n}", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:35:56", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-5602"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2015-11-09T00:00:00", "id": "OPENVAS:1361412562310806592", 
"href": "http://plugins.openvas.org/nasl.php?oid=1361412562310806592", "type": "openvas", "title": "Fedora Update for sudo FEDORA-2015-6", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for sudo FEDORA-2015-6\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.806592\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2015-11-09 06:08:48 +0100 (Mon, 09 Nov 2015)\");\n script_cve_id(\"CVE-2015-5602\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for sudo FEDORA-2015-6\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'sudo'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is 
present on the target host.\");\n script_tag(name:\"affected\", value:\"sudo on Fedora 22\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2015-6\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/pipermail/package-announce/2015-November/171054.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC22\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC22\")\n{\n\n if ((res = isrpmvuln(pkg:\"sudo\", rpm:\"sudo~1.8.15~1.fc22\", rls:\"FC22\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "freebsd": [{"lastseen": "2019-05-29T18:32:52", "bulletinFamily": "unix", "cvelist": ["CVE-2015-5602"], "description": "\nMITRE reports:\n\nsudoedit in Sudo before 1.8.15 allows local users to gain\n\t privileges via a symlink attack on a file whose full path is defined\n\t using multiple wildcards in /etc/sudoers, as demonstrated by\n\t \"/home/*/*/file.txt.\"\n\n", "edition": 4, "modified": "2015-11-17T00:00:00", "published": "2015-11-17T00:00:00", "id": "2E8CDD36-C3CC-11E5-B5FE-002590263BF5", "href": "https://vuxml.freebsd.org/freebsd/2e8cdd36-c3cc-11e5-b5fe-002590263bf5.html", "title": "sudo -- potential privilege escalation via symlink misconfiguration", "type": "freebsd", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "fedora": [{"lastseen": "2020-12-21T08:17:53", "bulletinFamily": "unix", "cvelist": 
["CVE-2015-5602"], "description": "Sudo (superuser do) allows a system administrator to give certain users (or groups of users) the ability to run some (or all) commands as root while logging all commands and arguments. Sudo operates on a per-command basis. It is not a replacement for the shell. Features include: the ability to restrict what commands a user may run on a per-host basis, copious logging of each command (providing a clear audit trail of who did what), a configurable timeout of the sudo command, and the ability to use the same configuration file (sudoers) on many different machines. ", "modified": "2015-11-08T09:50:38", "published": "2015-11-08T09:50:38", "id": "FEDORA:C66CE60876AA", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 22 Update: sudo-1.8.15-1.fc22", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "seebug": [{"lastseen": "2017-11-19T12:29:59", "description": "<p># Exploit Title: sudo -e - a.k.a. sudoedit - unauthorized privilege escalation</p><p># Date: 07-23-2015</p><p># Exploit Author: Daniel Svartman</p><p># Version: Sudo <=1.8.14</p><p># Tested on: RHEL 5/6/7 and Ubuntu (all versions)</p><p># CVE: CVE-2015-5602.</p><p> </p><p>Hello,</p><p> </p><p>I found a security bug in sudo (checked in the latest versions of sudo</p><p>running on RHEL and ubuntu) when a user is granted with root access to</p><p>modify a particular file that could be located in a subset of directories.</p><p> </p><p>It seems that sudoedit does not check the full path if a wildcard is used</p><p>twice (e.g. 
/home/*/*/file.txt), allowing a malicious user to replace the</p><p>file.txt real file with a symbolic link to a different location (e.g.</p><p>/etc/shadow).</p><p> </p><p>I was able to perform such redirect and retrieve the data from the</p><p>/etc/shadow file.</p><p> </p><p>I checked this against fixed directories and files (not using a wildcard)</p><p>and it does work with symbolic links created under the /home folder.</p>\r\n<p>\r\nIn order for you to replicate this, you should configure the following line\r\n<p>\r\nin your /etc/sudoers file:\r\n</p><p>\r\n \r\n\r\n<user_to_grant_priv> ALL=(root) NOPASSWD: sudoedit /home/*/*/test.txt\r\n</p><p>\r\n \r\n\r\nThen, logged as that user, create a subdirectory within its home folder\r\n</p><p>\r\n(e.g. /home/<user_to_grant_priv>/newdir) and later create a symbolic link\r\n\r\ninside the new folder named test.txt pointing to /etc/shadow.\r\n</p><p>\r\n \r\n\r\nWhen you run sudoedit /home/<user_to_grant_priv>/newdir/test.txt you will\r\n</p><p>\r\nbe allowed to access the /etc/shadow even if have not been granted with\r\n</p><p>\r\nsuch access in the sudoers file.</p>", "published": "2015-09-01T00:00:00", "type": "seebug", "title": "Sudo <= 1.8.14 - Unauthorized Privilege", "bulletinFamily": "exploit", "cvelist": ["CVE-2015-5602"], "modified": "2015-09-01T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-89279", "id": "SSV:89279", "sourceData": "", "sourceHref": "", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "gentoo": [{"lastseen": "2016-09-06T19:46:38", "bulletinFamily": "unix", "cvelist": ["CVE-2015-5602"], "edition": 1, "description": "### Background\n\nsudo (su \u201cdo\u201d) allows a system administrator to delegate authority to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while providing an audit trail of the commands and their arguments. 
\n\n### Description\n\nsudoedit in sudo is vulnerable to the escalation of privileges by local users via a symlink attack. This can be exploited by a file whose full path is defined using multiple wildcards in /etc/sudoers, as demonstrated by \u201c/home/*/*/file.txt.\u201d \n\n### Impact\n\nLocal users are able to gain unauthorized privileges on the system.\n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll sudo users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=app-admin/sudo-1.8.15-r1\"", "modified": "2016-06-26T00:00:00", "published": "2016-06-26T00:00:00", "id": "GLSA-201606-13", "href": "https://security.gentoo.org/glsa/201606-13", "type": "gentoo", "title": "sudo: Unauthorized privilege escalation in sudoedit", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "debian": [{"lastseen": "2020-11-11T13:11:21", "bulletinFamily": "unix", "cvelist": ["CVE-2015-5602"], "description": "Package\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0: sudo\nVersion\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0: 1.7.4p4-2.squeeze.6\nCVE ID\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0: CVE-2015-5602\nDebian Bug\u00a0\u00a0\u00a0\u00a0\u00a0: 804149\n\nWhen sudo is configured to allow a user to edit files under a\ndirectory that they can already write to without using sudo, they can\nactually edit (read and write) arbitrary files.\u00a0\u00a0Daniel Svartman\nreported that a configuration like this might be introduced\nunintentionally if the editable files are specified using wildcards,\nfor example:\n\n\u00a0\u00a0\u00a0\u00a0operator ALL=(root) sudoedit /home/*/*/test.txt\n\nThe default behaviour of sudo has been changed so that it does not\nallow editing of a file in a directory that the user can write to, or\nthat is reached by following a symlink in a directory that the user\ncan write to.\u00a0\u00a0These restrictions can be 
disabled, but this is\nstrongly discouraged.\n\nFor the oldoldstable distribution (squeeze), this has been fixed in\nversion 1.7.4p4-2.squeeze.6.\n\nFor the oldstable distribution (wheezy) and the stable distribution\n(jessie), this will be fixed soon.\n\n-- \nBen Hutchings - Debian developer, member of Linux kernel and LTS teams\n\n\n", "edition": 7, "modified": "2016-01-11T01:55:39", "published": "2016-01-11T01:55:39", "id": "DEBIAN:DLA-382-1:9CF72", "href": "https://lists.debian.org/debian-lts-announce/2016/debian-lts-announce-201601/msg00005.html", "title": "[SECURITY] [DLA 382-1] sudo security update", "type": "debian", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-08-12T01:01:35", "bulletinFamily": "unix", "cvelist": ["CVE-2015-5602"], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-3440-1 security@debian.org\nhttps://www.debian.org/security/ Ben Hutchings\nJanuary 11, 2016 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : sudo\nCVE ID : CVE-2015-5602\nDebian Bug : 804149\n\nWhen sudo is configured to allow a user to edit files under a directory\nthat they can already write to without using sudo, they can actually\nedit (read and write) arbitrary files. Daniel Svartman reported that a\nconfiguration like this might be introduced unintentionally if the\neditable files are specified using wildcards, for example:\n\n operator ALL=(root) sudoedit /home/*/*/test.txt\n\nThe default behaviour of sudo has been changed so that it does not allow\nediting of a file in a directory that the user can write to, or that is\nreached by following a symlink in a directory that the user can write\nto. 
These restrictions can be disabled, but this is strongly\ndiscouraged.\n\nFor the oldstable distribution (wheezy), this problem has been fixed\nin version 1.8.5p2-1+nmu3+deb7u1.\n\nFor the stable distribution (jessie), this problem has been fixed in\nversion 1.8.10p3-1+deb8u3.\n\nFor the testing distribution (stretch), this problem has been fixed\nin version 1.8.15-1.1.\n\nFor the unstable distribution (sid), this problem has been fixed in\nversion 1.8.15-1.1.\n\nWe recommend that you upgrade your sudo packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 11, "modified": "2016-01-11T13:44:04", "published": "2016-01-11T13:44:04", "id": "DEBIAN:DSA-3440-1:A4BCC", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2016/msg00009.html", "title": "[SECURITY] [DSA 3440-1] sudo security update", "type": "debian", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "zdt": [{"lastseen": "2018-01-08T21:01:29", "edition": 2, "description": "Exploit for linux platform in category local exploits", "published": "2015-07-30T00:00:00", "type": "zdt", "title": "Sudo 1.8.14 - Unauthorized Privilege Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2015-5602"], "modified": "2015-07-30T00:00:00", "id": "1337DAY-ID-23943", "href": "https://0day.today/exploit/description/23943", "sourceData": "# Exploit Title: sudo -e - a.k.a. 
sudoedit - unauthorized privilege escalation\r\n# Date: 07-23-2015\r\n# Exploit Author: Daniel Svartman\r\n# Version: Sudo <=1.8.14\r\n# Tested on: RHEL 5/6/7 and Ubuntu (all versions)\r\n# CVE: CVE-2015-5602.\r\n \r\nHello,\r\n \r\nI found a security bug in sudo (checked in the latest versions of sudo\r\nrunning on RHEL and ubuntu) when a user is granted with root access to\r\nmodify a particular file that could be located in a subset of directories.\r\n \r\nIt seems that sudoedit does not check the full path if a wildcard is used\r\ntwice (e.g. /home/*/*/file.txt), allowing a malicious user to replace the\r\nfile.txt real file with a symbolic link to a different location (e.g.\r\n/etc/shadow).\r\n \r\nI was able to perform such redirect and retrieve the data from the\r\n/etc/shadow file.\r\n \r\nIn order for you to replicate this, you should configure the following line\r\nin your /etc/sudoers file:\r\n \r\n<user_to_grant_priv> ALL=(root) NOPASSWD: sudoedit /home/*/*/test.txt\r\n \r\nThen, logged as that user, create a subdirectory within its home folder\r\n(e.g. 
/home/<user_to_grant_priv>/newdir) and later create a symbolic link\r\ninside the new folder named test.txt pointing to /etc/shadow.\r\n \r\nWhen you run sudoedit /home/<user_to_grant_priv>/newdir/test.txt you will\r\nbe allowed to access the /etc/shadow even if have not been granted with\r\nsuch access in the sudoers file.\r\n \r\nI checked this against fixed directories and files (not using a wildcard)\r\nand it does work with symbolic links created under the /home folder.\n\n# 0day.today [2018-01-08] #", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/23943"}], "exploitpack": [{"lastseen": "2020-04-01T19:04:49", "description": "\nSudo 1.8.14 (RHEL 567 Ubuntu) - Sudoedit Unauthorized Privilege Escalation", "edition": 1, "published": "2015-07-28T00:00:00", "title": "Sudo 1.8.14 (RHEL 567 Ubuntu) - Sudoedit Unauthorized Privilege Escalation", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2015-5602"], "modified": "2015-07-28T00:00:00", "id": "EXPLOITPACK:C870A4381531CEEA5471F8EF1086D774", "href": "", "sourceData": "# Exploit Title: sudo -e - a.k.a. sudoedit - unauthorized privilege escalation\n# Date: 07-23-2015\n# Exploit Author: Daniel Svartman\n# Version: Sudo <=1.8.14\n# Tested on: RHEL 5/6/7 and Ubuntu (all versions)\n# CVE: CVE-2015-5602.\n\nHello,\n\nI found a security bug in sudo (checked in the latest versions of sudo\nrunning on RHEL and ubuntu) when a user is granted with root access to\nmodify a particular file that could be located in a subset of directories.\n\nIt seems that sudoedit does not check the full path if a wildcard is used\ntwice (e.g. 
/home/*/*/file.txt), allowing a malicious user to replace the\nfile.txt real file with a symbolic link to a different location (e.g.\n/etc/shadow).\n\nI was able to perform such redirect and retrieve the data from the\n/etc/shadow file.\n\nIn order for you to replicate this, you should configure the following line\nin your /etc/sudoers file:\n\n<user_to_grant_priv> ALL=(root) NOPASSWD: sudoedit /home/*/*/test.txt\n\nThen, logged as that user, create a subdirectory within its home folder\n(e.g. /home/<user_to_grant_priv>/newdir) and later create a symbolic link\ninside the new folder named test.txt pointing to /etc/shadow.\n\nWhen you run sudoedit /home/<user_to_grant_priv>/newdir/test.txt you will\nbe allowed to access the /etc/shadow even if have not been granted with\nsuch access in the sudoers file.\n\nI checked this against fixed directories and files (not using a wildcard)\nand it does work with symbolic links created under the /home folder.", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "exploitdb": [{"lastseen": "2016-02-04T06:25:21", "description": "Sudo <= 1.8.14 - Unauthorized Privilege. CVE-2015-5602. Local exploit for linux platform", "published": "2015-07-28T00:00:00", "type": "exploitdb", "title": "Sudo <= 1.8.14 - Unauthorized Privilege", "bulletinFamily": "exploit", "cvelist": ["CVE-2015-5602"], "modified": "2015-07-28T00:00:00", "id": "EDB-ID:37710", "href": "https://www.exploit-db.com/exploits/37710/", "sourceData": "# Exploit Title: sudo -e - a.k.a. 
sudoedit - unauthorized privilege escalation\r\n# Date: 07-23-2015\r\n# Exploit Author: Daniel Svartman\r\n# Version: Sudo <=1.8.14\r\n# Tested on: RHEL 5/6/7 and Ubuntu (all versions)\r\n# CVE: CVE-2015-5602.\r\n\r\nHello,\r\n\r\nI found a security bug in sudo (checked in the latest versions of sudo\r\nrunning on RHEL and ubuntu) when a user is granted with root access to\r\nmodify a particular file that could be located in a subset of directories.\r\n\r\nIt seems that sudoedit does not check the full path if a wildcard is used\r\ntwice (e.g. /home/*/*/file.txt), allowing a malicious user to replace the\r\nfile.txt real file with a symbolic link to a different location (e.g.\r\n/etc/shadow).\r\n\r\nI was able to perform such redirect and retrieve the data from the\r\n/etc/shadow file.\r\n\r\nIn order for you to replicate this, you should configure the following line\r\nin your /etc/sudoers file:\r\n\r\n<user_to_grant_priv> ALL=(root) NOPASSWD: sudoedit /home/*/*/test.txt\r\n\r\nThen, logged as that user, create a subdirectory within its home folder\r\n(e.g. /home/<user_to_grant_priv>/newdir) and later create a symbolic link\r\ninside the new folder named test.txt pointing to /etc/shadow.\r\n\r\nWhen you run sudoedit /home/<user_to_grant_priv>/newdir/test.txt you will\r\nbe allowed to access the /etc/shadow even if have not been granted with\r\nsuch access in the sudoers file.\r\n\r\nI checked this against fixed directories and files (not using a wildcard)\r\nand it does work with symbolic links created under the /home folder.", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/37710/"}], "nessus": [{"lastseen": "2021-01-12T09:49:21", "description": "When sudo is configured to allow a user to edit files under a\ndirectory that they can already write to without using sudo, they can\nactually edit (read and write) arbitrary files. 
Daniel Svartman\nreported that a configuration like this might be introduced\nunintentionally if the editable files are specified using wildcards,\nfor example :\n\noperator ALL=(root) sudoedit /home/*/*/test.txt\n\nThe default behaviour of sudo has been changed so that it does not\nallow editing of a file in a directory that the user can write to, or\nthat is reached by following a symlink in a directory that the user\ncan write to. These restrictions can be disabled, but this is strongly\ndiscouraged.", "edition": 22, "published": "2016-01-12T00:00:00", "title": "Debian DSA-3440-1 : sudo - security update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-5602"], "modified": "2016-01-12T00:00:00", "cpe": ["cpe:/o:debian:debian_linux:8.0", "cpe:/o:debian:debian_linux:7.0", "p-cpe:/a:debian:debian_linux:sudo"], "id": "DEBIAN_DSA-3440.NASL", "href": "https://www.tenable.com/plugins/nessus/87852", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-3440. 
The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(87852);\n script_version(\"2.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2015-5602\");\n script_xref(name:\"DSA\", value:\"3440\");\n\n script_name(english:\"Debian DSA-3440-1 : sudo - security update\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"When sudo is configured to allow a user to edit files under a\ndirectory that they can already write to without using sudo, they can\nactually edit (read and write) arbitrary files. Daniel Svartman\nreported that a configuration like this might be introduced\nunintentionally if the editable files are specified using wildcards,\nfor example :\n\noperator ALL=(root) sudoedit /home/*/*/test.txt\n\nThe default behaviour of sudo has been changed so that it does not\nallow editing of a file in a directory that the user can write to, or\nthat is reached by following a symlink in a directory that the user\ncan write to. 
These restrictions can be disabled, but this is strongly\ndiscouraged.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=804149\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/wheezy/sudo\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/jessie/sudo\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2016/dsa-3440\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the sudo packages.\n\nFor the oldstable distribution (wheezy), this problem has been fixed\nin version 1.8.5p2-1+nmu3+deb7u1.\n\nFor the stable distribution (jessie), this problem has been fixed in\nversion 1.8.10p3-1+deb8u3.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:sudo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:7.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:8.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/01/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/01/12\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"7.0\", prefix:\"sudo\", reference:\"1.8.5p2-1+nmu3+deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"sudo-ldap\", reference:\"1.8.5p2-1+nmu3+deb7u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"sudo\", reference:\"1.8.10p3-1+deb8u3\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"sudo-ldap\", reference:\"1.8.10p3-1+deb8u3\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-12T09:43:42", "description": "When sudo is configured to allow a user to edit files under a\ndirectory that they can already write to without using sudo, they can\nactually edit (read and write) arbitrary files. Daniel Svartman\nreported that a configuration like this might be introduced\nunintentionally if the editable files are specified using wildcards,\nfor example :\n\noperator ALL=(root) sudoedit /home/*/*/test.txt\n\nThe default behaviour of sudo has been changed so that it does not\nallow editing of a file in a directory that the user can write to, or\nthat is reached by following a symlink in a directory that the user\ncan write to. 
These restrictions can be disabled, but this is strongly\ndiscouraged.\n\nFor the oldoldstable distribution (squeeze), this has been fixed in\nversion 1.7.4p4-2.squeeze.6.\n\nFor the oldstable distribution (wheezy) and the stable distribution\n(jessie), this will be fixed soon.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.", "edition": 14, "published": "2016-01-11T00:00:00", "title": "Debian DLA-382-1 : sudo security update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-5602"], "modified": "2016-01-11T00:00:00", "cpe": ["cpe:/o:debian:debian_linux:6.0", "p-cpe:/a:debian:debian_linux:sudo-ldap", "p-cpe:/a:debian:debian_linux:sudo"], "id": "DEBIAN_DLA-382.NASL", "href": "https://www.tenable.com/plugins/nessus/87826", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-382-1. The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(87826);\n script_version(\"2.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2015-5602\");\n\n script_name(english:\"Debian DLA-382-1 : sudo security update\");\n script_summary(english:\"Checks dpkg output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"When sudo is configured to allow a user to edit files under a\ndirectory that they can already write to without using sudo, they can\nactually edit (read and write) arbitrary files. 
Daniel Svartman\nreported that a configuration like this might be introduced\nunintentionally if the editable files are specified using wildcards,\nfor example :\n\noperator ALL=(root) sudoedit /home/*/*/test.txt\n\nThe default behaviour of sudo has been changed so that it does not\nallow editing of a file in a directory that the user can write to, or\nthat is reached by following a symlink in a directory that the user\ncan write to. These restrictions can be disabled, but this is strongly\ndiscouraged.\n\nFor the oldoldstable distribution (squeeze), this has been fixed in\nversion 1.7.4p4-2.squeeze.6.\n\nFor the oldstable distribution (wheezy) and the stable distribution\n(jessie), this will be fixed soon.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.debian.org/debian-lts-announce/2016/01/msg00005.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/squeeze-lts/sudo\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Upgrade the affected sudo, and sudo-ldap packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:sudo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:sudo-ldap\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:6.0\");\n\n 
script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/01/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/01/11\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"6.0\", prefix:\"sudo\", reference:\"1.7.4p4-2.squeeze.6\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"sudo-ldap\", reference:\"1.7.4p4-2.squeeze.6\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-06T10:48:33", "description": "MITRE reports :\n\nsudoedit in Sudo before 1.8.15 allows local users to gain privileges\nvia a symlink attack on a file whose full path is defined using\nmultiple wildcards in /etc/sudoers, as demonstrated by\n'/home/*/*/file.txt.'", "edition": 26, "published": "2016-01-26T00:00:00", "title": "FreeBSD : sudo -- potential privilege escalation via symlink misconfiguration (2e8cdd36-c3cc-11e5-b5fe-002590263bf5)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-5602"], "modified": "2016-01-26T00:00:00", "cpe": ["p-cpe:/a:freebsd:freebsd:sudo", "cpe:/o:freebsd:freebsd"], "id": 
"FREEBSD_PKG_2E8CDD36C3CC11E5B5FE002590263BF5.NASL", "href": "https://www.tenable.com/plugins/nessus/88149", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2018 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(88149);\n script_version(\"2.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2015-5602\");\n script_xref(name:\"EDB-ID\", value:\"37710\");\n\n script_name(english:\"FreeBSD : sudo -- potential privilege escalation via symlink misconfiguration (2e8cdd36-c3cc-11e5-b5fe-002590263bf5)\");\n script_summary(english:\"Checks for updated package in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote FreeBSD host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"MITRE reports :\n\nsudoedit in Sudo before 1.8.15 allows local users to gain privileges\nvia a symlink attack on a file whose full path is defined using\nmultiple wildcards in /etc/sudoers, as demonstrated by\n'/home/*/*/file.txt.'\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=206590\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.sudo.ws/show_bug.cgi?id=707\"\n );\n # http://www.sudo.ws/stable.html#1.8.15\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.sudo.ws/stable.html#1.8.15\"\n );\n # https://vuxml.freebsd.org/freebsd/2e8cdd36-c3cc-11e5-b5fe-002590263bf5.html\n script_set_attribute(\n 
attribute:\"see_also\",\n value:\"http://www.nessus.org/u?f977ad12\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:sudo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/11/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/01/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/01/26\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"sudo<1.8.15\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-12T10:13:31", "description": "sudo-1.8.15-1.fc21 - update to 1.8.15 - fixes CVE-2015-5602\nsudo-1.8.15-1.fc22 - update to 1.8.15 - fixes CVE-2015-5602\nsudo-1.8.15-1.fc23 - update to 1.8.15 - fixes CVE-2015-5602\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 17, "published": "2016-03-04T00:00:00", "title": "Fedora 23 : sudo-1.8.15-1.fc23 (2015-386863df8a)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-5602"], "modified": "2016-03-04T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:sudo", "cpe:/o:fedoraproject:fedora:23"], "id": "FEDORA_2015-386863DF8A.NASL", "href": "https://www.tenable.com/plugins/nessus/89210", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2015-386863df8a.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(89210);\n script_version(\"2.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2015-5602\");\n script_xref(name:\"FEDORA\", value:\"2015-386863df8a\");\n\n script_name(english:\"Fedora 23 : sudo-1.8.15-1.fc23 (2015-386863df8a)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"sudo-1.8.15-1.fc21 - update to 1.8.15 - fixes CVE-2015-5602\nsudo-1.8.15-1.fc22 - update to 1.8.15 - fixes CVE-2015-5602\nsudo-1.8.15-1.fc23 - update to 1.8.15 - fixes CVE-2015-5602\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1277426\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2015-November/171024.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?b1137429\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected sudo package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:sudo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:23\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/11/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/03/04\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^23([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 23.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC23\", reference:\"sudo-1.8.15-1.fc23\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"sudo\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-12T10:13:45", "description": "sudo-1.8.15-1.fc21 - update to 1.8.15 - fixes CVE-2015-5602\nsudo-1.8.15-1.fc22 - update to 1.8.15 - fixes CVE-2015-5602\nsudo-1.8.15-1.fc23 - update to 1.8.15 - fixes CVE-2015-5602\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 17, "published": "2016-03-04T00:00:00", "title": "Fedora 22 : sudo-1.8.15-1.fc22 (2015-6a267387c0)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-5602"], "modified": "2016-03-04T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:sudo", "cpe:/o:fedoraproject:fedora:22"], "id": "FEDORA_2015-6A267387C0.NASL", "href": "https://www.tenable.com/plugins/nessus/89266", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2015-6a267387c0.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(89266);\n script_version(\"2.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2015-5602\");\n script_xref(name:\"FEDORA\", value:\"2015-6a267387c0\");\n\n script_name(english:\"Fedora 22 : sudo-1.8.15-1.fc22 (2015-6a267387c0)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"sudo-1.8.15-1.fc21 - update to 1.8.15 - fixes CVE-2015-5602\nsudo-1.8.15-1.fc22 - update to 1.8.15 - fixes CVE-2015-5602\nsudo-1.8.15-1.fc23 - update to 1.8.15 - fixes CVE-2015-5602\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1277426\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2015-November/171054.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?0e067bdd\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected sudo package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:sudo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:22\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/11/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/03/04\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^22([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 22.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC22\", reference:\"sudo-1.8.15-1.fc22\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"sudo\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-12T11:05:10", "description": "The remote host is affected by the vulnerability described in GLSA-201606-13\n(sudo: Unauthorized privilege escalation in sudoedit)\n\n sudoedit in sudo is vulnerable to the escalation of privileges by local\n users via a symlink attack. 
This can be exploited by a file whose full\n path is defined using multiple wildcards in “/etc/sudoers”, as\n demonstrated by “/home/*/*/file.txt”.\n \nImpact :\n\n Local users are able to gain unauthorized privileges on the system.\n \nWorkaround :\n\n There is no known work around at this time.", "edition": 24, "published": "2016-06-27T00:00:00", "title": "GLSA-201606-13 : sudo: Unauthorized privilege escalation in sudoedit", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-5602"], "modified": "2016-06-27T00:00:00", "cpe": ["cpe:/o:gentoo:linux", "p-cpe:/a:gentoo:linux:sudo"], "id": "GENTOO_GLSA-201606-13.NASL", "href": "https://www.tenable.com/plugins/nessus/91844", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 201606-13.\n#\n# The advisory text is Copyright (C) 2001-2017 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. 
See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(91844);\n script_version(\"2.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2015-5602\");\n script_xref(name:\"GLSA\", value:\"201606-13\");\n\n script_name(english:\"GLSA-201606-13 : sudo: Unauthorized privilege escalation in sudoedit\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote host is affected by the vulnerability described in GLSA-201606-13\n(sudo: Unauthorized privilege escalation in sudoedit)\n\n sudoedit in sudo is vulnerable to the escalation of privileges by local\n users via a symlink attack. This can be exploited by a file whose full\n path is defined using multiple wildcards in “/etc/sudoers”, as\n demonstrated by “/home/*/*/file.txt”.\n \nImpact :\n\n Local users are able to gain unauthorized privileges on the system.\n \nWorkaround :\n\n There is no known work around at this time.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/201606-13\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"All sudo users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=app-admin/sudo-1.8.15-r1'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:sudo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/06/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/06/27\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"app-admin/sudo\", unaffected:make_list(\"ge 1.8.15-r1\"), vulnerable:make_list(\"lt 1.8.15-r1\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"sudo\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}]}