Gentoo Foundation GLSA-201406-30
History: Jun 27, 2014 - 12:00 a.m.

sudo: Privilege escalation

2014-06-27 00:00:00
Gentoo Foundation
security.gentoo.org

CVSS2: 6.6 Medium
  Access Vector:          LOCAL
  Access Complexity:      MEDIUM
  Authentication:         SINGLE
  Confidentiality Impact: COMPLETE
  Integrity Impact:       COMPLETE
  Availability Impact:    COMPLETE
  Vector: AV:L/AC:M/Au:S/C:C/I:C/A:C

EPSS: 0.0004 Low (Percentile 5.3%)

Background

sudo allows a system administrator to give users the ability to run commands as other users. Access to commands may also be granted on a range of hosts.

Description

When the Sudo env_reset option is disabled (it is enabled by default), certain environment variables are not blacklisted as expected.

Impact

A local attacker, authorized to run commands using sudo, can use this flaw to execute arbitrary code or escalate their privileges.

Workaround

There is no known workaround at this time.

Resolution

All sudo users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=app-admin/sudo-1.8.5"
Affected packages:

  OS      Version  Architecture  Package         Version  Filename
  Gentoo  any      all           app-admin/sudo  < 1.8.5  UNKNOWN
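The two conditions the advisory describes (sudo older than 1.8.5 and env_reset disabled in sudoers) can be checked together. The following audit helper is an added example, not part of the GLSA; the sudoers text and version strings it is run against here are constructed samples, and it only inspects the text it is given (files pulled in via #include or /etc/sudoers.d must be passed in as well).

```shell
#!/bin/sh
# Added audit helper (not part of the GLSA): reports whether a host is still
# exposed to GLSA-201406-30, i.e. sudo < 1.8.5 with env_reset switched off.

# Returns 0 when the dotted version in $1 (e.g. 1.8.3, 1.7.10p7, 1.8.5_p2)
# is older than 1.8.5. Non-numeric suffixes are ignored and missing
# components count as 0.
ver_lt_185() {
    v=$(printf '%s' "$1" | sed 's/[^0-9.].*//')
    set -- $(printf '%s' "$v" | tr '.' ' ') 0 0 0
    [ "$1" -lt 1 ] && return 0
    [ "$1" -gt 1 ] && return 1
    [ "$2" -lt 8 ] && return 0
    [ "$2" -gt 8 ] && return 1
    [ "$3" -lt 5 ]
}

# Returns 0 when the sudoers text in $1 contains an uncommented Defaults
# entry that disables env_reset, e.g. "Defaults !env_reset" or
# "Defaults:alice  !env_reset, log_host".
env_reset_disabled() {
    printf '%s\n' "$1" | sed 's/#.*//' |
        grep -Eq '^[[:space:]]*Defaults[^[:space:]]*([[:space:],].*)?[[:space:],]!env_reset([[:space:],]|$)'
}

# Returns 0 when both conditions hold: vulnerable version AND env_reset off.
# $1 = installed sudo version, $2 = sudoers text.
glsa_201406_30_exposed() {
    ver_lt_185 "$1" && env_reset_disabled "$2"
}

# Constructed sample sudoers, not taken from any real host.
SAMPLE_SUDOERS='# constructed sample configuration
Defaults        env_keep += "EDITOR"
Defaults        !env_reset, log_host
alice ALL=(ALL) /usr/bin/less
'

# On a live Gentoo host (as root) the same check would be:
#   glsa_201406_30_exposed "$(sudo -V | sed -n 's/^Sudo version //p')" \
#                          "$(cat /etc/sudoers)"
if glsa_201406_30_exposed "1.8.3" "$SAMPLE_SUDOERS"; then
    echo "exposed: sudo < 1.8.5 with env_reset disabled; upgrade per the Resolution"
else
    echo "not exposed"
fi
```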
