huntr report 704AACC9-EDFF-4DA5-90A6-4ADF8DBF36FE by redstarp2
Jul 22, 2022 - 6:42 p.m.

Privilege Escalation admin user to root user

2022-07-22 18:42:50
redstarp2
www.huntr.dev

7.2 High (CVSS3)
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: HIGH
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

5.8 Medium (CVSS2)
Access Vector: NETWORK
Access Complexity: LOW
Authentication: MULTIPLE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
AV:N/AC:L/Au:M/C:P/I:P/A:P

EPSS: 0.001 Low
Percentile: 33.7%

Description

The “admin” user has sudo rights and can gain root access.
By default, the sudo installation gives the “admin” group full root rights. The “admin” user is created by the Hestia installation, and this user is also a member of the “admin” group.
If an attacker gains access to the “admin” user, they can gain root access.

Proof of Concept

root@server:/home/t# sudo -u admin sudo -l
Matching Defaults entries for admin on server:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty, env_keep=VESTA, env_keep+=HESTIA, !syslog, !requiretty

User admin may run the following commands on server:
    (ALL) ALL
    (root) NOPASSWD: /usr/local/vesta/bin/*
    (root) NOPASSWD: /usr/local/hestia/bin/*

The admin user can run any command as root through the (ALL) ALL entry.

Fix

Using visudo, change the line %admin ALL=(ALL) ALL in the “/etc/sudoers” file to # %admin ALL=(ALL) ALL (i.e. comment it out).
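The following audit script is an added example and is not part of the huntr report or of Hestia itself. It detects the blanket %admin ALL=(ALL) ALL grant described above in sudoers content, writes a copy with only that rule commented out (the fix the report gives), and leaves narrower per-command rules such as the NOPASSWD entries for /usr/local/hestia/bin/* untouched so they can be reviewed separately. It assumes only POSIX sh, grep -E and sed -E; the sudoers content it runs against is constructed for the example, and the visudo syntax check is optional and skipped when visudo is not installed.

```shell
#!/bin/sh
# Added audit script, not part of the huntr report. It checks sudoers content for
# the blanket "%admin ALL=(ALL) ALL" grant the report describes, writes a copy with
# that one rule commented out (the report's fix), and leaves per-command rules alone.
# Assumes only POSIX sh, grep -E and sed -E; visudo is used for a syntax check when present.

# Sample sudoers content, constructed for this example. The %admin line mirrors the
# default rule the report names; the last line stands in for the narrower NOPASSWD
# entries seen in the report's "sudo -l" output.
SAMPLE_SUDOERS='Defaults env_reset
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
root ALL=(ALL:ALL) ALL
%admin ALL=(ALL) ALL
%sudo ALL=(ALL:ALL) ALL
admin ALL=(root) NOPASSWD: /usr/local/hestia/bin/*
'

# Pattern for an uncommented %admin rule granting ALL=(ALL) ALL or ALL=(ALL:ALL) ALL.
ADMIN_FULL_ROOT_RE='^[[:space:]]*%admin[[:space:]]+ALL[[:space:]]*=[[:space:]]*\(ALL(:ALL)?\)[[:space:]]+ALL[[:space:]]*$'

# admin_group_has_full_root FILE...  -> exit 0 if any FILE contains the rule, 1 otherwise.
# On a live host (as root) point it at /etc/sudoers /etc/sudoers.d/*.
admin_group_has_full_root() {
    for f in "$@"; do
        [ -f "$f" ] || continue
        if grep -Eq "$ADMIN_FULL_ROOT_RE" "$f"; then
            echo "FINDING: $f grants the admin group unrestricted root" >&2
            return 0
        fi
    done
    return 1
}

# comment_out_admin_rule SRC DST -> copy SRC to DST with only the %admin rule commented out.
comment_out_admin_rule() {
    sed -E 's/^([[:space:]]*)(%admin[[:space:]]+ALL[[:space:]]*=[[:space:]]*\(ALL(:ALL)?\)[[:space:]]+ALL[[:space:]]*)$/\1# \2/' "$1" > "$2"
}

# sudoers_syntax_ok FILE -> 0 if visudo accepts FILE; returns 0 with a note when visudo is absent.
sudoers_syntax_ok() {
    if command -v visudo >/dev/null 2>&1; then
        visudo -c -q -f "$1"
    else
        echo "visudo not found, skipping syntax check of $1" >&2
        return 0
    fi
}

# Demonstration on the constructed sample: audit, fix a copy, re-audit, show the diff.
audit_demo() {
    workdir=$(mktemp -d) || return 1
    printf '%s' "$SAMPLE_SUDOERS" > "$workdir/sudoers.before"
    if admin_group_has_full_root "$workdir/sudoers.before"; then
        comment_out_admin_rule "$workdir/sudoers.before" "$workdir/sudoers.after"
        if sudoers_syntax_ok "$workdir/sudoers.after"; then
            echo "fixed copy written; syntax check passed or skipped"
        else
            echo "fixed copy failed the visudo check, do not install it" >&2
        fi
        admin_group_has_full_root "$workdir/sudoers.after" || echo "after fix: no blanket %admin grant remains"
        diff "$workdir/sudoers.before" "$workdir/sudoers.after" || true
    fi
    rm -rf "$workdir"
}

audit_demo
```

The script only ever writes a copy; installing the corrected file still goes through visudo, as the fix above says, so that a syntax error cannot lock everyone out of sudo. The remaining NOPASSWD entries are deliberately left in place because they are a separate decision from the blanket group grant.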

