Alibaba Cloud Linux 3 : 0113: sudo (ALINUX3-SA-2022:0113)

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The package checks in this plugin were extracted from
# Alibaba Cloud Linux Security Advisory ALINUX3-SA-2022:0113.
##

include('compat.inc');

if (description)
{
  script_id(236710);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2025/05/14");

  script_cve_id(
    "CVE-2019-14287",
    "CVE-2019-18634",
    "CVE-2019-19232",
    "CVE-2021-3156",
    "CVE-2021-23239",
    "CVE-2021-23240"
  );
  script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2022/04/27");

  script_name(english:"Alibaba Cloud Linux 3 : 0113: sudo (ALINUX3-SA-2022:0113)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Alibaba Cloud Linux host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The remote Alibaba Cloud Linux 3 host has packages installed that are affected by multiple vulnerabilities as referenced
in the ALINUX3-SA-2022:0113 advisory.

    Package updates are available for Alibaba Cloud Linux 3 that fix the following vulnerabilities:

    CVE-2019-14287:
    In Sudo before 1.8.28, an attacker with access to a Runas ALL sudoer account can bypass certain policy
    blacklists and session PAM modules, and can cause incorrect logging, by invoking sudo with a crafted user
    ID. For example, this allows bypass of !root configuration, and USER= logging, for a sudo -u
    \#$((0xffffffff)) command.

    CVE-2019-18634:
    In Sudo before 1.8.26, if pwfeedback is enabled in /etc/sudoers, users can trigger a stack-based buffer
    overflow in the privileged sudo process. (pwfeedback is a default setting in Linux Mint and elementary OS;
    however, it is NOT the default for upstream and many other packages, and would exist only if enabled by an
    administrator.) The attacker needs to deliver a long string to the stdin of getln() in tgetpass.c.

    CVE-2019-19232:
    ** DISPUTED ** In Sudo through 1.8.29, an attacker with access to a Runas ALL sudoer account can
    impersonate a nonexistent user by invoking sudo with a numeric uid that is not associated with any user.
    NOTE: The software maintainer believes that this is not a vulnerability because running a command via sudo
    as a user not present in the local password database is an intentional feature. Because this behavior
    surprised some users, sudo 1.8.30 introduced an option to enable/disable this behavior with the default
    being disabled. However, this does not change the fact that sudo was behaving as intended, and as
    documented, in earlier versions.

    CVE-2021-23239:
    The sudoedit personality of Sudo before 1.9.5 may allow a local unprivileged user to perform arbitrary
    directory-existence tests by winning a sudo_edit.c race condition in replacing a user-controlled directory
    by a symlink to an arbitrary path.

    CVE-2021-23240:
    selinux_edit_copy_tfiles in sudoedit in Sudo before 1.9.5 allows a local unprivileged user to gain file
    ownership and escalate privileges by replacing a temporary file with a symlink to an arbitrary file
    target. This affects SELinux RBAC support in permissive mode. Machines without SELinux are not vulnerable.

    CVE-2021-3156:
    Sudo before 1.9.5p2 contains an off-by-one error that can result in a heap-based buffer overflow, which
    allows privilege escalation to root via sudoedit -s and a command-line argument that ends with a single
    backslash character.

Tenable has extracted the preceding description block directly from the Alibaba Cloud Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"http://mirrors.aliyun.com/alinux/3/cve/alinux3-sa-20220113.xml");
  script_set_attribute(attribute:"solution", value:
"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
  script_set_attribute(attribute:"cvss4_vector", value:"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N");
  script_set_attribute(attribute:"cvss4_threat_vector", value:"CVSS:4.0/E:A");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-14287");
  script_set_attribute(attribute:"cvss4_score_source", value:"CVE-2021-23240");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2019/10/11");
  script_set_attribute(attribute:"patch_publication_date", value:"2021/06/01");
  script_set_attribute(attribute:"plugin_publication_date", value:"2025/05/14");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:sudo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:sudo-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:sudo-debugsource");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:sudo-devel");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:alibabacloud:alibaba_cloud_linux_3");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Alibaba Cloud Linux Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2025 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Alibaba/release", "Host/Alibaba/rpm-list", "Host/cpu");

  exit(0);
}


include('rpm.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/Alibaba/release');
if (isnull(os_release) || 'Alibaba Cloud Linux' >!< os_release) audit(AUDIT_OS_NOT, 'Alibaba Cloud Linux');
var os_ver = pregmatch(pattern: "Alibaba Cloud Linux release ([0-9]+(\.[0-9]+)?)", string:os_release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Alibaba Cloud Linux');
os_ver = os_ver[1];
if (! preg(pattern:"^3([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, 'Alibaba Cloud Linux 3.x', 'Alibaba Cloud Linux ' + os_ver);

if (!get_kb_item('Host/Alibaba/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('aarch64' >!< cpu && 'x86_64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Alibaba Cloud Linux', cpu);

var pkgs = [
    {'reference':'sudo-1.8.29-7.1.al8', 'cpu':'aarch64', 'release':'3', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
    {'reference':'sudo-1.8.29-7.1.al8', 'cpu':'x86_64', 'release':'3', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
    {'reference':'sudo-debuginfo-1.8.29-7.1.al8', 'cpu':'aarch64', 'release':'3', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
    {'reference':'sudo-debuginfo-1.8.29-7.1.al8', 'cpu':'x86_64', 'release':'3', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
    {'reference':'sudo-debugsource-1.8.29-7.1.al8', 'cpu':'aarch64', 'release':'3', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
    {'reference':'sudo-debugsource-1.8.29-7.1.al8', 'cpu':'x86_64', 'release':'3', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
    {'reference':'sudo-devel-1.8.29-7.1.al8', 'cpu':'aarch64', 'release':'3', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
    {'reference':'sudo-devel-1.8.29-7.1.al8', 'cpu':'x86_64', 'release':'3', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'}
];

var flag = 0;
foreach var package_array ( pkgs ) {
  var reference = NULL;
  var _release = NULL;
  var sp = NULL;
  var _cpu = NULL;
  var el_string = NULL;
  var rpm_spec_vers_cmp = NULL;
  var epoch = NULL;
  var allowmaj = NULL;
  var exists_check = NULL;
  var cves = NULL;
  if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
  if (!empty_or_null(package_array['release'])) _release = 'Alibaba Linux ' + package_array['release'];
  if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];
  if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];
  if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];
  if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];
  if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];
  if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];
  if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];
  if (!empty_or_null(package_array['cves'])) cves = package_array['cves'];
  if (reference && _release && (!exists_check || rpm_exists(release:_release, rpm:exists_check))) {
    if (rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
  }
}

if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'sudo / sudo-debuginfo / sudo-debugsource / sudo-devel');
}