REDHAT_UNPATCHED-SUDO-RHEL5.NASL (Nessus plugin)

RHEL 5 : sudo (Unpatched Vulnerability)

Published: May 11, 2024 - 12:00 a.m.
This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.
Source: www.tenable.com

Tags: rhel 5, sudo, unpatched, vulnerabilities, wordexp, selinux, symbolic link attack, information disclosure, impersonate user, directory-existence tests

AI Score: 7.3 High (Confidence: Low)
EPSS: 0.008 Low (Percentile: 81.2%)

The remote Red Hat Enterprise Linux 5 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched.

  • sudo: noexec bypass via wordexp() (CVE-2016-7076)

  • sudo: symbolic link attack in SELinux-enabled sudoedit (CVE-2021-23240)

  • sudo_noexec.so in Sudo before 1.8.15 on Linux might allow local users to bypass intended noexec command restrictions via an application that calls the (1) system or (2) popen function. (CVE-2016-7032)

  • sudo: It was discovered that the default sudo configuration on Red Hat Enterprise Linux and possibly other Linux implementations preserves the value of INPUTRC which could lead to information disclosure. A local user with sudo access to a restricted program that uses readline could use this flaw to read content from specially formatted files with elevated privileges provided by sudo. (CVE-2016-7091)

  • In Sudo through 1.8.29, an attacker with access to a Runas ALL sudoer account can impersonate a nonexistent user by invoking sudo with a numeric uid that is not associated with any user. NOTE: The software maintainer believes that this is not a vulnerability because running a command via sudo as a user not present in the local password database is an intentional feature. Because this behavior surprised some users, sudo 1.8.30 introduced an option to enable/disable this behavior with the default being disabled. However, this does not change the fact that sudo was behaving as intended, and as documented, in earlier versions (CVE-2019-19232)

  • In Sudo through 1.8.29, the fact that a user has been blocked (e.g., by using the ! character in the shadow file instead of a password hash) is not considered, allowing an attacker (who has access to a Runas ALL sudoer account) to impersonate any blocked user. NOTE: The software maintainer believes that this CVE is not valid. Disabling local password authentication for a user is not the same as disabling all access to that user–the user may still be able to login via other means (ssh key, kerberos, etc). Both the Linux shadow(5) and passwd(1) manuals are clear on this. Indeed it is a valid use case to have local accounts that are only accessible via sudo and that cannot be logged into with a password. Sudo 1.8.30 added an optional setting to check the shell of the target user (not the encrypted password!) against the contents of /etc/shells but that is not the same thing as preventing access to users with an invalid password hash (CVE-2019-19234)

  • The sudoedit personality of Sudo before 1.9.5 may allow a local unprivileged user to perform arbitrary directory-existence tests by winning a sudo_edit.c race condition in replacing a user-controlled directory by a symlink to an arbitrary path. (CVE-2021-23239)

Note that Nessus has not tested for these issues but has instead relied on the package manager’s report that the package is installed.

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Red Hat Security Advisory sudo. The text
# itself is copyright (C) Red Hat, Inc.
##

include('compat.inc');

if (description)
{
  script_id(195537);
  script_version("1.0");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/05/11");

  script_cve_id(
    "CVE-2016-7032",
    "CVE-2016-7076",
    "CVE-2016-7091",
    "CVE-2019-19232",
    "CVE-2019-19234",
    "CVE-2021-23239",
    "CVE-2021-23240"
  );
  script_xref(name:"IAVA", value:"2021-A-0053");

  script_name(english:"RHEL 5 : sudo (Unpatched Vulnerability)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Red Hat 5 host is affected by multiple vulnerabilities that will not be patched.");
  script_set_attribute(attribute:"description", value:
"The remote Redhat Enterprise Linux 5 host has one or more packages installed that are affected by multiple
vulnerabilities that have been acknowledged by the vendor but will not be patched.

  - sudo: noexec bypass via wordexp() (CVE-2016-7076)

  - sudo: symbolic link attack in SELinux-enabled sudoedit (CVE-2021-23240)

  - sudo_noexec.so in Sudo before 1.8.15 on Linux might allow local users to bypass intended noexec command
    restrictions via an application that calls the (1) system or (2) popen function. (CVE-2016-7032)

  - sudo: It was discovered that the default sudo configuration on Red Hat Enterprise Linux and possibly other
    Linux implementations preserves the value of INPUTRC which could lead to information disclosure. A local
    user with sudo access to a restricted program that uses readline could use this flaw to read content from
    specially formatted files with elevated privileges provided by sudo. (CVE-2016-7091)

  - In Sudo through 1.8.29, an attacker with access to a Runas ALL sudoer account can impersonate a
    nonexistent user by invoking sudo with a numeric uid that is not associated with any user. NOTE: The
    software maintainer believes that this is not a vulnerability because running a command via sudo as a user
    not present in the local password database is an intentional feature. Because this behavior surprised some
    users, sudo 1.8.30 introduced an option to enable/disable this behavior with the default being disabled.
    However, this does not change the fact that sudo was behaving as intended, and as documented, in earlier
    versions (CVE-2019-19232)

  - In Sudo through 1.8.29, the fact that a user has been blocked (e.g., by using the ! character in the
    shadow file instead of a password hash) is not considered, allowing an attacker (who has access to a Runas
    ALL sudoer account) to impersonate any blocked user. NOTE: The software maintainer believes that this CVE
    is not valid. Disabling local password authentication for a user is not the same as disabling all access
    to that user--the user may still be able to login via other means (ssh key, kerberos, etc). Both the Linux
    shadow(5) and passwd(1) manuals are clear on this. Indeed it is a valid use case to have local accounts
    that are _only_ accessible via sudo and that cannot be logged into with a password. Sudo 1.8.30 added an
    optional setting to check the _shell_ of the target user (not the encrypted password!) against the
    contents of /etc/shells but that is not the same thing as preventing access to users with an invalid
    password hash (CVE-2019-19234)

  - The sudoedit personality of Sudo before 1.9.5 may allow a local unprivileged user to perform arbitrary
    directory-existence tests by winning a sudo_edit.c race condition in replacing a user-controlled directory
    by a symlink to an arbitrary path. (CVE-2021-23239)

Note that Nessus has not tested for these issues but has instead relied on the package manager's report that the package
is installed.");
  script_set_attribute(attribute:"solution", value:
"The vendor has acknowledged the vulnerabilities but no solution has been provided. Refer to the vendor for remediation
guidance.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-7076");
  script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2021-23240");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"vendor_unpatched", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/08/24");
  script_set_attribute(attribute:"plugin_publication_date", value:"2024/05/11");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:5");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:6");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:compat-readline43");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:compat-readline5");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:readline");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:sudo");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Red Hat Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl", "redhat_repos.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");

  exit(0);
}


include('rpm.inc');
include('rhel.inc');

if (!get_kb_item("global_settings/vendor_unpatched"))
  exit(0, "Unpatched Vulnerabilities Detection not active.");

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/RedHat/release');
if (isnull(os_release) || 'Red Hat' >!< os_release) audit(AUDIT_OS_NOT, 'Red Hat');
var os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:os_release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');
os_ver = os_ver[1];
if (!rhel_check_release(operator: 'ge', os_version: os_ver, rhel_version: '5')) audit(AUDIT_OS_NOT, 'Red Hat 5.x', 'Red Hat ' + os_ver);

if (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu && 'ppc' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);

var constraints = [
  {
    'pkgs': [
      {'reference':'compat-readline43', 'release':'5', 'rpm_spec_vers_cmp':TRUE, 'unpatched_pkg':'compat-readline43', 'cves':['CVE-2016-7091']},
      {'reference':'readline', 'release':'5', 'rpm_spec_vers_cmp':TRUE, 'unpatched_pkg':'readline', 'cves':['CVE-2016-7091']},
      {'reference':'sudo', 'release':'5', 'rpm_spec_vers_cmp':TRUE, 'unpatched_pkg':'sudo'}
    ]
  }
];


var flag = 0;
foreach var constraint_array ( constraints ) {
  var repo_relative_urls = NULL;
  var enterprise_linux_flag = rhel_repo_urls_has_content_dist_rhel(repo_urls:repo_relative_urls);
  foreach var pkg ( constraint_array['pkgs'] ) {
    var unpatched_pkg = NULL;
    var _release = NULL;
    var sp = NULL;
    var el_string = NULL;
    var rpm_spec_vers_cmp = NULL;
    var exists_check = NULL;
    var cves = NULL;
    if (!empty_or_null(pkg['unpatched_pkg'])) unpatched_pkg = pkg['unpatched_pkg'];
    if (!empty_or_null(pkg['release'])) _release = 'RHEL' + pkg['release'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (unpatched_pkg &&
        _release &&
        (!exists_check || rpm_exists(release:_release, rpm:exists_check)) &&
        unpatched_package_exists(release:_release, package:unpatched_pkg, cves: cves)) flag++;
  }
}

if (flag)
{
  var extra = NULL;
  security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : unpatched_packages_report()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'compat-readline43 / readline / sudo');
}
Vendor   Product           Version            CPE
redhat   enterprise_linux  5                  cpe:/o:redhat:enterprise_linux:5
redhat   enterprise_linux  6                  cpe:/o:redhat:enterprise_linux:6
redhat   enterprise_linux  7                  cpe:/o:redhat:enterprise_linux:7
redhat   enterprise_linux  compat-readline43  p-cpe:/a:redhat:enterprise_linux:compat-readline43
redhat   enterprise_linux  compat-readline5   p-cpe:/a:redhat:enterprise_linux:compat-readline5
redhat   enterprise_linux  readline           p-cpe:/a:redhat:enterprise_linux:readline
redhat   enterprise_linux  sudo               p-cpe:/a:redhat:enterprise_linux:sudo