sudo -- Potential bypass of Runas user restrictions
Todd C. Miller reports: When sudo is configured to allow a user to run commands as an arbitrary user via the ALL keyword in a Runas specification, it is possible to run commands as root by specifying the user ID -1 or 4294967295. This can be used by a user with sufficient sudo privileges to run...
Amazon Linux 2 : sudo (ALAS-2019-1315)
When sudo is configured to allow a user to run commands as an arbitrary user via the ALL keyword in a Runas specification, it is possible to run commands as root by specifying the user ID -1 or 4294967295. This can be used by a user with sufficient sudo privileges to run commands as root even if...
Slackware 14.0 / 14.1 / 14.2 / current : sudo (SSA:2019-287-01)
New sudo packages are available for Slackware 14.0, 14.1, 14.2, and -current to fix a security issue. (C) Tenable Network Security, Inc. The descriptive text and package checks in this plugin were extracted from Slackware Security Advisory 2019-287-01. The text itself is copyright (C) Slackware Linux...
Amazon Linux AMI : sudo (ALAS-2019-1309)
When sudo is configured to allow a user to run commands as an arbitrary user via the ALL keyword in a Runas specification, it is possible to run commands as root by specifying the user ID -1 or 4294967295. This can be used by a user with sufficient sudo privileges to run commands as root even if...
openSUSE Security Update : sudo (openSUSE-2019-2316)
This update for sudo fixes the following issue: - CVE-2019-14287: Fixed an issue where a user with sudo privileges that allowed them to run commands with an arbitrary uid, could run commands as root, despite being forbidden to do so in sudoers (bsc#1153674). This update was imported from the...
Ubuntu: Security Advisory (USN-4154-1)
The remote host is missing an update for the SPDX-FileCopyrightText: 2019 Greenbone AG Some text descriptions might be excerpted from a referenced source, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...
Debian DSA-4543-1 : sudo - security update
Joe Vennix discovered that sudo, a program designed to provide limited super user privileges to specific users, when configured to allow a user to run commands as an arbitrary user via the ALL keyword in a Runas specification, allows running commands as root by specifying the user ID -1 or...
SUSE SLED15 / SLES15 Security Update : sudo (SUSE-SU-2019:2656-1)
This update for sudo fixes the following issue: CVE-2019-14287: Fixed an issue where a user with sudo privileges that allowed them to run commands with an arbitrary uid, could run commands as root, despite being forbidden to do so in sudoers (bsc#1153674). Note that Tenable Network Security has...
Debian: Security Advisory (DSA-4543-1)
The remote host is missing an update for the Debian SPDX-FileCopyrightText: 2019 Greenbone AG Some text descriptions might be excerpted from a referenced source, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...
Ubuntu 16.04 LTS / 18.04 LTS : Sudo vulnerability (USN-4154-1)
The remote Ubuntu 16.04 LTS / 18.04 LTS host has packages installed that are affected by a vulnerability as referenced in the USN-4154-1 advisory. Joe Vennix discovered that Sudo incorrectly handled certain user IDs. An attacker could potentially exploit this to execute arbitrary commands as the...
sudo security update
1.8.25-4.0.1.el8.1 - Treat an ID of -1 as invalid since that means 'no change' (Orabug: 30421281) (CVE-2019-14287) - Add sudo_strtoid tests for -1 and range errors. (Orabug: 30421281)...
[slackware-security] sudo
New sudo packages are available for Slackware 14.0, 14.1, 14.2, and -current to fix a security issue. Here are the details from the Slackware 14.2 ChangeLog: patches/packages/sudo-1.8.28-i586-1slack14.2.txz: Upgraded. Fixed a bug where an sudo user may be able to run a command as root when the...
CVE-2019-14287
A flaw was found in the way sudo implemented running commands with arbitrary user ID. If a sudoers entry is written to allow the attacker to run a command as any user except root, this flaw can be used by the attacker to bypass that restriction. Mitigation This vulnerability only affects...
[SECURITY] [DSA 4543-1] sudo security update
Debian Security Advisory DSA-4543-1 [email protected] https://www.debian.org/security/ Salvatore Bonaccorso October 14, 2019 https://www.debian.org/security/faq -...
Sudo Flaw Lets Linux Users Run Commands As Root Even When They're Restricted
Attention Linux Users! A new vulnerability has been discovered in Sudo—one of the most important, powerful, and commonly used utilities that comes as a core command installed on almost every UNIX and Linux-based operating system. The vulnerability in question is a sudo security policy bypass iss...
Sudo Flaw Lets Linux Users Run Commands As Root Even When They're Restricted
Attention Linux Users! A new vulnerability has been discovered in Sudo—one of the most important, powerful, and commonly used utilities that comes as a core command installed on almost every UNIX and Linux-based operating system. The vulnerability in question is a sudo security policy bypass issu...
SUSE-SU-2019:2656-1 Security update for sudo
This update for sudo fixes the following issue: - CVE-2019-14287: Fixed an issue where a user with sudo privileges that allowed them to run commands with an arbitrary uid, could run commands as root, despite being forbidden to do so in sudoers (bsc#1153674)...
CVE-2019-14287
In Sudo before 1.8.28, an attacker with access to a Runas ALL sudoer account can bypass certain policy blacklists and session PAM modules, and can cause incorrect logging, by invoking sudo with a crafted user ID. For example, this allows bypass of !root configuration, and USER= logging, for a "su...
UBUNTU-CVE-2019-14287
In Sudo before 1.8.28, an attacker with access to a Runas ALL sudoer account can bypass certain policy blacklists and session PAM modules, and can cause incorrect logging, by invoking sudo with a crafted user ID. For example, this allows bypass of !root configuration, and USER= logging, for a "su...