====================================================================
CERT-Renater Note d'Information No. 2019/VULN315
_____________________________________________________________________
DATE : 15/10/2019
HARDWARE PLATFORM(S): /
OPERATING SYSTEM(S): Systems running Sudo versions prior to 1.8.28.
=====================================================================
https://www.sudo.ws/alerts/minus_1_uid.html
https://usn.ubuntu.com/4154-1/
http://www.debian.org/security/2019/dsa-4543
https://www.suse.com/support/update/announcement/2019/suse-su-20192656-1.html
_____________________________________________________________________

Potential bypass of Runas user restrictions

Release Date: October 14, 2019

Summary:
    When sudo is configured to allow a user to run commands as an
    arbitrary user via the ALL keyword in a Runas specification, it is
    possible to run commands as root by specifying the user ID -1 or
    4294967295.

    This can be used by a user with sufficient sudo privileges to run
    commands as root even if the Runas specification explicitly
    disallows root access, as long as the ALL keyword is listed first
    in the Runas specification.

    Log entries for commands run this way will list the target user as
    4294967295 instead of root. In addition, PAM session modules will
    not be run for the command.

Sudo versions affected:
    Sudo versions prior to 1.8.28 are affected.

CVE ID:
    This vulnerability has been assigned CVE-2019-14287 in the Common
    Vulnerabilities and Exposures database.

Details:
    Exploiting the bug requires that the user have sudo privileges that
    allow them to run commands with an arbitrary user ID. Typically,
    this means that the user's sudoers entry has the special value ALL
    in the Runas specifier.

    Sudo supports running a command with a user-specified user name or
    user ID, if permitted by the sudoers policy. For example, the
    following sudoers entry allows the id command to be run as any user
    because it includes the ALL keyword in the Runas specifier:

        myhost alice = (ALL) /usr/bin/id

    Not only is the user able to run the id command as any valid user,
    she is also able to run it as an arbitrary user ID by using the
    #uid syntax. For example, the following would return 1234:

        sudo -u#1234 id -u

    However, the setresuid(2) and setreuid(2) system calls, which sudo
    uses to change the user ID before running the command, treat user
    ID -1 (or its unsigned equivalent 4294967295) specially and do not
    change the user ID for this value. As a result, either of the
    following will actually return 0:

        sudo -u#-1 id -u
        sudo -u#4294967295 id -u

    This is because the sudo command itself is already running as user
    ID 0, so when sudo tries to change to user ID -1, no change occurs.
    This results in sudo log entries that report the command as being
    run by user ID 4294967295 and not root (user ID 0). Additionally,
    because the user ID specified via the -u option does not exist in
    the password database, no PAM session modules will be run.

    If a sudoers entry is written to allow the user to run a command as
    any user except root, the bug can be used to avoid this
    restriction. For example, given the following sudoers entry:

        myhost bob = (ALL, !root) /usr/bin/vi

    User bob is allowed to run vi as any user but root. However, due to
    the bug, bob is actually able to run vi as root by running
    "sudo -u#-1 vi", violating the security policy.

    Only sudoers entries where the ALL keyword is present in the Runas
    specifier are affected. For example, the following sudoers entry is
    unaffected:

        myhost alice = /usr/bin/id

    In this example, alice is only allowed to run the id command as
    root. Any attempt to run the command as a different user will be
    denied.

Fix:
    The bug is fixed in sudo 1.8.28.

Credit:
    Joe Vennix from Apple Information Security found and analyzed the
    bug.
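The chain described in the Details above (Runas matching lets -1 through because it is not root, then the kernel treats -1 as "no change" and the command stays at uid 0) as a runnable model. This is an added example for this note, not sudo's own code: runas_allowed() is a simplified model of sudoers matching (last matching Runas item wins), kernel_set_uid() models the setresuid(2)/setreuid(2) rule for a root caller, and the reject_minus_one switch assumes that the 1.8.28 fix refuses an ID of -1 when the -u argument is parsed, which the advisory does not state. minus_one_is_kernel_noop() makes the real system call so the "-1 means no change" rule can be observed without root.

```python
"""Model of CVE-2019-14287: sudoers Runas matching, the #uid syntax and
the setresuid(2)/setreuid(2) "-1 means no change" rule.
Added example, not sudo's code; the matching is a simplified model."""
import os
import pwd

UID_MINUS_ONE = 2**32 - 1   # (uid_t)-1 with a 32-bit uid_t, i.e. 4294967295


def parse_runas_arg(arg, reject_minus_one=False):
    """Resolve a sudo -u argument ('bob' or '#1234') to a numeric uid.

    reject_minus_one=False models sudo < 1.8.28, which accepted #-1 and
    #4294967295 like any other uid.  reject_minus_one=True models the
    fix (assumption: the fixed parser rejects an ID of -1 outright).
    """
    if arg.startswith("#"):
        uid = int(arg[1:], 10)
        if uid < 0:
            uid &= 0xFFFFFFFF          # -1 stored in a uid_t becomes 4294967295
        if reject_minus_one and uid == UID_MINUS_ONE:
            raise ValueError("unknown user: %s" % arg)
        return uid
    return pwd.getpwnam(arg).pw_uid


def runas_allowed(runas_spec, target_uid):
    """Simplified sudoers Runas matching for a list such as ["ALL", "!root"].

    'ALL' matches every uid, a name matches that user's uid and a leading
    '!' negates.  As in sudoers, the last matching item decides, which is
    why (ALL, !root) excludes root while (!root, ALL) does not.
    """
    allowed = False
    for item in runas_spec:
        negate = item.startswith("!")
        name = item[1:] if negate else item
        matched = name == "ALL" or pwd.getpwnam(name).pw_uid == target_uid
        if matched:
            allowed = not negate
    return allowed


def kernel_set_uid(current_uid, requested_uid):
    """setresuid(2)/setreuid(2) as seen by a root caller: any uid is
    accepted, except that (uid_t)-1 means 'leave this ID unchanged'."""
    if requested_uid == UID_MINUS_ONE:
        return current_uid
    return requested_uid


def sudo_run_as(runas_spec, runas_arg, patched=False):
    """Uid the command actually runs with, or None when sudo refuses.
    sudo is already uid 0 when it switches to the target user."""
    try:
        target = parse_runas_arg(runas_arg, reject_minus_one=patched)
    except ValueError:
        return None
    if not runas_allowed(runas_spec, target):
        return None
    return kernel_set_uid(0, target)


def minus_one_is_kernel_noop():
    """Live check of the syscall rule: setting uid -1 succeeds even for an
    unprivileged caller and leaves the uid untouched."""
    before = os.getuid()
    if hasattr(os, "setresuid"):
        os.setresuid(-1, -1, -1)
    else:                              # platforms without setresuid(2)
        os.setreuid(-1, -1)
    return os.getuid() == before


if __name__ == "__main__":
    spec = ["ALL", "!root"]            # myhost bob = (ALL, !root) /usr/bin/vi
    print("sudo -u#1234 vi      -> uid", sudo_run_as(spec, "#1234"))
    print("sudo -u root vi      -> ", sudo_run_as(spec, "root"), "(denied)")
    print("sudo -u#-1 vi        -> uid", sudo_run_as(spec, "#-1"), "(the bug)")
    print("sudo -u#4294967295   -> uid", sudo_run_as(spec, "#4294967295"))
    print("patched, -u#-1       -> ", sudo_run_as(spec, "#-1", patched=True))
    print("kernel no-op for -1  -> ", minus_one_is_kernel_noop())
```

Run it as an ordinary user: the model returns 1234 for "#1234", None (denied) for "root", and 0 for both "#-1" and "#4294967295", while the patched parser returns None for the same arguments. Checking runas_allowed(["!root", "ALL"], 0) shows why the advisory requires ALL to be listed first: with ALL last, root is already permitted and there is no restriction to bypass.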
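Two checks an administrator will want after reading the advisory above, added here as an example and not taken from sudo or any of the vendor advisories: an audit of sudoers for Runas lists that start with ALL and then exclude users (the only shape whose restriction this bug defeats; entries with ALL alone are still mis-logged and skip PAM sessions), and a scan of sudo log lines for a target user of "#-1" or "#4294967295". The sudoers entries and log lines are constructed for this example; the log pattern assumes the usual "sudo: user : TTY=... ; USER=target ; COMMAND=..." syslog form and that sudo records the -u argument as given, so either spelling can appear.

```python
"""Audit sudoers Runas lists and sudo logs for CVE-2019-14287.
Added example; the sample sudoers and log lines are constructed."""
import re

# Parenthesised Runas list of a sudoers entry, e.g. "(ALL, !root)".
RUNAS_RE = re.compile(r"\(\s*([^)]*?)\s*\)")
# sudo syslog line: "sudo: <user> : TTY=... ; USER=<target> ; COMMAND=<cmd>"
LOG_RE = re.compile(
    r"sudo:\s+(?P<user>\S+)\s+:.*?\bUSER=(?P<target>\S+)\s*;.*?\bCOMMAND=(?P<cmd>.*)$")
# Both spellings of the -1 target user seen in logs (assumption, see lead-in).
BAD_TARGETS = {"#-1", "#4294967295"}


def runas_users(line):
    """Runas user items of a sudoers entry, or None if it has no Runas list
    (such an entry only runs as root and is unaffected)."""
    m = RUNAS_RE.search(line)
    if not m:
        return None
    users = m.group(1).split(":")[0]          # drop a "(user : group)" group part
    items = [x.strip() for x in users.split(",") if x.strip()]
    return items or None


def classify_entry(line):
    """'bypass' for (ALL, !x, ...), 'all' when ALL is present without a later
    negation, None when the entry is not affected."""
    items = runas_users(line)
    if not items or "ALL" not in items:
        return None
    after_all = items[items.index("ALL") + 1:]
    if any(x.startswith("!") for x in after_all):
        return "bypass"     # restriction can be evaded with -u#-1
    return "all"            # root already allowed; -1 is still mis-logged


def audit_sudoers(text):
    """Return (entry, classification) for every affected sudoers entry."""
    hits = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        c = classify_entry(line)
        if c:
            hits.append((line, c))
    return hits


def find_minus_one_runs(log_lines):
    """Return (invoking user, target, command) for sudo log lines whose
    target user is the -1 uid in either spelling."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and m.group("target") in BAD_TARGETS:
            hits.append((m.group("user"), m.group("target"), m.group("cmd")))
    return hits


# Constructed sample sudoers, mirroring the entries discussed in the advisory.
SAMPLE_SUDOERS = """\
# constructed sample, not a real sudoers file
Defaults    env_reset
root        ALL=(ALL:ALL) ALL
myhost alice = (ALL) /usr/bin/id
myhost bob = (ALL, !root) /usr/bin/vi
myhost carol = (!root, ALL) /usr/bin/vi
myhost dave = /usr/bin/id
myhost erin = (www-data, !root) /usr/bin/id
"""

# Constructed sample auth.log lines.
SAMPLE_LOG = [
    "Oct 14 10:11:12 myhost sudo:      bob : TTY=pts/0 ; PWD=/home/bob ; USER=#-1 ; COMMAND=/usr/bin/vi",
    "Oct 14 10:12:13 myhost sudo:    alice : TTY=pts/1 ; PWD=/home/alice ; USER=#4294967295 ; COMMAND=/usr/bin/id -u",
    "Oct 14 10:13:14 myhost sudo:    alice : TTY=pts/1 ; PWD=/home/alice ; USER=#1234 ; COMMAND=/usr/bin/id -u",
    "Oct 14 10:14:15 myhost sudo:      bob : TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/vi",
]

if __name__ == "__main__":
    for entry, kind in audit_sudoers(SAMPLE_SUDOERS):
        print("%-7s %s" % (kind, entry))
    for user, target, cmd in find_minus_one_runs(SAMPLE_LOG):
        print("suspicious: %s ran %r as %s" % (user, cmd, target))
```

On the sample data the audit flags bob's (ALL, !root) entry as the bypassable one and lists the root, alice and carol entries as merely "all" (carol's (!root, ALL) already permits root because the last matching item wins), while dave and erin are untouched; the log scan reports the two lines with target #-1 and #4294967295 and ignores the ordinary #1234 and root runs. For a real host, feed it the output of "visudo -c -f" style exports or the files under /etc/sudoers.d, and the relevant auth.log or journal lines for sudo.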
_____________________________________________________________________

USN-4154-1: Sudo vulnerability
14 October 2019

sudo vulnerability

A security issue affects these releases of Ubuntu and its derivatives:
  o Ubuntu 19.04
  o Ubuntu 18.04 LTS
  o Ubuntu 16.04 LTS
  o Ubuntu 14.04 ESM
  o Ubuntu 12.04 ESM

Summary
Sudo could be made to run commands as root if it is called with a
specially crafted user ID.

Software Description
  o sudo - Provide limited super user privileges to specific users

Details
Joe Vennix discovered that Sudo incorrectly handled certain user IDs.
An attacker could potentially exploit this to execute arbitrary
commands as the root user.

Update instructions
The problem can be corrected by updating your system to the following
package versions:

Ubuntu 19.04
  sudo - 1.8.27-1ubuntu1.1
  sudo-ldap - 1.8.27-1ubuntu1.1

Ubuntu 18.04 LTS
  sudo - 1.8.21p2-3ubuntu1.1
  sudo-ldap - 1.8.21p2-3ubuntu1.1

Ubuntu 16.04 LTS
  sudo - 1.8.16-0ubuntu1.8
  sudo-ldap - 1.8.16-0ubuntu1.8

Ubuntu 14.04 ESM
  sudo - 1.8.9p5-1ubuntu1.5+esm2
  sudo-ldap - 1.8.9p5-1ubuntu1.5+esm2

Ubuntu 12.04 ESM
  sudo - 1.8.3p1-1ubuntu3.8
  sudo-ldap - 1.8.3p1-1ubuntu3.8

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades

In general, a standard system update will make all the necessary
changes.
References
  o CVE-2019-14287

_____________________________________________________________________

-------------------------------------------------------------------------
Debian Security Advisory DSA-4543-1                   security@debian.org
https://www.debian.org/security/                       Salvatore Bonaccorso
October 14, 2019                      https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : sudo
CVE ID         : CVE-2019-14287
Debian Bug     : 942322

Joe Vennix discovered that sudo, a program designed to provide limited
super user privileges to specific users, when configured to allow a
user to run commands as an arbitrary user via the ALL keyword in a
Runas specification, allows running commands as root by specifying the
user ID -1 or 4294967295. This could allow a user with sufficient sudo
privileges to run commands as root even if the Runas specification
explicitly disallows root access.

Details can be found in the upstream advisory at
https://www.sudo.ws/alerts/minus_1_uid.html .

For the oldstable distribution (stretch), this problem has been fixed
in version 1.8.19p1-2.1+deb9u1.

For the stable distribution (buster), this problem has been fixed in
version 1.8.27-1+deb10u1.

We recommend that you upgrade your sudo packages.
For the detailed security status of sudo please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/sudo

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

_____________________________________________________________________

SUSE Security Update: Security update for sudo
______________________________________________________________________________

Announcement ID:    SUSE-SU-2019:2656-1
Rating:             important
References:         #1153674
Cross-References:   CVE-2019-14287
Affected Products:
                    SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1
                    SUSE Linux Enterprise Module for Open Buildservice Development Tools 15
                    SUSE Linux Enterprise Module for Basesystem 15-SP1
                    SUSE Linux Enterprise Module for Basesystem 15
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for sudo fixes the following issue:

  o CVE-2019-14287: Fixed an issue where a user with sudo privileges
    that allowed them to run commands with an arbitrary uid could run
    commands as root, despite being forbidden to do so in sudoers
    (bsc#1153674).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended
installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  o SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1:
    zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2019-2656=1

  o SUSE Linux Enterprise Module for Open Buildservice Development Tools 15:
    zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-2019-2656=1

  o SUSE Linux Enterprise Module for Basesystem 15-SP1:
    zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2019-2656=1

  o SUSE Linux Enterprise Module for Basesystem 15:
    zypper in -t patch SUSE-SLE-Module-Basesystem-15-2019-2656=1

Package List:

  o SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64):
      sudo-debuginfo-1.8.22-4.6.1
      sudo-debugsource-1.8.22-4.6.1
      sudo-test-1.8.22-4.6.1

  o SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (aarch64 ppc64le s390x x86_64):
      sudo-debuginfo-1.8.22-4.6.1
      sudo-debugsource-1.8.22-4.6.1
      sudo-test-1.8.22-4.6.1

  o SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64):
      sudo-1.8.22-4.6.1
      sudo-debuginfo-1.8.22-4.6.1
      sudo-debugsource-1.8.22-4.6.1
      sudo-devel-1.8.22-4.6.1

  o SUSE Linux Enterprise Module for Basesystem 15 (aarch64 ppc64le s390x x86_64):
      sudo-1.8.22-4.6.1
      sudo-debuginfo-1.8.22-4.6.1
      sudo-debugsource-1.8.22-4.6.1
      sudo-devel-1.8.22-4.6.1

References:

  o https://www.suse.com/security/cve/CVE-2019-14287.html
  o https://bugzilla.suse.com/1153674

=========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel      | fax : 01-53-94-20-41          +
+ 75013 Paris           | email:cert@support.renater.fr +
=========================================================