The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Sudo

vulnerability bulletin CVE-2017-1000377

GRSecurity/PaX: memory corruption via Stack Clash

Synthesis of the vulnerability

A local attacker can trigger a Stack Clash memory corruption through Sudo on a GRSecurity/PaX kernel, in order to cause a denial of service and possibly to run code.
Impacted products: Sudo, Unix (platform) ~ not comprehensive.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights, denial of service on server, denial of service on service.
Provenance: user shell.
Creation date: 20/06/2017.
Revision date: 20/06/2017.
Identifiers: CVE-2017-1000377, VIGILANCE-VUL-23013.

Description of the vulnerability

An attacker can trigger a Stack Clash memory corruption on GRSecurity/PaX, exploitable via Sudo: the guard gap that the kernel keeps below a process stack is too small to stop the stack of a setuid program such as Sudo from colliding with an adjacent memory mapping, which leads to a denial of service and possibly to code execution.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability CVE-2017-1000367 CVE-2017-1000368

sudo: privilege escalation via the parsing of /proc/pid/stat

Synthesis of the vulnerability

A local attacker can tamper with the parsing of /proc/[pid]/stat by sudo, in order to escalate his privileges.
Impacted products: Debian, Fedora, Junos Space, McAfee Web Gateway, openSUSE Leap, RHEL, Slackware, Sudo, SUSE Linux Enterprise Desktop, SLES, Synology DSM, Synology DS***, Synology RS***, InterScan Messaging Security Suite, Ubuntu.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights.
Provenance: user shell.
Number of vulnerabilities in this bulletin: 2.
Creation date: 30/05/2017.
Revision date: 15/06/2017.
Identifiers: 1117723, CERTFR-2017-AVI-238, CERTFR-2017-AVI-365, CVE-2017-1000367, CVE-2017-1000368, DLA-1011-1, DLA-970-1, DSA-3867-1, FEDORA-2017-54580efa82, FEDORA-2017-8b250ebe97, FEDORA-2017-facd994774, JSA10824, JSA10826, openSUSE-SU-2017:1455-1, openSUSE-SU-2017:1697-1, RHSA-2017:1381-01, RHSA-2017:1382-01, RHSA-2017:1574-01, SB10205, SSA:2017-150-01, SUSE-SU-2017:1446-1, SUSE-SU-2017:1450-1, SUSE-SU-2017:1626-1, SUSE-SU-2017:1627-1, SUSE-SU-2017:1778-1, Synology-SA-17:19, USN-3304-1, USN-3968-1, VIGILANCE-VUL-22865.

Description of the vulnerability

The sudo product looks for its controlling tty.

To do so, on Linux it reads the file /proc/[pid]/stat and takes the tty device number from its seventh field. However, the parsing of this file is wrong: sudo splits the line on spaces, while the second field (the command name, between parentheses) may itself contain spaces, so the field positions shift. An attacker can therefore tamper with the program path (for example by running sudo through a symbolic link whose name contains spaces) so that sudo selects a device of the attacker's choosing as its tty, and then, through a symbolic link swap and when sudo is built with SELinux support and invoked with a role, make sudo write into any file with root privileges.

CVE-2017-1000368 covers the incomplete first fix: a newline character in the command name was not handled.

A local attacker can therefore tamper with the parsing of /proc/[pid]/stat by sudo, in order to escalate his privileges.

computer vulnerability announce CVE-2014-9680

sudo: file reading via TZ

Synthesis of the vulnerability

A local privileged attacker can set the TZ environment variable before calling sudo, in order to force the opening of a file, or a denial of service if this file is blocking.
Impacted products: Debian, Fedora, openSUSE, openSUSE Leap, RHEL, Slackware, Sudo, Ubuntu, Unix (platform) ~ not comprehensive.
Severity: 1/4.
Consequences: data reading, denial of service on client.
Provenance: privileged shell.
Creation date: 10/02/2015.
Identifiers: CVE-2014-9680, DSA-3167-1, FEDORA-2015-2247, FEDORA-2015-2281, MDVSA-2015:126, openSUSE-SU-2015:1913-1, openSUSE-SU-2016:2983-1, openSUSE-SU-2016:3004-1, RHSA-2015:1409-01, SSA:2015-047-03, USN-2533-1, VIGILANCE-VUL-16137.

Description of the vulnerability

The sudo program allows some users to execute commands with elevated privileges.

The sudo program filters environment variables which are potentially dangerous. However, sudo passes the TZ variable through unchanged, and its value can name a time zone file (an absolute path, optionally preceded by a colon). The target application, linked against glibc, thus opens this file to read its time zone data. It can be noted that the content of this file is never returned to the user. Since version 1.8.12, sudo checks the TZ value before passing it on.

A local privileged attacker can therefore set the TZ environment variable before calling sudo, in order to force the opening of a file, or a denial of service if this file is blocking.

computer vulnerability CVE-2014-0106

sudo: privilege escalation via env_reset

Synthesis of the vulnerability

When env_reset is disabled, an attacker can use the LD_PRELOAD environment variable on the sudo command line, in order to escalate his privileges.
Impacted products: openSUSE, RHEL, Slackware, Sudo, SUSE Linux Enterprise Desktop, SLES, Ubuntu, Unix (platform) ~ not comprehensive.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights.
Provenance: user shell.
Creation date: 06/03/2014.
Identifiers: CVE-2014-0106, openSUSE-SU-2014:0737-1, RHSA-2014:0266-01, SSA:2014-064-01, SUSE-SU-2014:0475-1, USN-2146-1, VIGILANCE-VUL-14365.

Description of the vulnerability

The sudo command can be used by the administrator to delegate some privileges to users. A user can thus be allowed to run a command with high privileges.

When the env_reset configuration directive is disabled, the env_check and env_delete directives are used to filter dangerous environment variables. However, due to a logic error in sudo 1.6.9 through 1.8.4p5, variables passed as VAR=value arguments on the sudo command line are not filtered at all.

When env_reset is disabled, an attacker can therefore use the LD_PRELOAD environment variable on the sudo command line, in order to escalate his privileges.
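Both environment bulletins above (CVE-2014-9680 and CVE-2014-0106) come down to the same question: which assignments reach the command, and with which values. The example below is mine, not sudo's code, and its blacklist, zoneinfo directory and length cap are assumptions: assignment_allowed_buggy() reproduces the CVE-2014-0106 logic error by skipping the check for assignments supplied on the command line, assignment_allowed_fixed() checks every assignment regardless of origin, and tz_value_is_safe() shows the kind of value check the TZ fix needs (an absolute path is accepted only inside the zoneinfo tree, ".." components and non-printable characters are rejected).

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added example, not sudo's code. Assumptions: the directory below is where
 * glibc usually keeps its zone files; the length cap is arbitrary. */
#define ZONEINFO_DIR "/usr/share/zoneinfo/"
#define TZ_MAX_LEN   255

/* Value check for TZ: glibc opens the named file, so an absolute path may
 * only point inside the zoneinfo tree, no ".." component may escape it,
 * and the value must be printable text. Returns 1 if the value is safe. */
int tz_value_is_safe(const char *value)
{
    size_t len = strlen(value);
    if (len > TZ_MAX_LEN)
        return 0;
    for (size_t i = 0; i < len; i++)
        if (!isprint((unsigned char)value[i]))
            return 0;
    if (*value == ':')                  /* ":file" form, permitted by POSIX */
        value++;
    if (*value == '/' && strncmp(value, ZONEINFO_DIR, strlen(ZONEINFO_DIR)) != 0)
        return 0;                       /* absolute path outside the tree */
    for (const char *p = strstr(value, ".."); p != NULL; p = strstr(p + 2, "..")) {
        int starts_component = (p == value || p[-1] == '/');
        int ends_component   = (p[2] == '\0' || p[2] == '/');
        if (starts_component && ends_component)
            return 0;                   /* a ".." path component */
    }
    return 1;
}

/* Name check in the style of env_delete (constructed list). */
static int name_is_blacklisted(const char *name, size_t len)
{
    static const char *const banned[] = { "IFS", "ENV", "BASH_ENV" };
    if (len >= 3 && strncmp(name, "LD_", 3) == 0)   /* LD_PRELOAD and friends */
        return 1;
    for (size_t i = 0; i < sizeof banned / sizeof banned[0]; i++)
        if (strlen(banned[i]) == len && strncmp(name, banned[i], len) == 0)
            return 1;
    return 0;
}

/* Shared check for one "NAME=value" string. Returns 1 if it may pass. */
static int check_assignment(const char *kv)
{
    const char *eq = strchr(kv, '=');
    if (eq == NULL || eq == kv)
        return 0;                       /* not of the form NAME=value */
    size_t len = (size_t)(eq - kv);
    if (name_is_blacklisted(kv, len))
        return 0;
    if (len == 2 && strncmp(kv, "TZ", 2) == 0)
        return tz_value_is_safe(eq + 1);
    return 1;
}

/* Shape of the CVE-2014-0106 bug, with env_reset off: assignments given on
 * the sudo command line bypass the filter entirely. */
int assignment_allowed_buggy(const char *kv, int from_cmdline)
{
    if (from_cmdline)
        return 1;
    return check_assignment(kv);
}

/* Fixed: where the assignment came from does not matter. */
int assignment_allowed_fixed(const char *kv, int from_cmdline)
{
    (void)from_cmdline;
    return check_assignment(kv);
}

int main(void)
{
    /* Constructed input, as in "sudo LD_PRELOAD=/tmp/evil.so TZ=/dev/zero id". */
    const char *const inherited[] = { "HOME=/home/alice", "LD_LIBRARY_PATH=/tmp" };
    const char *const cmdline[]   = { "LD_PRELOAD=/tmp/evil.so", "TZ=/dev/zero",
                                      "TZ=Europe/Paris" };
    for (size_t i = 0; i < 2; i++)
        printf("env  %-26s buggy=%d fixed=%d\n", inherited[i],
               assignment_allowed_buggy(inherited[i], 0),
               assignment_allowed_fixed(inherited[i], 0));
    for (size_t i = 0; i < 3; i++)
        printf("argv %-26s buggy=%d fixed=%d\n", cmdline[i],
               assignment_allowed_buggy(cmdline[i], 1),
               assignment_allowed_fixed(cmdline[i], 1));
    return 0;
}
```

The blacklist only matters when env_reset is off; with env_reset on, only the variables listed in env_keep survive, which is the simpler policy to reason about.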

vulnerability announce CVE-2013-1776 CVE-2013-2776 CVE-2013-2777

Sudo: authenticating via ttyname

Synthesis of the vulnerability

A local attacker, who used Sudo during the last 5 minutes, can use Sudo on another terminal without authenticating, even if "tty_tickets" is configured.
Impacted products: Debian, Fedora, openSUSE, Solaris, RHEL, Slackware, Sudo, Unix (platform) ~ not comprehensive.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights, user access/rights.
Provenance: user shell.
Number of vulnerabilities in this bulletin: 3.
Creation date: 27/02/2013.
Identifiers: BID-58207, CERTA-2013-AVI-190, CERTA-2013-AVI-387, CERTFR-2014-AVI-112, CVE-2013-1776, CVE-2013-2776, CVE-2013-2777, DSA-2642-1, FEDORA-2013-3270, FEDORA-2013-3297, MDVSA-2013:026, MDVSA-2013:054, openSUSE-SU-2013:0495-1, openSUSE-SU-2013:0503-1, RHSA-2013:1353-01, RHSA-2013:1701-02, SSA:2013-065-01, VIGILANCE-VUL-12472.

Description of the vulnerability

When a user authenticates on Sudo, a file is created in the /var/db/sudo/user directory. The Sudo program then looks at the file timestamp to check whether the last user authentication is recent (less than 5 minutes), in order to not request a new authentication.

When the "tty_tickets" configuration option is set, the /var/db/sudo/user directory contains one file for each terminal/tty. So, the password has to be entered in each terminal.

However, an attacker who is on terminal B can close file descriptors 0, 1 and 2 (stdin, stdout and stderr), open the device of terminal A, which belongs to the same user, and attach it to these descriptors. This deceives the ttyname() function, which then reports that the attacker is on terminal A, so the ticket of terminal A is reused. The fix determines the controlling tty of the sudo process itself (on Linux, from /proc/[pid]/stat) instead of trusting the terminal behind descriptors 0 to 2.

A local attacker, who used Sudo during the last 5 minutes, can therefore use Sudo on another terminal without authenticating, even if "tty_tickets" is configured.

vulnerability alert CVE-2013-1775

Sudo: authenticating by changing time

Synthesis of the vulnerability

A local attacker, who previously used Sudo, can change the system time, in order to use Sudo without authenticating.
Impacted products: Debian, Fedora, openSUSE, Solaris, RHEL, Slackware, Sudo, Unix (platform) ~ not comprehensive.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights, user access/rights.
Provenance: user shell.
Creation date: 27/02/2013.
Identifiers: BID-58203, CERTA-2013-AVI-190, CERTA-2013-AVI-387, CERTFR-2014-AVI-112, CVE-2013-1775, DSA-2642-1, FEDORA-2013-3270, FEDORA-2013-3297, MDVSA-2013:026, MDVSA-2013:054, openSUSE-SU-2013:0495-1, openSUSE-SU-2013:0503-1, RHSA-2013:1353-01, RHSA-2013:1701-02, SSA:2013-065-01, VIGILANCE-VUL-12471.

Description of the vulnerability

When a user authenticates on Sudo, a file is created in the /var/db/sudo/user directory. The Sudo program then looks at the file timestamp to check if the last user authentication is recent (less than 5 minutes), in order to not request a new authentication.

The "sudo -k" command is used to remove this memorized state. In order to do so, the file timestamp is changed to 01/01/1970. So, as there is more than 5 minutes between the file timestamp and the current time, the user has to authenticate again.

However, on some systems, a local user is allowed to alter the system time. He can then set it back to 01/01/1970. As there are then less than 5 minutes between the file timestamp and the system time, the user can run Sudo without entering his password.

A local attacker, who previously used Sudo, can therefore change the system time, in order to use Sudo without authenticating.
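A simulation of the check described above, written as an added example (mine, not sudo's code): ticket_valid_vulnerable() is the bare "less than 5 minutes old" comparison, ticket_valid_hardened() treats the epoch sentinel as "no ticket" and ignores tickets dated after the clock. epoch_attack() replays the bulletin's scenario against either validator, and rollback_attack() shows the weakness that remains in any wall-clock comparison: winding the clock back to just after an expired ticket, which only a monotonic clock (the approach sudo later adopted for its timestamp file) defeats. All clock values are constructed.

```c
#include <stdio.h>
#include <time.h>

/* Added example, not sudo's code: a model of the ticket timestamp check. */
#define TICKET_TIMEOUT 300          /* sudo's default: 5 minutes */
#define TICKET_NONE    ((time_t)0)  /* mtime that "sudo -k" wrote: the epoch */

/* Vulnerable: valid when less than TICKET_TIMEOUT seconds separate the
 * ticket mtime from the wall clock. Returns 1 when no password is needed. */
int ticket_valid_vulnerable(time_t ticket_mtime, time_t now)
{
    return now - ticket_mtime < TICKET_TIMEOUT;
}

/* Hardened (my variant): the epoch means "no ticket", and a ticket dated
 * after the clock means the clock has been moved, so it is ignored too. */
int ticket_valid_hardened(time_t ticket_mtime, time_t now)
{
    if (ticket_mtime == TICKET_NONE || ticket_mtime > now)
        return 0;
    return now - ticket_mtime < TICKET_TIMEOUT;
}

/* Replays the bulletin's scenario with a simulated wall clock. Returns how
 * many decisions the validator got wrong (0 means it resisted). */
int epoch_attack(int (*valid)(time_t, time_t))
{
    int wrong = 0;
    time_t wall = 1700000000;            /* constructed: a moment in 2023 */
    time_t ticket = wall;                /* password entered: ticket = now */
    wall += 60;
    if (!valid(ticket, wall)) wrong++;   /* one minute later: must pass */
    ticket = TICKET_NONE;                /* the user runs "sudo -k" */
    if (valid(ticket, wall)) wrong++;    /* must prompt again */
    wall = 0;                            /* attacker sets the clock to the epoch */
    if (valid(ticket, wall)) wrong++;    /* CVE-2013-1775: must still prompt */
    return wrong;
}

/* Residual weakness of any wall-clock comparison: an expired ticket becomes
 * fresh again once the clock is wound back to just after it. Returns 1 if
 * the validator accepts, -1 if it already accepted the expired ticket. */
int rollback_attack(int (*valid)(time_t, time_t))
{
    time_t ticket = 1700000000;
    time_t wall = ticket + 3600;         /* an hour later: expired */
    if (valid(ticket, wall))
        return -1;
    wall = ticket + 10;                  /* attacker winds the clock back */
    return valid(ticket, wall);
}

int main(void)
{
    printf("epoch attack:    vulnerable wrong=%d  hardened wrong=%d\n",
           epoch_attack(ticket_valid_vulnerable), epoch_attack(ticket_valid_hardened));
    printf("rollback attack: vulnerable accepts=%d  hardened accepts=%d\n",
           rollback_attack(ticket_valid_vulnerable), rollback_attack(ticket_valid_hardened));
    return 0;
}
```

Both validators accept the rollback: a timestamp compared against settable wall-clock time can never distinguish a moved clock from a fresh ticket, which is why the durable fix is to record the ticket against a clock the user cannot move.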