SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   Sudo Vendors:   sudo.ws
(Red Hat Issues Fix) Sudo sudoedit and 'runas_default' Flaws Let Local Users Gain Elevated Privileges
SecurityTracker Alert ID:  1023659
SecurityTracker URL:  http://securitytracker.com/id/1023659
CVE Reference:   CVE-2010-0426, CVE-2010-0427   (Links to External Site)
Date:  Feb 26 2010
Impact:   Execution of arbitrary code via local system, Root access via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to 1.7.2p4
Description:   Two vulnerabilities were reported in Sudo. A local user can obtain root privileges on the target system.

A local user with privileges in the sudoers file can invoke the sudoedit pseudo-command to potentially execute arbitrary commands on the target system with root privileges [CVE-2010-0426].

Supplementary groups are not properly initialized when the sudoers file "runas_default" option is used. A local user with privileges in the sudoers file can run commands with the root user's supplementary groups privileges [CVE-2010-0427].

Impact:   A local user can obtain root privileges on the target system.
Solution:   Red Hat has issued a fix.

The Red Hat advisory is available at:

https://rhn.redhat.com/errata/RHSA-2010-0122.html

Vendor URL:  www.sudo.ws/ (Links to External Site)
Cause:   Access control error
Underlying OS:  Linux (Red Hat Enterprise)
Underlying OS Comments:  5

Message History:   This archive entry is a follow-up to the message listed below.
Feb 26 2010 Sudo sudoedit and 'runas_default' Flaws Let Local Users Gain Elevated Privileges



 Source Message Contents

Subject:  [RHSA-2010:0122-01] Important: sudo security update

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: sudo security update
Advisory ID:       RHSA-2010:0122-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2010-0122.html
Issue date:        2010-02-26
CVE Names:         CVE-2010-0426 CVE-2010-0427 
=====================================================================

1. Summary:

An updated sudo package that fixes two security issues is now available for
Red Hat Enterprise Linux 5.

This update has been rated as having important security impact by the Red
Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64

3. Description:

The sudo (superuser do) utility allows system administrators to give
certain users the ability to run commands as root.

A privilege escalation flaw was found in the way sudo handled the sudoedit
pseudo-command. If a local user were authorized by the sudoers file to use
this pseudo-command, they could possibly leverage this flaw to execute
arbitrary code with the privileges of the root user. (CVE-2010-0426)

The sudo utility did not properly initialize supplementary groups when the
"runas_default" option (in the sudoers file) was used. If a local user
were authorized by the sudoers file to perform their sudo commands under
the account specified with "runas_default", they would receive the root
user's supplementary groups instead of those of the intended target user,
giving them unintended privileges. (CVE-2010-0427)

Users of sudo should upgrade to this updated package, which contains
backported patches to correct these issues.

4. Solution:

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

567337 - CVE-2010-0426 sudo: sudoedit option can possibly allow for arbitrary code execution
567622 - CVE-2010-0427 sudo: Fails to reset group permissions if runas_default set

6. Package List:

Red Hat Enterprise Linux Desktop (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/sudo-1.6.9p17-6.el5_4.src.rpm

i386:
sudo-1.6.9p17-6.el5_4.i386.rpm
sudo-debuginfo-1.6.9p17-6.el5_4.i386.rpm

x86_64:
sudo-1.6.9p17-6.el5_4.x86_64.rpm
sudo-debuginfo-1.6.9p17-6.el5_4.x86_64.rpm

Red Hat Enterprise Linux (v. 5 server):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/sudo-1.6.9p17-6.el5_4.src.rpm

i386:
sudo-1.6.9p17-6.el5_4.i386.rpm
sudo-debuginfo-1.6.9p17-6.el5_4.i386.rpm

ia64:
sudo-1.6.9p17-6.el5_4.ia64.rpm
sudo-debuginfo-1.6.9p17-6.el5_4.ia64.rpm

ppc:
sudo-1.6.9p17-6.el5_4.ppc.rpm
sudo-debuginfo-1.6.9p17-6.el5_4.ppc.rpm

s390x:
sudo-1.6.9p17-6.el5_4.s390x.rpm
sudo-debuginfo-1.6.9p17-6.el5_4.s390x.rpm

x86_64:
sudo-1.6.9p17-6.el5_4.x86_64.rpm
sudo-debuginfo-1.6.9p17-6.el5_4.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and 
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2010-0426.html
https://www.redhat.com/security/data/cve/CVE-2010-0427.html
http://www.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>.  More contact
details at https://www.redhat.com/security/team/contact/

Copyright 2010 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFLh6uDXlSAg2UNWIIRAhhJAJ49T7Ti+KIYKerJG/GGnMZHGFVkgwCgijUM
FJatlE21Yc9aqgmpeMl/d58=
=8gCr
-----END PGP SIGNATURE-----


-- 
Enterprise-watch-list mailing list
Enterprise-watch-list@redhat.com
https://www.redhat.com/mailman/listinfo/enterprise-watch-list
 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2020, SecurityGlobal.net LLC