Vulnerabilities > CVE-2017-1000367 - Race Condition vulnerability in Sudo Project Sudo

047910
CVSS 6.4 - MEDIUM
Attack vector
LOCAL
Attack complexity
HIGH
Privileges required
HIGH
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
local
high complexity
sudo-project
CWE-362
nessus
exploit available

Summary

Todd Miller's sudo version 1.8.20 and earlier is vulnerable to an input validation (embedded spaces) in the get_process_ttyname() function resulting in information disclosure and command execution.

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Leveraging Race Conditions
    This attack targets a race condition occurring when multiple processes access and manipulate the same resource concurrently and the outcome of the execution depends on the particular order in which the access takes place. The attacker can leverage a race condition by "running the race", modifying the resource and modifying the normal execution flow. For instance a race condition can occur while accessing a file, the attacker can trick the system by replacing the original file with his version and cause the system to read the malicious file.
  • Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions
    This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. The typical example is the file access. The attacker can leverage a file access race condition by "running the race", meaning that he would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the attacker could do something such as replace the file and cause an escalation of privilege.

Exploit-Db

descriptionSudo - 'get_process_ttyname()' Privilege Escalation. CVE-2017-1000367. Local exploit for Linux platform
fileexploits/linux/local/42183.c
idEDB-ID:42183
last seen2017-06-16
modified2017-06-14
platformlinux
port
published2017-06-14
reporterExploit-DB
sourcehttps://www.exploit-db.com/download/42183/
titleSudo - 'get_process_ttyname()' Privilege Escalation
typelocal

Nessus

  • NASL familyPhotonOS Local Security Checks
    NASL idPHOTONOS_PHSA-2017-0021.NASL
    descriptionAn update of [zlib,bindutils,ruby,krb5,sudo] packages for PhotonOS has been released.
    last seen2019-02-21
    modified2019-02-07
    plugin id111870
    published2018-08-17
    reporterTenable
    sourcehttps://www.tenable.com/plugins/index.php?view=single&id=111870
    titlePhoton OS 1.0: Bindutils / Krb5 / Ruby / Sudo / Zlib PHSA-2017-0021 (deprecated)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # @DEPRECATED@
    #
    # Disabled on 2/7/2019
    #
    
    # The descriptive text and package checks in this plugin were
    # extracted from VMware Security Advisory PHSA-2017-0021. The text
    # itself is copyright (C) VMware, Inc.
    
    include("compat.inc");
    
    if (description)
    {
      script_id(111870);
      script_version("1.3");
      script_cvs_date("Date: 2019/04/05 23:25:07");
    
      script_cve_id(
        "CVE-2016-2776",
        "CVE-2016-3120",
        "CVE-2016-9841",
        "CVE-2016-9843",
        "CVE-2016-1000368",
        "CVE-2017-9224",
        "CVE-2017-9225",
        "CVE-2017-9227",
        "CVE-2017-9229",
        "CVE-2017-1000367",
        "CVE-2017-1000368"
      );
    
      script_name(english:"Photon OS 1.0: Bindutils / Krb5 / Ruby / Sudo / Zlib PHSA-2017-0021 (deprecated)");
      script_summary(english:"Checks the rpm output for the updated packages.");
    
      script_set_attribute(attribute:"synopsis", value:
    "This plugin has been deprecated.");
      script_set_attribute(attribute:"description", value:
    "An update of [zlib,bindutils,ruby,krb5,sudo] packages for PhotonOS has
    been released.");
      # https://github.com/vmware/photon/wiki/Security-Updates-51
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?11072ed6");
      script_set_attribute(attribute:"solution", value:"n/a.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-2776");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2017/06/22");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/08/17");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:vmware:photonos:bindutils");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:vmware:photonos:krb5");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:vmware:photonos:ruby");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:vmware:photonos:sudo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:vmware:photonos:zlib");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:photonos:1.0");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"PhotonOS Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/PhotonOS/release", "Host/PhotonOS/rpm-list");
    
      exit(0);
    }
    
    exit(0, "This plugin has been deprecated.");
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/PhotonOS/release");
    if (isnull(release) || release !~ "^VMware Photon") audit(AUDIT_OS_NOT, "PhotonOS");
    if (release !~ "^VMware Photon (?:Linux|OS) 1\.0(\D|$)") audit(AUDIT_OS_NOT, "PhotonOS 1.0");
    
    if (!get_kb_item("Host/PhotonOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "PhotonOS", cpu);
    
    flag = 0;
    
    pkgs = [
      "bindutils-9.10.4-2.ph1",
      "bindutils-debuginfo-9.10.4-2.ph1",
      "krb5-1.14-6.ph1",
      "krb5-debuginfo-1.14-6.ph1",
      "ruby-2.4.0-3.ph1",
      "ruby-debuginfo-2.4.0-3.ph1",
      "sudo-1.8.20p2-1.ph1",
      "sudo-debuginfo-1.8.20p2-1.ph1",
      "zlib-1.2.8-5.ph1",
      "zlib-debuginfo-1.2.8-5.ph1",
      "zlib-devel-1.2.8-5.ph1"
    ];
    
    foreach (pkg in pkgs)
      if (rpm_check(release:"PhotonOS-1.0", reference:pkg)) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "bindutils / krb5 / ruby / sudo / zlib");
    }
    
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2017-8B250EBE97.NASL
    description - update to 1.8.20p2 - added sudo package to dnf/yum protected packages ---- - update to 1.8.20p1 - fixes CVE-2017-1000367 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2017-07-17
    plugin id101680
    published2017-07-17
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/101680
    titleFedora 26 : sudo (2017-8b250ebe97)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory FEDORA-2017-8b250ebe97.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(101680);
      script_version("3.8");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      script_cve_id("CVE-2017-1000367");
      script_xref(name:"FEDORA", value:"2017-8b250ebe97");
    
      script_name(english:"Fedora 26 : sudo (2017-8b250ebe97)");
      script_summary(english:"Checks rpm output for the updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "  - update to 1.8.20p2
    
      - added sudo package to dnf/yum protected packages
    
    ----
    
      - update to 1.8.20p1
    
      - fixes CVE-2017-1000367
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora update system website.
    Tenable has attempted to automatically clean and format it as much as
    possible without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bodhi.fedoraproject.org/updates/FEDORA-2017-8b250ebe97"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected sudo package.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:sudo");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:26");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/06/05");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/06/09");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/07/17");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Fedora Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! preg(pattern:"^26([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 26", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"FC26", reference:"sudo-1.8.20p2-1.fc26")) flag++;
    
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "sudo");
    }
    
  • NASL familyVirtuozzo Local Security Checks
    NASL idVIRTUOZZO_VZLSA-2017-1574.NASL
    descriptionAn update for sudo is now available for Red Hat Enterprise Linux 5 Extended Lifecycle Support, Red Hat Enterprise Linux 6, and Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The sudo packages contain the sudo utility which allows system administrators to provide certain users with the permission to execute privileged commands, which are used for system management purposes, without having to log in as root. Security Fix(es) : * It was found that the original fix for CVE-2017-1000367 was incomplete. A flaw was found in the way sudo parsed tty information from the process status file in the proc filesystem. A local user with privileges to execute commands via sudo could use this flaw to escalate their privileges to root. (CVE-2017-1000368) Note that Tenable Network Security has attempted to extract the preceding description block directly from the corresponding Red Hat security advisory. Virtuozzo provides no description for VZLSA advisories. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id101486
    published2017-07-13
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/101486
    titleVirtuozzo 6 : sudo / sudo-devel (VZLSA-2017-1574)
  • NASL familyAmazon Linux Local Security Checks
    NASL idAL2_ALAS-2019-1315.NASL
    descriptionWhen sudo is configured to allow a user to run commands as an arbitrary user via the ALL keyword in a Runas specification, it is possible to run commands as root by specifying the user ID -1 or 4294967295. This can be used by a user with sufficient sudo privileges to run commands as root even if the Runas specification explicitly disallows root access as long as the ALL keyword is listed first in the Runas specification. (CVE-2019-14287) Further details can be found here: https://www.sudo.ws/alerts/minus_1_uid.html A flaw was found in the way sudo parsed tty information from the process status file in the proc filesystem. A local user with privileges to execute commands via sudo could use this flaw to escalate their privileges to root.(CVE-2017-1000367) It was found that the original fix for CVE-2017-1000367 was incomplete. A flaw was found in the way sudo parsed tty information from the process status file in the proc filesystem. A local user with privileges to execute commands via sudo could use this flaw to escalate their privileges to root.(CVE-2017-1000368)
    last seen2020-06-01
    modified2020-06-02
    plugin id129851
    published2019-10-15
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/129851
    titleAmazon Linux 2 : sudo (ALAS-2019-1315)
  • NASL familyAmazon Linux Local Security Checks
    NASL idALA_ALAS-2017-855.NASL
    descriptionIt was found that the original fix for CVE-2017-1000367 was incomplete. A flaw was found in the way sudo parsed tty information from the process status file in the proc filesystem. A local user with privileges to execute commands via sudo could use this flaw to escalate their privileges to root. (CVE-2017-1000368)
    last seen2020-06-01
    modified2020-06-02
    plugin id101272
    published2017-07-07
    reporterThis script is Copyright (C) 2017-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/101272
    titleAmazon Linux AMI : sudo (ALAS-2017-855)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2017-1382.NASL
    descriptionFrom Red Hat Security Advisory 2017:1382 : An update for sudo is now available for Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The sudo packages contain the sudo utility which allows system administrators to provide certain users with the permission to execute privileged commands, which are used for system management purposes, without having to log in as root. Security Fix(es) : * A flaw was found in the way sudo parsed tty information from the process status file in the proc filesystem. A local user with privileges to execute commands via sudo could use this flaw to escalate their privileges to root. (CVE-2017-1000367) Red Hat would like to thank Qualys Security for reporting this issue.
    last seen2020-06-01
    modified2020-06-02
    plugin id100528
    published2017-05-31
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/100528
    titleOracle Linux 6 / 7 : sudo (ELSA-2017-1382)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2017-1450-1.NASL
    descriptionThis update for sudo fixes the following issues: CVE-2017-1000367 : - Due to incorrect assumptions in /proc/[pid]/stat parsing, a local attacker can pretend that his tty is any file on the filesystem, thus gaining arbitrary file write access on SELinux-enabled systems. [bsc#1039361] - Fix FQDN for hostname. [bsc#1024145] - Filter netgroups, they aren
    last seen2020-06-01
    modified2020-06-02
    plugin id100543
    published2017-05-31
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/100543
    titleSUSE SLED12 / SLES12 Security Update : sudo (SUSE-SU-2017:1450-1)
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20170530_SUDO_ON_SL6_X.NASL
    descriptionSecurity Fix(es) : - A flaw was found in the way sudo parsed tty information from the process status file in the proc filesystem. A local user with privileges to execute commands via sudo could use this flaw to escalate their privileges to root. (CVE-2017-1000367)
    last seen2020-03-18
    modified2017-05-31
    plugin id100537
    published2017-05-31
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/100537
    titleScientific Linux Security Update : sudo on SL6.x, SL7.x i386/x86_64 (20170530)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2017-1446-1.NASL
    descriptionThis update for sudo fixes the following issues: CVE-2017-1000367 : - Due to incorrect assumptions in /proc/[pid]/stat parsing, a local attacker can pretend that his tty is any file on the filesystem, thus gaining arbitrary file write access on SELinux-enabled systems. [bsc#1039361] - Fix FQDN for hostname. [bsc#1024145] - Filter netgroups, they aren
    last seen2020-06-01
    modified2020-06-02
    plugin id100542
    published2017-05-31
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/100542
    titleSUSE SLED12 / SLES12 Security Update : sudo (SUSE-SU-2017:1446-1)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2017-1627-1.NASL
    descriptionThis update for sudo fixes the following issues : - CVE-2017-1000368: A follow-up fix to CVE-2017-1000367, the Linux process name could also contain a newline, which could be used to trick sudo to read/write to an arbitrary open terminal. (bsc#1042146) Also the following non security bug was fixed : - Link the
    last seen2020-06-01
    modified2020-06-02
    plugin id100953
    published2017-06-21
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/100953
    titleSUSE SLES12 Security Update : sudo (SUSE-SU-2017:1627-1)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-1449.NASL
    descriptionAccording to the versions of the sudo package installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : - It was found that the original fix for CVE-2017-1000367 was incomplete. A flaw was found in the way sudo parsed tty information from the process status file in the proc filesystem. A local user with privileges to execute commands via sudo could use this flaw to escalate their privileges to root.(CVE-2017-1000368) - A flaw was found in the way sudo parsed tty information from the process status file in the proc filesystem. A local user with privileges to execute commands via sudo could use this flaw to escalate their privileges to root.(CVE-2017-1000367) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id124952
    published2019-05-14
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/124952
    titleEulerOS Virtualization 3.0.1.0 : sudo (EulerOS-SA-2019-1449)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2017-1574.NASL
    descriptionAn update for sudo is now available for Red Hat Enterprise Linux 5 Extended Lifecycle Support, Red Hat Enterprise Linux 6, and Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The sudo packages contain the sudo utility which allows system administrators to provide certain users with the permission to execute privileged commands, which are used for system management purposes, without having to log in as root. Security Fix(es) : * It was found that the original fix for CVE-2017-1000367 was incomplete. A flaw was found in the way sudo parsed tty information from the process status file in the proc filesystem. A local user with privileges to execute commands via sudo could use this flaw to escalate their privileges to root. (CVE-2017-1000368)
    last seen2020-06-01
    modified2020-06-02
    plugin id101023
    published2017-06-23
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/101023
    titleRHEL 6 / 7 : sudo (RHSA-2017:1574)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2017-1381.NASL
    descriptionAn update for sudo is now available for Red Hat Enterprise Linux 5 Extended Lifecycle Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The sudo packages contain the sudo utility which allows system administrators to provide certain users with the permission to execute privileged commands, which are used for system management purposes, without having to log in as root. Security Fix(es) : * A flaw was found in the way sudo parsed tty information from the process status file in the proc filesystem. A local user with privileges to execute commands via sudo could use this flaw to escalate their privileges to root. (CVE-2017-1000367) Red Hat would like to thank Qualys Security for reporting this issue.
    last seen2020-06-01
    modified2020-06-02
    plugin id100587
    published2017-06-02
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/100587
    titleRHEL 5 : sudo (RHSA-2017:1381)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2017-1106.NASL
    descriptionAccording to the version of the sudo package installed, the EulerOS installation on the remote host is affected by the following vulnerability : - A flaw was found in the way sudo parsed tty information from the process status file in the proc filesystem. A local user with privileges to execute commands via sudo could use this flaw to escalate their privileges to root. (CVE-2017-1000367) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-05-06
    modified2017-06-09
    plugin id100699
    published2017-06-09
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/100699
    titleEulerOS 2.0 SP1 : sudo (EulerOS-SA-2017-1106)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2017-1381.NASL
    descriptionFrom Red Hat Security Advisory 2017:1381 : An update for sudo is now available for Red Hat Enterprise Linux 5 Extended Lifecycle Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The sudo packages contain the sudo utility which allows system administrators to provide certain users with the permission to execute privileged commands, which are used for system management purposes, without having to log in as root. Security Fix(es) : * A flaw was found in the way sudo parsed tty information from the process status file in the proc filesystem. A local user with privileges to execute commands via sudo could use this flaw to escalate their privileges to root. (CVE-2017-1000367) Red Hat would like to thank Qualys Security for reporting this issue.
    last seen2020-06-01
    modified2020-06-02
    plugin id100613
    published2017-06-05
    reporterThis script is Copyright (C) 2017-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/100613
    titleOracle Linux 5 : sudo (ELSA-2017-1381)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2017-744.NASL
    descriptionThis update for sudo fixes the following security issue : - CVE-2017-1000368: A follow-up fix to CVE-2017-1000367, the Linux process name could also contain a newline, which could be used to trick sudo to read/write to an arbitrary open terminal. (bsc#1042146) Also the following non security bug was fixed : - Link the
    last seen2020-06-05
    modified2017-06-30
    plugin id101137
    published2017-06-30
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/101137
    titleopenSUSE Security Update : sudo (openSUSE-2017-744)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3304-1.NASL
    descriptionIt was discovered that Sudo did not properly parse the contents of /proc/[pid]/stat when attempting to determine its controlling tty. A local attacker in some configurations could possibly use this to overwrite any file on the filesystem, bypassing intended permissions. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id100549
    published2017-05-31
    reporterUbuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/100549
    titleUbuntu 14.04 LTS / 16.04 LTS / 16.10 / 17.04 : sudo vulnerability (USN-3304-1)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2017-1382.NASL
    descriptionAn update for sudo is now available for Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The sudo packages contain the sudo utility which allows system administrators to provide certain users with the permission to execute privileged commands, which are used for system management purposes, without having to log in as root. Security Fix(es) : * A flaw was found in the way sudo parsed tty information from the process status file in the proc filesystem. A local user with privileges to execute commands via sudo could use this flaw to escalate their privileges to root. (CVE-2017-1000367) Red Hat would like to thank Qualys Security for reporting this issue.
    last seen2020-06-01
    modified2020-06-02
    plugin id100534
    published2017-05-31
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/100534
    titleRHEL 6 / 7 : sudo (RHSA-2017:1382)
  • NASL familyOracleVM Local Security Checks
    NASL idORACLEVM_OVMSA-2017-0125.NASL
    descriptionThe remote OracleVM system is missing necessary patches to address critical security updates : - Fix (CVE-2017-1000368) - Fix (CVE-2017-1000367)
    last seen2020-06-01
    modified2020-06-02
    plugin id102063
    published2017-07-31
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/102063
    titleOracleVM 3.2 : sudo (OVMSA-2017-0125)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2017-1121.NASL
    descriptionAccording to the version of the sudo package installed, the EulerOS installation on the remote host is affected by the following vulnerability : - It was found that the original fix for CVE-2017-1000367 was incomplete. A flaw was found in the way sudo parsed tty information from the process status file in the proc filesystem. A local user with privileges to execute commands via sudo could use this flaw to escalate their privileges to root. (CVE-2017-1000368) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-05-06
    modified2017-07-10
    plugin id101309
    published2017-07-10
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/101309
    titleEulerOS 2.0 SP2 : sudo (EulerOS-SA-2017-1121)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2017-1574.NASL
    descriptionFrom Red Hat Security Advisory 2017:1574 : An update for sudo is now available for Red Hat Enterprise Linux 5 Extended Lifecycle Support, Red Hat Enterprise Linux 6, and Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The sudo packages contain the sudo utility which allows system administrators to provide certain users with the permission to execute privileged commands, which are used for system management purposes, without having to log in as root. Security Fix(es) : * It was found that the original fix for CVE-2017-1000367 was incomplete. A flaw was found in the way sudo parsed tty information from the process status file in the proc filesystem. A local user with privileges to execute commands via sudo could use this flaw to escalate their privileges to root. (CVE-2017-1000368)
    last seen2020-06-01
    modified2020-06-02
    plugin id101022
    published2017-06-23
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/101022
    titleOracle Linux 6 / 7 : sudo (ELSA-2017-1574)
  • NASL familySlackware Local Security Checks
    NASL idSLACKWARE_SSA_2017-150-01.NASL
    descriptionNew sudo packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, 14.2, and -current to fix a security issue.
    last seen2020-06-01
    modified2020-06-02
    plugin id100512
    published2017-05-31
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/100512
    titleSlackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / 14.2 / current : sudo (SSA:2017-150-01)
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-201705-15.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-201705-15 (sudo: Privilege escalation) Qualys discovered a vulnerability in sudo&rsquo;s get_process_ttyname() for Linux, that via sudo_ttyname_scan() can be directed to use a user-controlled, arbitrary tty device during its traversal of &ldquo;/dev&rdquo; by utilizing the world-writable /dev/shm. For further information, please see the Qualys Security Advisory Impact : A local attacker can pretend that his tty is any character device on the filesystem, and after two race conditions, an attacker can pretend that the controlled tty is any file on the filesystem allowing for privilege escalation Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id100523
    published2017-05-31
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/100523
    titleGLSA-201705-15 : sudo: Privilege escalation
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2017-636.NASL
    descriptionThis update for sudo fixes the following issues : CVE-2017-1000367 : - Due to incorrect assumptions in /proc/[pid]/stat parsing, a local attacker can pretend that his tty is any file on the filesystem, thus gaining arbitrary file write access on SELinux-enabled systems. [bsc#1039361] - Fix FQDN for hostname. [bsc#1024145] - Filter netgroups, they aren
    last seen2020-06-05
    modified2017-05-31
    plugin id100524
    published2017-05-31
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/100524
    titleopenSUSE Security Update : sudo (openSUSE-2017-636)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2017-1574.NASL
    descriptionAn update for sudo is now available for Red Hat Enterprise Linux 5 Extended Lifecycle Support, Red Hat Enterprise Linux 6, and Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The sudo packages contain the sudo utility which allows system administrators to provide certain users with the permission to execute privileged commands, which are used for system management purposes, without having to log in as root. Security Fix(es) : * It was found that the original fix for CVE-2017-1000367 was incomplete. A flaw was found in the way sudo parsed tty information from the process status file in the proc filesystem. A local user with privileges to execute commands via sudo could use this flaw to escalate their privileges to root. (CVE-2017-1000368)
    last seen2020-06-01
    modified2020-06-02
    plugin id101005
    published2017-06-23
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/101005
    titleCentOS 6 / 7 : sudo (CESA-2017:1574)
  • NASL familyAmazon Linux Local Security Checks
    NASL idALA_ALAS-2017-843.NASL
    descriptionA flaw was found in the way sudo parsed tty information from the process status file in the proc filesystem. A local user with privileges to execute commands via sudo could use this flaw to escalate their privileges to root. (CVE-2017-1000367)
    last seen2020-06-01
    modified2020-06-02
    plugin id100644
    published2017-06-07
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/100644
    titleAmazon Linux AMI : sudo (ALAS-2017-843)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2017-54580EFA82.NASL
    description - update to 1.8.20p2 - added sudo package to dnf/yum protected packages ---- - update to 1.8.20p1 - fixes CVE-2017-1000367 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2017-06-05
    plugin id100605
    published2017-06-05
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/100605
    titleFedora 25 : sudo (2017-54580efa82)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DLA-970.NASL
    descriptionThe Qualys Security team discovered that sudo, a program designed to provide limited super user privileges to specific users, does not properly parse
    last seen2020-03-17
    modified2017-05-31
    plugin id100519
    published2017-05-31
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/100519
    titleDebian DLA-970-1 : sudo security update
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-3867.NASL
    descriptionThe Qualys Security team discovered that sudo, a program designed to provide limited super user privileges to specific users, does not properly parse
    last seen2020-06-01
    modified2020-06-02
    plugin id100521
    published2017-05-31
    reporterThis script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/100521
    titleDebian DSA-3867-1 : sudo - security update
  • NASL familyOracleVM Local Security Checks
    NASL idORACLEVM_OVMSA-2017-0110.NASL
    descriptionThe remote OracleVM system is missing necessary patches to address critical security updates : - Fixes (CVE-2017-1000367) Resolves: rhbz#1455399 - Update noexec syscall blacklist - Fixes (CVE-2016-7032, CVE-2016-7076) Resolves: rhbz#1391938 - RHEL-6.9 erratum - Fix race condition when creating /var/log/sudo-io direcotry Resolves: rhbz#1365156
    last seen2020-06-01
    modified2020-06-02
    plugin id100530
    published2017-05-31
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/100530
    titleOracleVM 3.3 / 3.4 : sudo (OVMSA-2017-0110)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2017-1120.NASL
    descriptionAccording to the version of the sudo package installed, the EulerOS installation on the remote host is affected by the following vulnerability : - It was found that the original fix for CVE-2017-1000367 was incomplete. A flaw was found in the way sudo parsed tty information from the process status file in the proc filesystem. A local user with privileges to execute commands via sudo could use this flaw to escalate their privileges to root. (CVE-2017-1000368) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-05-06
    modified2017-07-10
    plugin id101308
    published2017-07-10
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/101308
    titleEulerOS 2.0 SP1 : sudo (EulerOS-SA-2017-1120)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DLA-1011.NASL
    descriptionTodd Miller
    last seen2020-03-17
    modified2017-07-05
    plugin id101210
    published2017-07-05
    reporterThis script is Copyright (C) 2017-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/101210
    titleDebian DLA-1011-1 : sudo security update
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2017-1382.NASL
    descriptionAn update for sudo is now available for Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The sudo packages contain the sudo utility which allows system administrators to provide certain users with the permission to execute privileged commands, which are used for system management purposes, without having to log in as root. Security Fix(es) : * A flaw was found in the way sudo parsed tty information from the process status file in the proc filesystem. A local user with privileges to execute commands via sudo could use this flaw to escalate their privileges to root. (CVE-2017-1000367) Red Hat would like to thank Qualys Security for reporting this issue.
    last seen2020-06-01
    modified2020-06-02
    plugin id100558
    published2017-06-01
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/100558
    titleCentOS 6 / 7 : sudo (CESA-2017:1382)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2017-1626-1.NASL
    descriptionThis update for sudo fixes the following security issue : - CVE-2017-1000368: A follow-up fix to CVE-2017-1000367, the Linux process name could also contain a newline, which could be used to trick sudo to read/write to an arbitrary open terminal. (bsc#1042146) Also the following non security bug was fixed : - Link the
    last seen2020-06-01
    modified2020-06-02
    plugin id100952
    published2017-06-21
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/100952
    titleSUSE SLED12 / SLES12 Security Update : sudo (SUSE-SU-2017:1626-1)
  • NASL familyNewStart CGSL Local Security Checks
    NASL idNEWSTART_CGSL_NS-SA-2019-0102_SUDO.NASL
    descriptionThe remote NewStart CGSL host, running version MAIN 4.05, has sudo packages installed that are affected by a vulnerability: - It was found that the original fix for CVE-2017-1000367 was incomplete. A flaw was found in the way sudo parsed tty information from the process status file in the proc filesystem. A local user with privileges to execute commands via sudo could use this flaw to escalate their privileges to root. (CVE-2017-1000368) Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen2020-06-01
    modified2020-06-02
    plugin id127331
    published2019-08-12
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/127331
    titleNewStart CGSL MAIN 4.05 : sudo Vulnerability (NS-SA-2019-0102)
  • NASL familyPhotonOS Local Security Checks
    NASL idPHOTONOS_PHSA-2017-0021_SUDO.NASL
    descriptionAn update of the sudo package has been released.
    last seen2020-03-17
    modified2019-02-07
    plugin id121703
    published2019-02-07
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/121703
    titlePhoton OS 1.0: Sudo PHSA-2017-0021
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2017-1107.NASL
    descriptionAccording to the version of the sudo package installed, the EulerOS installation on the remote host is affected by the following vulnerability : - A flaw was found in the way sudo parsed tty information from the process status file in the proc filesystem. A local user with privileges to execute commands via sudo could use this flaw to escalate their privileges to root. (CVE-2017-1000367) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-05-06
    modified2017-06-09
    plugin id100700
    published2017-06-09
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/100700
    titleEulerOS 2.0 SP2 : sudo (EulerOS-SA-2017-1107)
  • NASL familyJunos Local Security Checks
    NASL idJUNIPER_SPACE_JSA_10826.NASL
    descriptionAccording to its self-reported version number, the version of Junos Space running on the remote device is < 17.1R1, and is therefore affected by multiple vulnerabilities.
    last seen2020-06-01
    modified2020-06-02
    plugin id104100
    published2017-10-23
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/104100
    titleJuniper Junos Space < 17.1R1 Multiple Vulnerabilities (JSA10826)
  • NASL familyVirtuozzo Local Security Checks
    NASL idVIRTUOZZO_VZLSA-2017-1382.NASL
    descriptionAn update for sudo is now available for Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The sudo packages contain the sudo utility which allows system administrators to provide certain users with the permission to execute privileged commands, which are used for system management purposes, without having to log in as root. Security Fix(es) : * A flaw was found in the way sudo parsed tty information from the process status file in the proc filesystem. A local user with privileges to execute commands via sudo could use this flaw to escalate their privileges to root. (CVE-2017-1000367) Red Hat would like to thank Qualys Security for reporting this issue. Note that Tenable Network Security has attempted to extract the preceding description block directly from the corresponding Red Hat security advisory. Virtuozzo provides no description for VZLSA advisories. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id101478
    published2017-07-13
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/101478
    titleVirtuozzo 6 : sudo / sudo-devel (VZLSA-2017-1382)
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20170623_SUDO_ON_SL6_X.NASL
    descriptionSecurity Fix(es) : - It was found that the original fix for CVE-2017-1000367 was incomplete. A flaw was found in the way sudo parsed tty information from the process status file in the proc filesystem. A local user with privileges to execute commands via sudo could use this flaw to escalate their privileges to root. (CVE-2017-1000368)
    last seen2020-03-18
    modified2017-06-26
    plugin id101041
    published2017-06-26
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/101041
    titleScientific Linux Security Update : sudo on SL6.x, SL7.x i386/x86_64 (20170623)
  • NASL familyNewStart CGSL Local Security Checks
    NASL idNEWSTART_CGSL_NS-SA-2019-0097_SUDO.NASL
    descriptionThe remote NewStart CGSL host, running version MAIN 4.05, has sudo packages installed that are affected by a vulnerability: - A flaw was found in the way sudo parsed tty information from the process status file in the proc filesystem. A local user with privileges to execute commands via sudo could use this flaw to escalate their privileges to root. (CVE-2017-1000367) Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen2020-06-01
    modified2020-06-02
    plugin id127322
    published2019-08-12
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/127322
    titleNewStart CGSL MAIN 4.05 : sudo Vulnerability (NS-SA-2019-0097)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2017-FACD994774.NASL
    description - update to 1.8.20p2 - added sudo package to dnf/yum protected packages ---- - update to 1.8.20p1 - fixes CVE-2017-1000367 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2017-06-09
    plugin id100705
    published2017-06-09
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/100705
    titleFedora 24 : sudo (2017-facd994774)

Packetstorm

data sourcehttps://packetstormsecurity.com/files/download/142783/QSA-20170601-2.txt
idPACKETSTORM:142783
last seen2017-06-03
published2017-06-02
reporterqualys.com
sourcehttps://packetstormsecurity.com/files/142783/Sudo-get_process_ttyname-Race-Condition.html
titleSudo get_process_ttyname() Race Condition

Redhat

advisories
  • bugzilla
    id1453074
    titleCVE-2017-1000367 sudo: Privilege escalation in via improper get_process_ttyname() parsing
    oval
    OR
    • commentRed Hat Enterprise Linux must be installed
      ovaloval:com.redhat.rhba:tst:20070304026
    • AND
      • commentRed Hat Enterprise Linux 5 is installed
        ovaloval:com.redhat.rhba:tst:20070331005
      • commentsudo is earlier than 0:1.7.2p1-30.el5_11
        ovaloval:com.redhat.rhsa:tst:20171381001
      • commentsudo is signed with Red Hat redhatrelease key
        ovaloval:com.redhat.rhsa:tst:20090267002
    rhsa
    idRHSA-2017:1381
    released2017-05-30
    severityImportant
    titleRHSA-2017:1381: sudo security update (Important)
  • bugzilla
    id1453074
    titleCVE-2017-1000367 sudo: Privilege escalation in via improper get_process_ttyname() parsing
    oval
    OR
    • commentRed Hat Enterprise Linux must be installed
      ovaloval:com.redhat.rhba:tst:20070304026
    • AND
      • commentRed Hat Enterprise Linux 6 is installed
        ovaloval:com.redhat.rhba:tst:20111656003
      • OR
        • AND
          • commentsudo-devel is earlier than 0:1.8.6p3-28.el6_9
            ovaloval:com.redhat.rhsa:tst:20171382001
          • commentsudo-devel is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhba:tst:20130363002
        • AND
          • commentsudo is earlier than 0:1.8.6p3-28.el6_9
            ovaloval:com.redhat.rhsa:tst:20171382003
          • commentsudo is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhba:tst:20130363004
    • AND
      • commentRed Hat Enterprise Linux 7 is installed
        ovaloval:com.redhat.rhba:tst:20150364027
      • OR
        • AND
          • commentsudo-devel is earlier than 0:1.8.6p7-22.el7_3
            ovaloval:com.redhat.rhsa:tst:20171382006
          • commentsudo-devel is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhba:tst:20130363002
        • AND
          • commentsudo is earlier than 0:1.8.6p7-22.el7_3
            ovaloval:com.redhat.rhsa:tst:20171382007
          • commentsudo is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhba:tst:20130363004
    rhsa
    idRHSA-2017:1382
    released2017-05-30
    severityImportant
    titleRHSA-2017:1382: sudo security update (Important)
rpms
  • sudo-0:1.7.2p1-30.el5_11
  • sudo-debuginfo-0:1.7.2p1-30.el5_11
  • sudo-0:1.8.6p3-28.el6_9
  • sudo-0:1.8.6p7-22.el7_3
  • sudo-debuginfo-0:1.8.6p3-28.el6_9
  • sudo-debuginfo-0:1.8.6p7-22.el7_3
  • sudo-devel-0:1.8.6p3-28.el6_9
  • sudo-devel-0:1.8.6p7-22.el7_3

Seebug

bulletinFamilyexploit
description======================================================================== Contents ======================================================================== Analysis Exploitation Example Acknowledgments ======================================================================== Analysis ======================================================================== We discovered a vulnerability in Sudo's get_process_ttyname() for Linux: this function opens "/proc/[pid]/stat" (man proc) and reads the device number of the tty from field 7 (tty_nr). Unfortunately, these fields are space-separated and field 2 (comm, the filename of the command) can contain spaces (CVE-2017-1000367). For example, if we execute Sudo through the symlink "./ 1 ", get_process_ttyname() calls sudo_ttyname_dev() to search for the non-existent tty device number "1" in the built-in search_devs[]. Next, sudo_ttyname_dev() calls the function sudo_ttyname_scan() to search for this non-existent tty device number "1" in a breadth-first traversal of "/dev". Last, we exploit this function during its traversal of the world-writable "/dev/shm": through this vulnerability, a local user can pretend that his tty is any character device on the filesystem, and after two race conditions, he can pretend that his tty is any file on the filesystem. On an SELinux-enabled system, if a user is Sudoer for a command that does not grant him full root privileges, he can overwrite any file on the filesystem (including root-owned files) with his command's output, because relabel_tty() (in src/selinux.c) calls open(O_RDWR|O_NONBLOCK) on his tty and dup2()s it to the command's stdin, stdout, and stderr. This allows any Sudoer user to obtain full root privileges. ======================================================================== Exploitation ======================================================================== To exploit this vulnerability, we: - create a directory "/dev/shm/_tmp" (to work around /proc/sys/fs/protected_symlinks), and a symlink "/dev/shm/_tmp/_tty" to a non-existent pty "/dev/pts/57", whose device number is 34873; - run Sudo through a symlink "/dev/shm/_tmp/ 34873 " that spoofs the device number of this non-existent pty; - set the flag CD_RBAC_ENABLED through the command-line option "-r role" (where "role" can be our current role, for example "unconfined_r"); - monitor our directory "/dev/shm/_tmp" (for an IN_OPEN inotify event) and wait until Sudo opendir()s it (because sudo_ttyname_dev() cannot find our non-existent pty in "/dev/pts/"); - SIGSTOP Sudo, call openpty() until it creates our non-existent pty, and SIGCONT Sudo; - monitor our directory "/dev/shm/_tmp" (for an IN_CLOSE_NOWRITE inotify event) and wait until Sudo closedir()s it; - SIGSTOP Sudo, replace the symlink "/dev/shm/_tmp/_tty" to our now-existent pty with a symlink to the file that we want to overwrite (for example "/etc/passwd"), and SIGCONT Sudo; - control the output of the command executed by Sudo (the output that overwrites "/etc/passwd"): . either through a command-specific method; . or through a general method such as "--\nHELLO\nWORLD\n" (by default, getopt() prints an error message to stderr if it does not recognize an option character). To reliably win the two SIGSTOP races, we preempt the Sudo process: we setpriority() it to the lowest priority, sched_setscheduler() it to SCHED_IDLE, and sched_setaffinity() it to the same CPU as our exploit. ======================================================================== Example ======================================================================== We will publish our Sudoer-to-root exploit (Linux_sudo_CVE-2017-1000367.c) in the near future: [[email protected] ~]$ head -n 8 /etc/passwd ``` root:x:0:0:root:/root:/bin/bash bin:x:1:1:bin:/bin:/sbin/nologin daemon:x:2:2:daemon:/sbin:/sbin/nologin adm:x:3:4:adm:/var/adm:/sbin/nologin lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin sync:x:5:0:sync:/sbin:/bin/sync shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown halt:x:7:0:halt:/sbin:/sbin/halt ``` ` [[email protected] ~]$ sudo -l ``` [sudo] password for john: ... User john may run the following commands on localhost: (ALL) /usr/bin/sum ``` [[email protected] ~]$ ./Linux_sudo_CVE-2017-1000367 /usr/bin/sum $'--\nHELLO\nWORLD\n' `[sudo] password for john:` [[email protected] ~]$ head -n 8 /etc/passwd ``` /usr/bin/sum: unrecognized option '-- HELLO WORLD ' Try '/usr/bin/sum --help' for more information. ogin adm:x:3:4:adm:/var/adm:/sbin/nologin lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin ``` ======================================================================== Acknowledgments ======================================================================== We thank Todd C. Miller for his great work and quick response, and the members of the distros list for their help with the disclosure of this vulnerability.
idSSV:93165
last seen2017-11-19
modified2017-05-31
published2017-05-31
reporterRoot
sourcehttps://www.seebug.org/vuldb/ssvid-93165
titleCVE-2017-1000367 in Sudo's get_process_ttyname() for Linux

The Hacker News

idTHN:2E3849E605A5C7990158F1BD04789BB7
last seen2018-01-27
modified2017-06-01
published2017-05-31
reporterMohit Kumar
sourcehttps://thehackernews.com/2017/05/linux-sudo-root-hack.html
titleHigh-Severity Linux Sudo Flaw Allows Users to Gain Root Privileges

References