Vulnerabilities > CVE-2019-18634 - Out-of-bounds Write vulnerability in multiple products

047910
CVSS 7.8 - HIGH
Attack vector
LOCAL
Attack complexity
LOW
Privileges required
LOW
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
local
low complexity
sudo-project
debian
CWE-787
nessus
exploit available

Summary

In Sudo before 1.8.26, if pwfeedback is enabled in /etc/sudoers, users can trigger a stack-based buffer overflow in the privileged sudo process. (pwfeedback is a default setting in Linux Mint and elementary OS; however, it is NOT the default for upstream and many other packages, and would exist only if enabled by an administrator.) The attacker needs to deliver a long string to the stdin of getln() in tgetpass.c.

Common Weakness Enumeration (CWE)

Exploit-Db

idEDB-ID:47995
last seen2020-02-04
modified2020-02-04
published2020-02-04
reporterExploit-DB
sourcehttps://www.exploit-db.com/download/47995
titleSudo 1.8.25p - Buffer Overflow

Nessus

  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2020-8B563BC5F4.NASL
    description - update to latest development version 1.9.0b1 - added sudo_logsrvd and sudo_sendlog to files and their appropriate man pages Resolves: rhbz#1787823 - Stack based buffer overflow in when pwfeedback is enabled Resolves: rhbz#1796945 - fixes: CVE-2019-18634 - By using ! character in the shadow file instead of a password hash can access to a run as all sudoer account Resolves: rhbz#1786709 - fixes CVE-2019-19234 - attacker with access to a Runas ALL sudoer account can impersonate a nonexistent user Resolves: rhbz#1786705 - fixes CVE-2019-19232 - setrlimit(RLIMIT_CORE): Operation not permitted warning message fix Resolves: rhbz#1773148 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-03-18
    modified2020-03-06
    plugin id134253
    published2020-03-06
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/134253
    titleFedora 31 : sudo (2020-8b563bc5f4)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2020-0726.NASL
    descriptionAn update for sudo is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The sudo packages contain the sudo utility which allows system administrators to provide certain users with the permission to execute privileged commands, which are used for system management purposes, without having to log in as root. Security Fix(es) : * sudo: Stack based buffer overflow when pwfeedback is enabled (CVE-2019-18634) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
    last seen2020-03-18
    modified2020-03-06
    plugin id134271
    published2020-03-06
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/134271
    titleRHEL 6 : sudo (RHSA-2020:0726)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-4614.NASL
    descriptionJoe Vennix discovered a stack-based buffer overflow vulnerability in sudo, a program designed to provide limited super user privileges to specific users, triggerable when configured with the
    last seen2020-06-01
    modified2020-06-02
    plugin id133417
    published2020-02-03
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/133417
    titleDebian DSA-4614-1 : sudo - security update
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2020-0540.NASL
    descriptionAn update for sudo is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The sudo packages contain the sudo utility which allows system administrators to provide certain users with the permission to execute privileged commands, which are used for system management purposes, without having to log in as root. Security Fix(es) : * sudo: Stack based buffer overflow when pwfeedback is enabled (CVE-2019-18634) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
    last seen2020-03-18
    modified2020-02-19
    plugin id133783
    published2020-02-19
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/133783
    titleRHEL 7 : sudo (RHSA-2020:0540)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2020-0408-1.NASL
    descriptionThis update for sudo fixes the following issues : Security issue fixed : CVE-2019-18634: Fixed a buffer overflow in the passphrase prompt that could occur when pwfeedback was enabled in /etc/sudoers (bsc#1162202). Non-security issue fixed: Fixed an issue where sudo -l would ask for a password even though `listpw` was set to `never` (bsc#1162675). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-03-18
    modified2020-02-20
    plugin id133832
    published2020-02-20
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/133832
    titleSUSE SLED15 / SLES15 Security Update : sudo (SUSE-SU-2020:0408-1)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2020-0406-1.NASL
    descriptionThis update for sudo fixes the following issues : Security issue fixed : CVE-2019-18634: Fixed a buffer overflow in the passphrase prompt that could occur when pwfeedback was enabled in /etc/sudoers (bsc#1162202). Non-security issue fixed: Fixed an issue where sudo -l would ask for a password even though `listpw` was set to `never` (bsc#1162675). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-03-18
    modified2020-02-20
    plugin id133830
    published2020-02-20
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/133830
    titleSUSE SLED12 / SLES12 Security Update : sudo (SUSE-SU-2020:0406-1)
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20200218_SUDO_ON_SL7_X.NASL
    descriptionSecurity Fix(es) : - sudo: Stack based buffer overflow when pwfeedback is enabled (CVE-2019-18634)
    last seen2020-03-18
    modified2020-02-19
    plugin id133789
    published2020-02-19
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/133789
    titleScientific Linux Security Update : sudo on SL7.x x86_64 (20200218)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2020-0726.NASL
    descriptionAn update for sudo is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The sudo packages contain the sudo utility which allows system administrators to provide certain users with the permission to execute privileged commands, which are used for system management purposes, without having to log in as root. Security Fix(es) : * sudo: Stack based buffer overflow when pwfeedback is enabled (CVE-2019-18634) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
    last seen2020-03-17
    modified2020-03-11
    plugin id134385
    published2020-03-11
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/134385
    titleCentOS 6 : sudo (CESA-2020:0726)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2020-0409-1.NASL
    descriptionThis update for sudo fixes the following issues : Security issue fixed : CVE-2019-18634: Fixed a buffer overflow in the passphrase prompt that could occur when pwfeedback was enabled in /etc/sudoers (bsc#1162202). Non-security issue fixed: Fixed an issue where sudo -l would ask for a password even though `listpw` was set to `never` (bsc#1162675). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-03-18
    modified2020-02-20
    plugin id133833
    published2020-02-20
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/133833
    titleSUSE SLES12 Security Update : sudo (SUSE-SU-2020:0409-1)
  • NASL familySlackware Local Security Checks
    NASL idSLACKWARE_SSA_2020-031-01.NASL
    descriptionNew sudo packages are available for Slackware 14.0, 14.1, 14.2, and -current to fix a security issue.
    last seen2020-06-01
    modified2020-06-02
    plugin id133437
    published2020-02-03
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/133437
    titleSlackware 14.0 / 14.1 / 14.2 / current : sudo (SSA:2020-031-01)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2020-0390-1.NASL
    descriptionThis update for sudo fixes the following issue : Security issue fixed : CVE-2019-18634: Fixed a buffer overflow in the passphrase prompt that could occur when pwfeedback was enabled in /etc/sudoers (bsc#1162202). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-03-18
    modified2020-02-19
    plugin id133790
    published2020-02-19
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/133790
    titleSUSE SLES12 Security Update : sudo (SUSE-SU-2020:0390-1)
  • NASL familyMacOS X Local Security Checks
    NASL idMACOS_HT210919.NASL
    descriptionThe remote host is running a version of macOS / Mac OS X that is 10.15.x prior to 10.15.3, 10.13.x prior to 10.13.6, 10.14.x prior to 10.14.6. It is, therefore, affected by multiple vulnerabilities: - In PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24 and 7.3.x below 7.3.11 in certain configurations of FPM setup it is possible to cause FPM module to write past allocated buffers into the space reserved for FCGI protocol data, thus opening the possibility of remote code execution. (CVE-2019-11043) - An arbitrary code exution vulnerability exists due to a misconfiguration. An authenticated, local attacker can exploit this to execute arbitrary code on the remote host. (CVE-2019-18634) - An arbitrary code exution vulnerability exists due to the ability to process a maliciously crafted image. An unauthenticated, remote attacker can exploit this to execute arbitrary code on the remote host. (CVE-2020-3826 CVE-2020-3827 CVE-2020-3870 CVE-2020-3878) - A privilege escalation vulnerability exists in due to an out-of-bounds read issue. An unauthenticated, remote attacker can exploit this, to gain elevated access to the system. (CVE-2020-3829) - An arbitrary file write vulnerability exists in the handling of symlinks. A malicious program crafted by an attacker can exploit this to overwrite arbitrary files on the remote host. (CVE-2020-3830 CVE-2020-3835 CVE-2020-3855) - An information disclosure vulnerability exists in the access control handling of applications. A malicious application crafted by attacker can exploit this to disclose the kernel memory layout. (CVE-2020-3836) - An arbitrary code exution vulnerability exists due to a memory corruption issue. A malicious application crafted by a remote attacker may be able to execute arbitrary code with kernel privileges on the remote host. (CVE-2020-3837 CVE-2020-3842 CVE-2020-3871) - An arbitrary code exution vulnerability exists due to a permissions logic flaw. A malicious application crafted by a remote attacker may be able to execute arbitrary code with system privileges on the remote host. (CVE-2019-18634 CVE-2020-3854 CVE-2020-3845 CVE-2020-3853 CVE-2020-3857) - An information disclosure vulnerability exists in the input sanitization logic. A malicious application crafted by attacker can exploit this to read restricted memory. (CVE-2020-3839 CVE-2020-3847) - An arbitrary code exution vulnerability exists due to the loading of a maliciously crafted racoon configuration file. An authenticated, local attacker can exploit this to execute arbitrary code on the remote host. (CVE-2020-3840) - A denial of service (DoS) vulnerability exists due to a memory corruption issue. An unauthenticated, remote attacker can exploit this issue, via malicious input, to cause the system to crash, stop responding, or corrupt the kernel memory. (CVE-2020-3843) - An arbitrary code exution vulnerability exists due to either a buffer overflow or out-of-bounds read issue. An authenticated, local attacker can exploit this to execute arbitrary code on the remote host or cause an unexpected application to terminate. (CVE-2020-3846 CVE-2020-3848 CVE-2020-3849 CVE-2020-3850 CVE-2020-3877) - A memory corruption vulnerability exists due to a malicious crafted string. An unauthenticated, remote attacker can exploit this issue, via malicious input, to cause the corruption of the heap memory. (CVE-2020-3856) - An security bypass vulnerability exists in the handling of files from an attacker controlled NFS mount. A remote attacker with local access could search for and open a file from an attacker controlled NFS mount and bypass Gatekeeper Security features. (CVE-2020-3866) - An information disclosure vulnerability exists where an application can read restricted memory. A local, authorized attacker can exploit this to read restricted memory. (CVE-2020-3872 CVE-2020-3875) Note that Nessus has not tested for this issue but has instead relied only on the operating system
    last seen2020-06-12
    modified2020-02-07
    plugin id133531
    published2020-02-07
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/133531
    titlemacOS 10.15.x < 10.15.3 / 10.14.x < 10.14.6 / 10.13.x < 10.13.6
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20200305_SUDO_ON_SL6_X.NASL
    descriptionSecurity Fix(es) : - sudo: Stack based buffer overflow when pwfeedback is enabled (CVE-2019-18634)
    last seen2020-03-18
    modified2020-03-09
    plugin id134346
    published2020-03-09
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/134346
    titleScientific Linux Security Update : sudo on SL6.x i386/x86_64 (20200305)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DLA-2094.NASL
    descriptionA stack-based buffer overflow vulnerability in sudo, a program designed to provide limited super user privileges to specific users, triggerable when configured with the pwfeedback option enabled. An unprivileged user can take advantage of this flaw to obtain full root privileges. For Debian 8
    last seen2020-06-01
    modified2020-06-02
    plugin id133414
    published2020-02-03
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/133414
    titleDebian DLA-2094-1 : sudo security update
  • NASL familyNewStart CGSL Local Security Checks
    NASL idNEWSTART_CGSL_NS-SA-2020-0025_SUDO.NASL
    descriptionThe remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has sudo packages installed that are affected by a vulnerability: - In Sudo before 1.8.26, if pwfeedback is enabled in /etc/sudoers, users can trigger a stack-based buffer overflow in the privileged sudo process. (pwfeedback is a default setting in Linux Mint and elementary OS; however, it is NOT the default for upstream and many other packages, and would exist only if enabled by an administrator.) The attacker needs to deliver a long string to the stdin of getln() in tgetpass.c. (CVE-2019-18634) Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen2020-06-05
    modified2020-05-27
    plugin id136908
    published2020-05-27
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/136908
    titleNewStart CGSL CORE 5.04 / MAIN 5.04 : sudo Vulnerability (NS-SA-2020-0025)
  • NASL familyAmazon Linux Local Security Checks
    NASL idALA_ALAS-2020-1356.NASL
    descriptionIn Sudo before 1.8.26, if pwfeedback is enabled in /etc/sudoers, users can trigger a stack-based buffer overflow in the privileged sudo process. (pwfeedback is a default setting in Linux Mint and elementary OS; however, it is NOT the default for upstream and many other packages, and would exist only if enabled by an administrator.) The attacker needs to deliver a long string to the stdin of getln() in tgetpass.c. (CVE-2019-18634)
    last seen2020-03-23
    modified2020-03-19
    plugin id134682
    published2020-03-19
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/134682
    titleAmazon Linux AMI : sudo (ALAS-2020-1356)
  • NASL familyAmazon Linux Local Security Checks
    NASL idAL2_ALAS-2020-1404.NASL
    descriptionIn Sudo before 1.8.26, if pwfeedback is enabled in /etc/sudoers, users can trigger a stack-based buffer overflow in the privileged sudo process. (pwfeedback is a default setting in Linux Mint and elementary OS; however, it is NOT the default for upstream and many other packages, and would exist only if enabled by an administrator.) The attacker needs to deliver a long string to the stdin of getln() in tgetpass.c.(CVE-2019-18634)
    last seen2020-03-23
    modified2020-03-19
    plugin id134679
    published2020-03-19
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/134679
    titleAmazon Linux 2 : sudo (ALAS-2020-1404)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2020-0540.NASL
    descriptionAn update for sudo is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The sudo packages contain the sudo utility which allows system administrators to provide certain users with the permission to execute privileged commands, which are used for system management purposes, without having to log in as root. Security Fix(es) : * sudo: Stack based buffer overflow when pwfeedback is enabled (CVE-2019-18634) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
    last seen2020-03-17
    modified2020-02-19
    plugin id133770
    published2020-02-19
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/133770
    titleCentOS 7 : sudo (CESA-2020:0540)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-4263-1.NASL
    descriptionJoe Vennix discovered that Sudo incorrectly handled memory operations when the pwfeedback option is enabled. A local attacker could possibly use this issue to obtain unintended access to the administrator account. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id133449
    published2020-02-04
    reporterUbuntu Security Notice (C) 2020 Canonical, Inc. / NASL script (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/133449
    titleUbuntu 16.04 LTS / 18.04 LTS / 19.10 : sudo vulnerability (USN-4263-1)
  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_B4E5F782442D11EA9BA9206A8A720317.NASL
    descriptionTodd C. Miller reports : Sudo
    last seen2020-06-01
    modified2020-06-02
    plugin id133433
    published2020-02-03
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/133433
    titleFreeBSD : sudo -- Potential bypass of Runas user restrictions (b4e5f782-442d-11ea-9ba9-206a8a720317)
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-202003-12.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-202003-12 (sudo: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in sudo. Please review the CVE identifiers referenced below for details. Impact : A local attacker could expose or corrupt memory information, inject code to be run as a root user or cause a Denial of Service condition. Workaround : There is no known workaround at this time.
    last seen2020-03-19
    modified2020-03-16
    plugin id134589
    published2020-03-16
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/134589
    titleGLSA-202003-12 : sudo: Multiple vulnerabilities
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2020-1564.NASL
    descriptionAccording to the versions of the sudo package installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities : - In PHP before 5.6.28 and 7.x before 7.0.13, incorrect handling of various URI components in the URL parser could be used by attackers to bypass hostname-specific URL checks, as demonstrated by evil.example.com:80#@good.example.com/ and evil.example.com:[email protected]/ inputs to the parse_url function (implemented in the php_url_parse_ex function in ext/standard/url.c).(CVE-2019-19234) - In Sudo through 1.8.29, the fact that a user has been blocked (e.g., by using the ! character in the shadow file instead of a password hash) is not considered, allowing an attacker (who has access to a Runas ALL sudoer account) to impersonate any blocked user.(CVE-2019-19232) - In Sudo before 1.8.26, if pwfeedback is enabled in /etc/sudoers, users can trigger a stack-based buffer overflow in the privileged sudo process. (pwfeedback is a default setting in Linux Mint and elementary OS however, it is NOT the default for upstream and many other packages, and would exist only if enabled by an administrator.) The attacker needs to deliver a long string to the stdin of getln() in tgetpass.c.(CVE-2019-18634) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-05-08
    modified2020-05-01
    plugin id136267
    published2020-05-01
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/136267
    titleEulerOS Virtualization for ARM 64 3.0.2.0 : sudo (EulerOS-SA-2020-1564)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2020-1135.NASL
    descriptionAccording to the versions of the sudo package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - ** DISPUTED ** In Sudo through 1.8.29, an attacker with access to a Runas ALL sudoer account can impersonate a nonexistent user by invoking sudo with a numeric uid that is not associated with any user. NOTE: The software maintainer believes that this is not a vulnerability because running a command via sudo as a user not present in the local password database is an intentional feature. Because this behavior surprised some users, sudo 1.8.30 introduced an option to enable/disable this behavior with the default being disabled. However, this does not change the fact that sudo was behaving as intended, and as documented, in earlier versions.(CVE-2019-19232) - ** DISPUTED ** In Sudo through 1.8.29, the fact that a user has been blocked (e.g., by using the ! character in the shadow file instead of a password hash) is not considered, allowing an attacker (who has access to a Runas ALL sudoer account) to impersonate any blocked user. NOTE: The software maintainer believes that this CVE is not valid. Disabling local password authentication for a user is not the same as disabling all access to that user--the user may still be able to login via other means (ssh key, kerberos, etc). Both the Linux shadow(5) and passwd(1) manuals are clear on this. Indeed it is a valid use case to have local accounts that are _only_ accessible via sudo and that cannot be logged into with a password. Sudo 1.8.30 added an optional setting to check the _shell_ of the target user (not the encrypted password!) against the contents of /etc/shells but that is not the same thing as preventing access to users with an invalid password hash.(CVE-2019-19234) - In Sudo before 1.8.26, if pwfeedback is enabled in /etc/sudoers, users can trigger a stack-based buffer overflow in the privileged sudo process. (pwfeedback is a default setting in Linux Mint and elementary OS however, it is NOT the default for upstream and many other packages, and would exist only if enabled by an administrator.) The attacker needs to deliver a long string to the stdin of getln() in tgetpass.c.(CVE-2019-18634) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-05-06
    modified2020-02-24
    plugin id133936
    published2020-02-24
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/133936
    titleEulerOS 2.0 SP5 : sudo (EulerOS-SA-2020-1135)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2020-1349.NASL
    descriptionAccording to the versions of the sudo package installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities : - ** DISPUTED ** In Sudo through 1.8.29, the fact that a user has been blocked (e.g., by using the ! character in the shadow file instead of a password hash) is not considered, allowing an attacker (who has access to a Runas ALL sudoer account) to impersonate any blocked user. NOTE: The software maintainer believes that this CVE is not valid. Disabling local password authentication for a user is not the same as disabling all access to that user--the user may still be able to login via other means (ssh key, kerberos, etc). Both the Linux shadow(5) and passwd(1) manuals are clear on this. Indeed it is a valid use case to have local accounts that are _only_ accessible via sudo and that cannot be logged into with a password. Sudo 1.8.30 added an optional setting to check the _shell_ of the target user (not the encrypted password!) against the contents of /etc/shells but that is not the same thing as preventing access to users with an invalid password hash.(CVE-2019-19234) - ** DISPUTED ** In Sudo through 1.8.29, an attacker with access to a Runas ALL sudoer account can impersonate a nonexistent user by invoking sudo with a numeric uid that is not associated with any user. NOTE: The software maintainer believes that this is not a vulnerability because running a command via sudo as a user not present in the local password database is an intentional feature. Because this behavior surprised some users, sudo 1.8.30 introduced an option to enable/disable this behavior with the default being disabled. However, this does not change the fact that sudo was behaving as intended, and as documented, in earlier versions.(CVE-2019-19232) - In Sudo before 1.8.26, if pwfeedback is enabled in /etc/sudoers, users can trigger a stack-based buffer overflow in the privileged sudo process. (pwfeedback is a default setting in Linux Mint and elementary OS however, it is NOT the default for upstream and many other packages, and would exist only if enabled by an administrator.) The attacker needs to deliver a long string to the stdin of getln() in tgetpass.c.(CVE-2019-18634) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-04-07
    modified2020-04-02
    plugin id135136
    published2020-04-02
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/135136
    titleEulerOS Virtualization for ARM 64 3.0.6.0 : sudo (EulerOS-SA-2020-1349)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2020-1181.NASL
    descriptionAccording to the versions of the sudo package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - In Sudo before 1.8.26, if pwfeedback is enabled in /etc/sudoers, users can trigger a stack-based buffer overflow in the privileged sudo process. (pwfeedback is a default setting in Linux Mint and elementary OS however, it is NOT the default for upstream and many other packages, and would exist only if enabled by an administrator.) The attacker needs to deliver a long string to the stdin of getln() in tgetpass.c.(CVE-2019-18634) - ** DISPUTED ** In Sudo through 1.8.29, an attacker with access to a Runas ALL sudoer account can impersonate a nonexistent user by invoking sudo with a numeric uid that is not associated with any user. NOTE: The software maintainer believes that this is not a vulnerability because running a command via sudo as a user not present in the local password database is an intentional feature. Because this behavior surprised some users, sudo 1.8.30 introduced an option to enable/disable this behavior with the default being disabled. However, this does not change the fact that sudo was behaving as intended, and as documented, in earlier versions.(CVE-2019-19232) - ** DISPUTED ** In Sudo through 1.8.29, the fact that a user has been blocked (e.g., by using the ! character in the shadow file instead of a password hash) is not considered, allowing an attacker (who has access to a Runas ALL sudoer account) to impersonate any blocked user. NOTE: The software maintainer believes that this CVE is not valid. Disabling local password authentication for a user is not the same as disabling all access to that user--the user may still be able to login via other means (ssh key, kerberos, etc). Both the Linux shadow(5) and passwd(1) manuals are clear on this. Indeed it is a valid use case to have local accounts that are _only_ accessible via sudo and that cannot be logged into with a password. Sudo 1.8.30 added an optional setting to check the _shell_ of the target user (not the encrypted password!) against the contents of /etc/shells but that is not the same thing as preventing access to users with an invalid password hash.(CVE-2019-19234) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-05-03
    modified2020-02-25
    plugin id134015
    published2020-02-25
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/134015
    titleEulerOS 2.0 SP8 : sudo (EulerOS-SA-2020-1181)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2020-244.NASL
    descriptionThis update for sudo fixes the following issues : Security issue fixed : - CVE-2019-18634: Fixed a buffer overflow in the passphrase prompt that could occur when pwfeedback was enabled in /etc/sudoers (bsc#1162202). Non-security issue fixed : - Fixed an issue where sudo -l would ask for a password even though `listpw` was set to `never` (bsc#1162675). This update was imported from the SUSE:SLE-15:Update update project.
    last seen2020-03-18
    modified2020-02-26
    plugin id134073
    published2020-02-26
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/134073
    titleopenSUSE Security Update : sudo (openSUSE-2020-244)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2020-0540.NASL
    descriptionFrom Red Hat Security Advisory 2020:0540 : An update for sudo is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The sudo packages contain the sudo utility which allows system administrators to provide certain users with the permission to execute privileged commands, which are used for system management purposes, without having to log in as root. Security Fix(es) : * sudo: Stack based buffer overflow when pwfeedback is enabled (CVE-2019-18634) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
    last seen2020-03-18
    modified2020-02-19
    plugin id133781
    published2020-02-19
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/133781
    titleOracle Linux 7 : sudo (ELSA-2020-0540)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2020-0407-1.NASL
    descriptionThis update for sudo fixes the following issue : Security issue fixed : CVE-2019-18634: Fixed a buffer overflow in the passphrase prompt that could occur when pwfeedback was enabled in /etc/sudoers (bsc#1162202). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-03-18
    modified2020-02-20
    plugin id133831
    published2020-02-20
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/133831
    titleSUSE SLES12 Security Update : sudo (SUSE-SU-2020:0407-1)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2020-1435.NASL
    descriptionAccording to the versions of the sudo package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - In Sudo through 1.8.29, an attacker with access to a Runas ALL sudoer account can impersonate a nonexistent user by invoking sudo with a numeric uid that is not associated with any user. NOTE: The software maintainer believes that this is not a vulnerability because running a command via sudo as a user not present in the local password database is an intentional feature. Because this behavior surprised some users, sudo 1.8.30 introduced an option to enable/disable this behavior with the default being disabled. However, this does not change the fact that sudo was behaving as intended, and as documented, in earlier versions.(CVE-2019-19232) - In Sudo through 1.8.29, the fact that a user has been blocked (e.g., by using the ! character in the shadow file instead of a password hash) is not considered, allowing an attacker (who has access to a Runas ALL sudoer account) to impersonate any blocked user. NOTE: The software maintainer believes that this CVE is not valid. Disabling local password authentication for a user is not the same as disabling all access to that user--the user may still be able to login via other means (ssh key, kerberos, etc). Both the Linux shadow(5) and passwd(1) manuals are clear on this. Indeed it is a valid use case to have local accounts that are _only_ accessible via sudo and that cannot be logged into with a password. Sudo 1.8.30 added an optional setting to check the _shell_ of the target user (not the encrypted password!) against the contents of /etc/shells but that is not the same thing as preventing access to users with an invalid password hash.(CVE-2019-19234) - In Sudo before 1.8.26, if pwfeedback is enabled in /etc/sudoers, users can trigger a stack-based buffer overflow in the privileged sudo process. (pwfeedback is a default setting in Linux Mint and elementary OS however, it is NOT the default for upstream and many other packages, and would exist only if enabled by an administrator.) The attacker needs to deliver a long string to the stdin of getln() in tgetpass.c.(CVE-2019-18634) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-05-06
    modified2020-04-15
    plugin id135564
    published2020-04-15
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/135564
    titleEulerOS 2.0 SP3 : sudo (EulerOS-SA-2020-1435)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2020-0509.NASL
    descriptionAn update for sudo is now available for Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The sudo packages contain the sudo utility which allows system administrators to provide certain users with the permission to execute privileged commands, which are used for system management purposes, without having to log in as root. Security Fix(es) : * sudo: Stack based buffer overflow when pwfeedback is enabled (CVE-2019-18634) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id133713
    published2020-02-14
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/133713
    titleRHEL 8 : sudo (RHSA-2020:0509)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2020-0726.NASL
    descriptionFrom Red Hat Security Advisory 2020:0726 : An update for sudo is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The sudo packages contain the sudo utility which allows system administrators to provide certain users with the permission to execute privileged commands, which are used for system management purposes, without having to log in as root. Security Fix(es) : * sudo: Stack based buffer overflow when pwfeedback is enabled (CVE-2019-18634) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
    last seen2020-03-18
    modified2020-03-09
    plugin id134341
    published2020-03-09
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/134341
    titleOracle Linux 6 : sudo (ELSA-2020-0726)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2020-0487.NASL
    descriptionAn update for sudo is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The sudo packages contain the sudo utility which allows system administrators to provide certain users with the permission to execute privileged commands, which are used for system management purposes, without having to log in as root. Security Fix(es) : * sudo: Stack based buffer overflow when pwfeedback is enabled (CVE-2019-18634) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id133712
    published2020-02-14
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/133712
    titleRHEL 8 : sudo (RHSA-2020:0487)

Packetstorm

data sourcehttps://packetstormsecurity.com/files/download/156189/sudo1825p-overflow.txt
idPACKETSTORM:156189
last seen2020-02-06
published2020-02-04
reporterJoe Vennix
sourcehttps://packetstormsecurity.com/files/156189/Sudo-1.8.25p-Buffer-Overflow.html
titleSudo 1.8.25p Buffer Overflow

Redhat

advisories
  • bugzilla
    id1796944
    titleCVE-2019-18634 sudo: Stack based buffer overflow when pwfeedback is enabled
    oval
    OR
    • commentRed Hat Enterprise Linux must be installed
      ovaloval:com.redhat.rhba:tst:20070304026
    • AND
      • commentRed Hat Enterprise Linux 8 is installed
        ovaloval:com.redhat.rhba:tst:20193384074
      • OR
        • AND
          • commentsudo-debugsource is earlier than 0:1.8.25p1-8.el8_1.1
            ovaloval:com.redhat.rhsa:tst:20200487001
          • commentsudo-debugsource is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20193694002
        • AND
          • commentsudo is earlier than 0:1.8.25p1-8.el8_1.1
            ovaloval:com.redhat.rhsa:tst:20200487003
          • commentsudo is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhba:tst:20130363004
    rhsa
    idRHSA-2020:0487
    released2020-02-14
    severityImportant
    titleRHSA-2020:0487: sudo security update (Important)
  • bugzilla
    id1796944
    titleCVE-2019-18634 sudo: Stack based buffer overflow when pwfeedback is enabled
    oval
    OR
    • commentRed Hat Enterprise Linux must be installed
      ovaloval:com.redhat.rhba:tst:20070304026
    • AND
      • commentRed Hat Enterprise Linux 7 is installed
        ovaloval:com.redhat.rhba:tst:20150364027
      • OR
        • AND
          • commentsudo-devel is earlier than 0:1.8.23-4.el7_7.2
            ovaloval:com.redhat.rhsa:tst:20200540001
          • commentsudo-devel is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhba:tst:20130363002
        • AND
          • commentsudo is earlier than 0:1.8.23-4.el7_7.2
            ovaloval:com.redhat.rhsa:tst:20200540003
          • commentsudo is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhba:tst:20130363004
    rhsa
    idRHSA-2020:0540
    released2020-02-19
    severityImportant
    titleRHSA-2020:0540: sudo security update (Important)
  • bugzilla
    id1796944
    titleCVE-2019-18634 sudo: Stack based buffer overflow when pwfeedback is enabled
    oval
    OR
    • commentRed Hat Enterprise Linux must be installed
      ovaloval:com.redhat.rhba:tst:20070304026
    • AND
      • commentRed Hat Enterprise Linux 6 is installed
        ovaloval:com.redhat.rhba:tst:20111656003
      • OR
        • AND
          • commentsudo is earlier than 0:1.8.6p3-29.el6_10.3
            ovaloval:com.redhat.rhsa:tst:20200726001
          • commentsudo is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhba:tst:20130363004
        • AND
          • commentsudo-devel is earlier than 0:1.8.6p3-29.el6_10.3
            ovaloval:com.redhat.rhsa:tst:20200726003
          • commentsudo-devel is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhba:tst:20130363002
    rhsa
    idRHSA-2020:0726
    released2020-03-05
    severityImportant
    titleRHSA-2020:0726: sudo security update (Important)
  • rhsa
    idRHSA-2020:0509
rpms
  • sudo-0:1.8.25p1-8.el8_1.1
  • sudo-debuginfo-0:1.8.25p1-8.el8_1.1
  • sudo-debugsource-0:1.8.25p1-8.el8_1.1
  • sudo-0:1.8.25p1-4.el8_0.3
  • sudo-debuginfo-0:1.8.25p1-4.el8_0.3
  • sudo-debugsource-0:1.8.25p1-4.el8_0.3
  • sudo-0:1.8.23-4.el7_7.2
  • sudo-debuginfo-0:1.8.23-4.el7_7.2
  • sudo-devel-0:1.8.23-4.el7_7.2
  • sudo-0:1.8.6p3-29.el6_10.3
  • sudo-debuginfo-0:1.8.6p3-29.el6_10.3
  • sudo-devel-0:1.8.6p3-29.el6_10.3

The Hacker News

idTHN:726936F27D7083C4F7A589C56EE66303
last seen2020-02-03
modified2020-02-03
published2020-02-03
reporterThe Hacker News
sourcehttps://thehackernews.com/2020/02/sudo-linux-vulnerability.html
titleSudo Bug Lets Non-Privileged Linux and macOS Users Run Commands as Root

References