Vulnerabilities > CVE-2019-18634 - Out-of-bounds Write vulnerability in multiple products
Attack vector
LOCAL Attack complexity
LOW Privileges required
LOW Confidentiality impact
HIGH Integrity impact
HIGH Availability impact
HIGH Summary
In Sudo before 1.8.26, if pwfeedback is enabled in /etc/sudoers, users can trigger a stack-based buffer overflow in the privileged sudo process. (pwfeedback is a default setting in Linux Mint and elementary OS; however, it is NOT the default for upstream and many other packages, and would exist only if enabled by an administrator.) The attacker needs to deliver a long string to the stdin of getln() in tgetpass.c.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Exploit-Db
id | EDB-ID:47995 |
last seen | 2020-02-04 |
modified | 2020-02-04 |
published | 2020-02-04 |
reporter | Exploit-DB |
source | https://www.exploit-db.com/download/47995 |
title | Sudo 1.8.25p - Buffer Overflow |
Nessus
NASL family Fedora Local Security Checks NASL id FEDORA_2020-8B563BC5F4.NASL description - update to latest development version 1.9.0b1 - added sudo_logsrvd and sudo_sendlog to files and their appropriate man pages Resolves: rhbz#1787823 - Stack based buffer overflow in when pwfeedback is enabled Resolves: rhbz#1796945 - fixes: CVE-2019-18634 - By using ! character in the shadow file instead of a password hash can access to a run as all sudoer account Resolves: rhbz#1786709 - fixes CVE-2019-19234 - attacker with access to a Runas ALL sudoer account can impersonate a nonexistent user Resolves: rhbz#1786705 - fixes CVE-2019-19232 - setrlimit(RLIMIT_CORE): Operation not permitted warning message fix Resolves: rhbz#1773148 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-03-18 modified 2020-03-06 plugin id 134253 published 2020-03-06 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/134253 title Fedora 31 : sudo (2020-8b563bc5f4) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2020-0726.NASL description An update for sudo is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The sudo packages contain the sudo utility which allows system administrators to provide certain users with the permission to execute privileged commands, which are used for system management purposes, without having to log in as root. Security Fix(es) : * sudo: Stack based buffer overflow when pwfeedback is enabled (CVE-2019-18634) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. last seen 2020-03-18 modified 2020-03-06 plugin id 134271 published 2020-03-06 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/134271 title RHEL 6 : sudo (RHSA-2020:0726) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-4614.NASL description Joe Vennix discovered a stack-based buffer overflow vulnerability in sudo, a program designed to provide limited super user privileges to specific users, triggerable when configured with the last seen 2020-06-01 modified 2020-06-02 plugin id 133417 published 2020-02-03 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/133417 title Debian DSA-4614-1 : sudo - security update NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2020-0540.NASL description An update for sudo is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The sudo packages contain the sudo utility which allows system administrators to provide certain users with the permission to execute privileged commands, which are used for system management purposes, without having to log in as root. Security Fix(es) : * sudo: Stack based buffer overflow when pwfeedback is enabled (CVE-2019-18634) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. last seen 2020-03-18 modified 2020-02-19 plugin id 133783 published 2020-02-19 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/133783 title RHEL 7 : sudo (RHSA-2020:0540) NASL family SuSE Local Security Checks NASL id SUSE_SU-2020-0408-1.NASL description This update for sudo fixes the following issues : Security issue fixed : CVE-2019-18634: Fixed a buffer overflow in the passphrase prompt that could occur when pwfeedback was enabled in /etc/sudoers (bsc#1162202). Non-security issue fixed: Fixed an issue where sudo -l would ask for a password even though `listpw` was set to `never` (bsc#1162675). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-03-18 modified 2020-02-20 plugin id 133832 published 2020-02-20 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/133832 title SUSE SLED15 / SLES15 Security Update : sudo (SUSE-SU-2020:0408-1) NASL family SuSE Local Security Checks NASL id SUSE_SU-2020-0406-1.NASL description This update for sudo fixes the following issues : Security issue fixed : CVE-2019-18634: Fixed a buffer overflow in the passphrase prompt that could occur when pwfeedback was enabled in /etc/sudoers (bsc#1162202). Non-security issue fixed: Fixed an issue where sudo -l would ask for a password even though `listpw` was set to `never` (bsc#1162675). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-03-18 modified 2020-02-20 plugin id 133830 published 2020-02-20 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/133830 title SUSE SLED12 / SLES12 Security Update : sudo (SUSE-SU-2020:0406-1) NASL family Scientific Linux Local Security Checks NASL id SL_20200218_SUDO_ON_SL7_X.NASL description Security Fix(es) : - sudo: Stack based buffer overflow when pwfeedback is enabled (CVE-2019-18634) last seen 2020-03-18 modified 2020-02-19 plugin id 133789 published 2020-02-19 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/133789 title Scientific Linux Security Update : sudo on SL7.x x86_64 (20200218) NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2020-0726.NASL description An update for sudo is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The sudo packages contain the sudo utility which allows system administrators to provide certain users with the permission to execute privileged commands, which are used for system management purposes, without having to log in as root. Security Fix(es) : * sudo: Stack based buffer overflow when pwfeedback is enabled (CVE-2019-18634) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. last seen 2020-03-17 modified 2020-03-11 plugin id 134385 published 2020-03-11 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/134385 title CentOS 6 : sudo (CESA-2020:0726) NASL family SuSE Local Security Checks NASL id SUSE_SU-2020-0409-1.NASL description This update for sudo fixes the following issues : Security issue fixed : CVE-2019-18634: Fixed a buffer overflow in the passphrase prompt that could occur when pwfeedback was enabled in /etc/sudoers (bsc#1162202). Non-security issue fixed: Fixed an issue where sudo -l would ask for a password even though `listpw` was set to `never` (bsc#1162675). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-03-18 modified 2020-02-20 plugin id 133833 published 2020-02-20 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/133833 title SUSE SLES12 Security Update : sudo (SUSE-SU-2020:0409-1) NASL family Slackware Local Security Checks NASL id SLACKWARE_SSA_2020-031-01.NASL description New sudo packages are available for Slackware 14.0, 14.1, 14.2, and -current to fix a security issue. last seen 2020-06-01 modified 2020-06-02 plugin id 133437 published 2020-02-03 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/133437 title Slackware 14.0 / 14.1 / 14.2 / current : sudo (SSA:2020-031-01) NASL family SuSE Local Security Checks NASL id SUSE_SU-2020-0390-1.NASL description This update for sudo fixes the following issue : Security issue fixed : CVE-2019-18634: Fixed a buffer overflow in the passphrase prompt that could occur when pwfeedback was enabled in /etc/sudoers (bsc#1162202). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-03-18 modified 2020-02-19 plugin id 133790 published 2020-02-19 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/133790 title SUSE SLES12 Security Update : sudo (SUSE-SU-2020:0390-1) NASL family MacOS X Local Security Checks NASL id MACOS_HT210919.NASL description The remote host is running a version of macOS / Mac OS X that is 10.15.x prior to 10.15.3, 10.13.x prior to 10.13.6, 10.14.x prior to 10.14.6. It is, therefore, affected by multiple vulnerabilities: - In PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24 and 7.3.x below 7.3.11 in certain configurations of FPM setup it is possible to cause FPM module to write past allocated buffers into the space reserved for FCGI protocol data, thus opening the possibility of remote code execution. (CVE-2019-11043) - An arbitrary code exution vulnerability exists due to a misconfiguration. An authenticated, local attacker can exploit this to execute arbitrary code on the remote host. (CVE-2019-18634) - An arbitrary code exution vulnerability exists due to the ability to process a maliciously crafted image. An unauthenticated, remote attacker can exploit this to execute arbitrary code on the remote host. (CVE-2020-3826 CVE-2020-3827 CVE-2020-3870 CVE-2020-3878) - A privilege escalation vulnerability exists in due to an out-of-bounds read issue. An unauthenticated, remote attacker can exploit this, to gain elevated access to the system. (CVE-2020-3829) - An arbitrary file write vulnerability exists in the handling of symlinks. A malicious program crafted by an attacker can exploit this to overwrite arbitrary files on the remote host. (CVE-2020-3830 CVE-2020-3835 CVE-2020-3855) - An information disclosure vulnerability exists in the access control handling of applications. A malicious application crafted by attacker can exploit this to disclose the kernel memory layout. (CVE-2020-3836) - An arbitrary code exution vulnerability exists due to a memory corruption issue. A malicious application crafted by a remote attacker may be able to execute arbitrary code with kernel privileges on the remote host. (CVE-2020-3837 CVE-2020-3842 CVE-2020-3871) - An arbitrary code exution vulnerability exists due to a permissions logic flaw. A malicious application crafted by a remote attacker may be able to execute arbitrary code with system privileges on the remote host. (CVE-2019-18634 CVE-2020-3854 CVE-2020-3845 CVE-2020-3853 CVE-2020-3857) - An information disclosure vulnerability exists in the input sanitization logic. A malicious application crafted by attacker can exploit this to read restricted memory. (CVE-2020-3839 CVE-2020-3847) - An arbitrary code exution vulnerability exists due to the loading of a maliciously crafted racoon configuration file. An authenticated, local attacker can exploit this to execute arbitrary code on the remote host. (CVE-2020-3840) - A denial of service (DoS) vulnerability exists due to a memory corruption issue. An unauthenticated, remote attacker can exploit this issue, via malicious input, to cause the system to crash, stop responding, or corrupt the kernel memory. (CVE-2020-3843) - An arbitrary code exution vulnerability exists due to either a buffer overflow or out-of-bounds read issue. An authenticated, local attacker can exploit this to execute arbitrary code on the remote host or cause an unexpected application to terminate. (CVE-2020-3846 CVE-2020-3848 CVE-2020-3849 CVE-2020-3850 CVE-2020-3877) - A memory corruption vulnerability exists due to a malicious crafted string. An unauthenticated, remote attacker can exploit this issue, via malicious input, to cause the corruption of the heap memory. (CVE-2020-3856) - An security bypass vulnerability exists in the handling of files from an attacker controlled NFS mount. A remote attacker with local access could search for and open a file from an attacker controlled NFS mount and bypass Gatekeeper Security features. (CVE-2020-3866) - An information disclosure vulnerability exists where an application can read restricted memory. A local, authorized attacker can exploit this to read restricted memory. (CVE-2020-3872 CVE-2020-3875) Note that Nessus has not tested for this issue but has instead relied only on the operating system last seen 2020-06-12 modified 2020-02-07 plugin id 133531 published 2020-02-07 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/133531 title macOS 10.15.x < 10.15.3 / 10.14.x < 10.14.6 / 10.13.x < 10.13.6 NASL family Scientific Linux Local Security Checks NASL id SL_20200305_SUDO_ON_SL6_X.NASL description Security Fix(es) : - sudo: Stack based buffer overflow when pwfeedback is enabled (CVE-2019-18634) last seen 2020-03-18 modified 2020-03-09 plugin id 134346 published 2020-03-09 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/134346 title Scientific Linux Security Update : sudo on SL6.x i386/x86_64 (20200305) NASL family Debian Local Security Checks NASL id DEBIAN_DLA-2094.NASL description A stack-based buffer overflow vulnerability in sudo, a program designed to provide limited super user privileges to specific users, triggerable when configured with the pwfeedback option enabled. An unprivileged user can take advantage of this flaw to obtain full root privileges. For Debian 8 last seen 2020-06-01 modified 2020-06-02 plugin id 133414 published 2020-02-03 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/133414 title Debian DLA-2094-1 : sudo security update NASL family NewStart CGSL Local Security Checks NASL id NEWSTART_CGSL_NS-SA-2020-0025_SUDO.NASL description The remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has sudo packages installed that are affected by a vulnerability: - In Sudo before 1.8.26, if pwfeedback is enabled in /etc/sudoers, users can trigger a stack-based buffer overflow in the privileged sudo process. (pwfeedback is a default setting in Linux Mint and elementary OS; however, it is NOT the default for upstream and many other packages, and would exist only if enabled by an administrator.) The attacker needs to deliver a long string to the stdin of getln() in tgetpass.c. (CVE-2019-18634) Note that Nessus has not tested for this issue but has instead relied only on the application last seen 2020-06-05 modified 2020-05-27 plugin id 136908 published 2020-05-27 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/136908 title NewStart CGSL CORE 5.04 / MAIN 5.04 : sudo Vulnerability (NS-SA-2020-0025) NASL family Amazon Linux Local Security Checks NASL id ALA_ALAS-2020-1356.NASL description In Sudo before 1.8.26, if pwfeedback is enabled in /etc/sudoers, users can trigger a stack-based buffer overflow in the privileged sudo process. (pwfeedback is a default setting in Linux Mint and elementary OS; however, it is NOT the default for upstream and many other packages, and would exist only if enabled by an administrator.) The attacker needs to deliver a long string to the stdin of getln() in tgetpass.c. (CVE-2019-18634) last seen 2020-03-23 modified 2020-03-19 plugin id 134682 published 2020-03-19 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/134682 title Amazon Linux AMI : sudo (ALAS-2020-1356) NASL family Amazon Linux Local Security Checks NASL id AL2_ALAS-2020-1404.NASL description In Sudo before 1.8.26, if pwfeedback is enabled in /etc/sudoers, users can trigger a stack-based buffer overflow in the privileged sudo process. (pwfeedback is a default setting in Linux Mint and elementary OS; however, it is NOT the default for upstream and many other packages, and would exist only if enabled by an administrator.) The attacker needs to deliver a long string to the stdin of getln() in tgetpass.c.(CVE-2019-18634) last seen 2020-03-23 modified 2020-03-19 plugin id 134679 published 2020-03-19 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/134679 title Amazon Linux 2 : sudo (ALAS-2020-1404) NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2020-0540.NASL description An update for sudo is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The sudo packages contain the sudo utility which allows system administrators to provide certain users with the permission to execute privileged commands, which are used for system management purposes, without having to log in as root. Security Fix(es) : * sudo: Stack based buffer overflow when pwfeedback is enabled (CVE-2019-18634) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. last seen 2020-03-17 modified 2020-02-19 plugin id 133770 published 2020-02-19 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/133770 title CentOS 7 : sudo (CESA-2020:0540) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-4263-1.NASL description Joe Vennix discovered that Sudo incorrectly handled memory operations when the pwfeedback option is enabled. A local attacker could possibly use this issue to obtain unintended access to the administrator account. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 133449 published 2020-02-04 reporter Ubuntu Security Notice (C) 2020 Canonical, Inc. / NASL script (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/133449 title Ubuntu 16.04 LTS / 18.04 LTS / 19.10 : sudo vulnerability (USN-4263-1) NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_B4E5F782442D11EA9BA9206A8A720317.NASL description Todd C. Miller reports : Sudo last seen 2020-06-01 modified 2020-06-02 plugin id 133433 published 2020-02-03 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/133433 title FreeBSD : sudo -- Potential bypass of Runas user restrictions (b4e5f782-442d-11ea-9ba9-206a8a720317) NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-202003-12.NASL description The remote host is affected by the vulnerability described in GLSA-202003-12 (sudo: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in sudo. Please review the CVE identifiers referenced below for details. Impact : A local attacker could expose or corrupt memory information, inject code to be run as a root user or cause a Denial of Service condition. Workaround : There is no known workaround at this time. last seen 2020-03-19 modified 2020-03-16 plugin id 134589 published 2020-03-16 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/134589 title GLSA-202003-12 : sudo: Multiple vulnerabilities NASL family Huawei Local Security Checks NASL id EULEROS_SA-2020-1564.NASL description According to the versions of the sudo package installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities : - In PHP before 5.6.28 and 7.x before 7.0.13, incorrect handling of various URI components in the URL parser could be used by attackers to bypass hostname-specific URL checks, as demonstrated by evil.example.com:80#@good.example.com/ and evil.example.com:[email protected]/ inputs to the parse_url function (implemented in the php_url_parse_ex function in ext/standard/url.c).(CVE-2019-19234) - In Sudo through 1.8.29, the fact that a user has been blocked (e.g., by using the ! character in the shadow file instead of a password hash) is not considered, allowing an attacker (who has access to a Runas ALL sudoer account) to impersonate any blocked user.(CVE-2019-19232) - In Sudo before 1.8.26, if pwfeedback is enabled in /etc/sudoers, users can trigger a stack-based buffer overflow in the privileged sudo process. (pwfeedback is a default setting in Linux Mint and elementary OS however, it is NOT the default for upstream and many other packages, and would exist only if enabled by an administrator.) The attacker needs to deliver a long string to the stdin of getln() in tgetpass.c.(CVE-2019-18634) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-05-08 modified 2020-05-01 plugin id 136267 published 2020-05-01 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/136267 title EulerOS Virtualization for ARM 64 3.0.2.0 : sudo (EulerOS-SA-2020-1564) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2020-1135.NASL description According to the versions of the sudo package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - ** DISPUTED ** In Sudo through 1.8.29, an attacker with access to a Runas ALL sudoer account can impersonate a nonexistent user by invoking sudo with a numeric uid that is not associated with any user. NOTE: The software maintainer believes that this is not a vulnerability because running a command via sudo as a user not present in the local password database is an intentional feature. Because this behavior surprised some users, sudo 1.8.30 introduced an option to enable/disable this behavior with the default being disabled. However, this does not change the fact that sudo was behaving as intended, and as documented, in earlier versions.(CVE-2019-19232) - ** DISPUTED ** In Sudo through 1.8.29, the fact that a user has been blocked (e.g., by using the ! character in the shadow file instead of a password hash) is not considered, allowing an attacker (who has access to a Runas ALL sudoer account) to impersonate any blocked user. NOTE: The software maintainer believes that this CVE is not valid. Disabling local password authentication for a user is not the same as disabling all access to that user--the user may still be able to login via other means (ssh key, kerberos, etc). Both the Linux shadow(5) and passwd(1) manuals are clear on this. Indeed it is a valid use case to have local accounts that are _only_ accessible via sudo and that cannot be logged into with a password. Sudo 1.8.30 added an optional setting to check the _shell_ of the target user (not the encrypted password!) against the contents of /etc/shells but that is not the same thing as preventing access to users with an invalid password hash.(CVE-2019-19234) - In Sudo before 1.8.26, if pwfeedback is enabled in /etc/sudoers, users can trigger a stack-based buffer overflow in the privileged sudo process. (pwfeedback is a default setting in Linux Mint and elementary OS however, it is NOT the default for upstream and many other packages, and would exist only if enabled by an administrator.) The attacker needs to deliver a long string to the stdin of getln() in tgetpass.c.(CVE-2019-18634) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-05-06 modified 2020-02-24 plugin id 133936 published 2020-02-24 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/133936 title EulerOS 2.0 SP5 : sudo (EulerOS-SA-2020-1135) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2020-1349.NASL description According to the versions of the sudo package installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities : - ** DISPUTED ** In Sudo through 1.8.29, the fact that a user has been blocked (e.g., by using the ! character in the shadow file instead of a password hash) is not considered, allowing an attacker (who has access to a Runas ALL sudoer account) to impersonate any blocked user. NOTE: The software maintainer believes that this CVE is not valid. Disabling local password authentication for a user is not the same as disabling all access to that user--the user may still be able to login via other means (ssh key, kerberos, etc). Both the Linux shadow(5) and passwd(1) manuals are clear on this. Indeed it is a valid use case to have local accounts that are _only_ accessible via sudo and that cannot be logged into with a password. Sudo 1.8.30 added an optional setting to check the _shell_ of the target user (not the encrypted password!) against the contents of /etc/shells but that is not the same thing as preventing access to users with an invalid password hash.(CVE-2019-19234) - ** DISPUTED ** In Sudo through 1.8.29, an attacker with access to a Runas ALL sudoer account can impersonate a nonexistent user by invoking sudo with a numeric uid that is not associated with any user. NOTE: The software maintainer believes that this is not a vulnerability because running a command via sudo as a user not present in the local password database is an intentional feature. Because this behavior surprised some users, sudo 1.8.30 introduced an option to enable/disable this behavior with the default being disabled. However, this does not change the fact that sudo was behaving as intended, and as documented, in earlier versions.(CVE-2019-19232) - In Sudo before 1.8.26, if pwfeedback is enabled in /etc/sudoers, users can trigger a stack-based buffer overflow in the privileged sudo process. (pwfeedback is a default setting in Linux Mint and elementary OS however, it is NOT the default for upstream and many other packages, and would exist only if enabled by an administrator.) The attacker needs to deliver a long string to the stdin of getln() in tgetpass.c.(CVE-2019-18634) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-04-07 modified 2020-04-02 plugin id 135136 published 2020-04-02 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/135136 title EulerOS Virtualization for ARM 64 3.0.6.0 : sudo (EulerOS-SA-2020-1349) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2020-1181.NASL description According to the versions of the sudo package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - In Sudo before 1.8.26, if pwfeedback is enabled in /etc/sudoers, users can trigger a stack-based buffer overflow in the privileged sudo process. (pwfeedback is a default setting in Linux Mint and elementary OS however, it is NOT the default for upstream and many other packages, and would exist only if enabled by an administrator.) The attacker needs to deliver a long string to the stdin of getln() in tgetpass.c.(CVE-2019-18634) - ** DISPUTED ** In Sudo through 1.8.29, an attacker with access to a Runas ALL sudoer account can impersonate a nonexistent user by invoking sudo with a numeric uid that is not associated with any user. NOTE: The software maintainer believes that this is not a vulnerability because running a command via sudo as a user not present in the local password database is an intentional feature. Because this behavior surprised some users, sudo 1.8.30 introduced an option to enable/disable this behavior with the default being disabled. However, this does not change the fact that sudo was behaving as intended, and as documented, in earlier versions.(CVE-2019-19232) - ** DISPUTED ** In Sudo through 1.8.29, the fact that a user has been blocked (e.g., by using the ! character in the shadow file instead of a password hash) is not considered, allowing an attacker (who has access to a Runas ALL sudoer account) to impersonate any blocked user. NOTE: The software maintainer believes that this CVE is not valid. Disabling local password authentication for a user is not the same as disabling all access to that user--the user may still be able to login via other means (ssh key, kerberos, etc). Both the Linux shadow(5) and passwd(1) manuals are clear on this. Indeed it is a valid use case to have local accounts that are _only_ accessible via sudo and that cannot be logged into with a password. Sudo 1.8.30 added an optional setting to check the _shell_ of the target user (not the encrypted password!) against the contents of /etc/shells but that is not the same thing as preventing access to users with an invalid password hash.(CVE-2019-19234) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-05-03 modified 2020-02-25 plugin id 134015 published 2020-02-25 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/134015 title EulerOS 2.0 SP8 : sudo (EulerOS-SA-2020-1181) NASL family SuSE Local Security Checks NASL id OPENSUSE-2020-244.NASL description This update for sudo fixes the following issues : Security issue fixed : - CVE-2019-18634: Fixed a buffer overflow in the passphrase prompt that could occur when pwfeedback was enabled in /etc/sudoers (bsc#1162202). Non-security issue fixed : - Fixed an issue where sudo -l would ask for a password even though `listpw` was set to `never` (bsc#1162675). This update was imported from the SUSE:SLE-15:Update update project. last seen 2020-03-18 modified 2020-02-26 plugin id 134073 published 2020-02-26 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/134073 title openSUSE Security Update : sudo (openSUSE-2020-244) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2020-0540.NASL description From Red Hat Security Advisory 2020:0540 : An update for sudo is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The sudo packages contain the sudo utility which allows system administrators to provide certain users with the permission to execute privileged commands, which are used for system management purposes, without having to log in as root. Security Fix(es) : * sudo: Stack based buffer overflow when pwfeedback is enabled (CVE-2019-18634) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. last seen 2020-03-18 modified 2020-02-19 plugin id 133781 published 2020-02-19 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/133781 title Oracle Linux 7 : sudo (ELSA-2020-0540) NASL family SuSE Local Security Checks NASL id SUSE_SU-2020-0407-1.NASL description This update for sudo fixes the following issue : Security issue fixed : CVE-2019-18634: Fixed a buffer overflow in the passphrase prompt that could occur when pwfeedback was enabled in /etc/sudoers (bsc#1162202). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-03-18 modified 2020-02-20 plugin id 133831 published 2020-02-20 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/133831 title SUSE SLES12 Security Update : sudo (SUSE-SU-2020:0407-1) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2020-1435.NASL description According to the versions of the sudo package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - In Sudo through 1.8.29, an attacker with access to a Runas ALL sudoer account can impersonate a nonexistent user by invoking sudo with a numeric uid that is not associated with any user. NOTE: The software maintainer believes that this is not a vulnerability because running a command via sudo as a user not present in the local password database is an intentional feature. Because this behavior surprised some users, sudo 1.8.30 introduced an option to enable/disable this behavior with the default being disabled. However, this does not change the fact that sudo was behaving as intended, and as documented, in earlier versions.(CVE-2019-19232) - In Sudo through 1.8.29, the fact that a user has been blocked (e.g., by using the ! character in the shadow file instead of a password hash) is not considered, allowing an attacker (who has access to a Runas ALL sudoer account) to impersonate any blocked user. NOTE: The software maintainer believes that this CVE is not valid. Disabling local password authentication for a user is not the same as disabling all access to that user--the user may still be able to login via other means (ssh key, kerberos, etc). Both the Linux shadow(5) and passwd(1) manuals are clear on this. Indeed it is a valid use case to have local accounts that are _only_ accessible via sudo and that cannot be logged into with a password. Sudo 1.8.30 added an optional setting to check the _shell_ of the target user (not the encrypted password!) against the contents of /etc/shells but that is not the same thing as preventing access to users with an invalid password hash.(CVE-2019-19234) - In Sudo before 1.8.26, if pwfeedback is enabled in /etc/sudoers, users can trigger a stack-based buffer overflow in the privileged sudo process. (pwfeedback is a default setting in Linux Mint and elementary OS however, it is NOT the default for upstream and many other packages, and would exist only if enabled by an administrator.) The attacker needs to deliver a long string to the stdin of getln() in tgetpass.c.(CVE-2019-18634) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-05-06 modified 2020-04-15 plugin id 135564 published 2020-04-15 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/135564 title EulerOS 2.0 SP3 : sudo (EulerOS-SA-2020-1435) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2020-0509.NASL description An update for sudo is now available for Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The sudo packages contain the sudo utility which allows system administrators to provide certain users with the permission to execute privileged commands, which are used for system management purposes, without having to log in as root. Security Fix(es) : * sudo: Stack based buffer overflow when pwfeedback is enabled (CVE-2019-18634) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. last seen 2020-06-01 modified 2020-06-02 plugin id 133713 published 2020-02-14 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/133713 title RHEL 8 : sudo (RHSA-2020:0509) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2020-0726.NASL description From Red Hat Security Advisory 2020:0726 : An update for sudo is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The sudo packages contain the sudo utility which allows system administrators to provide certain users with the permission to execute privileged commands, which are used for system management purposes, without having to log in as root. Security Fix(es) : * sudo: Stack based buffer overflow when pwfeedback is enabled (CVE-2019-18634) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. last seen 2020-03-18 modified 2020-03-09 plugin id 134341 published 2020-03-09 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/134341 title Oracle Linux 6 : sudo (ELSA-2020-0726) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2020-0487.NASL description An update for sudo is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The sudo packages contain the sudo utility which allows system administrators to provide certain users with the permission to execute privileged commands, which are used for system management purposes, without having to log in as root. Security Fix(es) : * sudo: Stack based buffer overflow when pwfeedback is enabled (CVE-2019-18634) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. last seen 2020-06-01 modified 2020-06-02 plugin id 133712 published 2020-02-14 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/133712 title RHEL 8 : sudo (RHSA-2020:0487)
Packetstorm
data source | https://packetstormsecurity.com/files/download/156189/sudo1825p-overflow.txt |
id | PACKETSTORM:156189 |
last seen | 2020-02-06 |
published | 2020-02-04 |
reporter | Joe Vennix |
source | https://packetstormsecurity.com/files/156189/Sudo-1.8.25p-Buffer-Overflow.html |
title | Sudo 1.8.25p Buffer Overflow |
Redhat
advisories |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
rpms |
|
The Hacker News
id | THN:726936F27D7083C4F7A589C56EE66303 |
last seen | 2020-02-03 |
modified | 2020-02-03 |
published | 2020-02-03 |
reporter | The Hacker News |
source | https://thehackernews.com/2020/02/sudo-linux-vulnerability.html |
title | Sudo Bug Lets Non-Privileged Linux and macOS Users Run Commands as Root |
References
- http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00029.html
- http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00029.html
- http://packetstormsecurity.com/files/156174/Slackware-Security-Advisory-sudo-Updates.html
- http://packetstormsecurity.com/files/156174/Slackware-Security-Advisory-sudo-Updates.html
- http://packetstormsecurity.com/files/156189/Sudo-1.8.25p-Buffer-Overflow.html
- http://packetstormsecurity.com/files/156189/Sudo-1.8.25p-Buffer-Overflow.html
- http://seclists.org/fulldisclosure/2020/Jan/40
- http://seclists.org/fulldisclosure/2020/Jan/40
- http://www.openwall.com/lists/oss-security/2020/01/30/6
- http://www.openwall.com/lists/oss-security/2020/01/30/6
- http://www.openwall.com/lists/oss-security/2020/01/31/1
- http://www.openwall.com/lists/oss-security/2020/01/31/1
- http://www.openwall.com/lists/oss-security/2020/02/05/2
- http://www.openwall.com/lists/oss-security/2020/02/05/2
- http://www.openwall.com/lists/oss-security/2020/02/05/5
- http://www.openwall.com/lists/oss-security/2020/02/05/5
- https://access.redhat.com/errata/RHSA-2020:0487
- https://access.redhat.com/errata/RHSA-2020:0487
- https://access.redhat.com/errata/RHSA-2020:0509
- https://access.redhat.com/errata/RHSA-2020:0509
- https://access.redhat.com/errata/RHSA-2020:0540
- https://access.redhat.com/errata/RHSA-2020:0540
- https://access.redhat.com/errata/RHSA-2020:0726
- https://access.redhat.com/errata/RHSA-2020:0726
- https://lists.debian.org/debian-lts-announce/2020/02/msg00002.html
- https://lists.debian.org/debian-lts-announce/2020/02/msg00002.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I6TKF36KOQUVJNBHSVJFA7BU3CCEYD2F/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I6TKF36KOQUVJNBHSVJFA7BU3CCEYD2F/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IY6DZ7WMDKU4ZDML6MJLDAPG42B5WVUC/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IY6DZ7WMDKU4ZDML6MJLDAPG42B5WVUC/
- https://seclists.org/bugtraq/2020/Feb/2
- https://seclists.org/bugtraq/2020/Feb/2
- https://seclists.org/bugtraq/2020/Feb/3
- https://seclists.org/bugtraq/2020/Feb/3
- https://seclists.org/bugtraq/2020/Jan/44
- https://seclists.org/bugtraq/2020/Jan/44
- https://security.gentoo.org/glsa/202003-12
- https://security.gentoo.org/glsa/202003-12
- https://security.netapp.com/advisory/ntap-20200210-0001/
- https://security.netapp.com/advisory/ntap-20200210-0001/
- https://support.apple.com/kb/HT210919
- https://support.apple.com/kb/HT210919
- https://usn.ubuntu.com/4263-1/
- https://usn.ubuntu.com/4263-1/
- https://usn.ubuntu.com/4263-2/
- https://usn.ubuntu.com/4263-2/
- https://www.debian.org/security/2020/dsa-4614
- https://www.debian.org/security/2020/dsa-4614
- https://www.sudo.ws/alerts/pwfeedback.html
- https://www.sudo.ws/alerts/pwfeedback.html
- https://www.sudo.ws/security.html
- https://www.sudo.ws/security.html