Vulnerabilities > CVE-2019-19232 - Unspecified vulnerability in Sudo
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
NONE Integrity impact
HIGH Availability impact
NONE Summary
In Sudo through 1.8.29, an attacker with access to a Runas ALL sudoer account can impersonate a nonexistent user by invoking sudo with a numeric uid that is not associated with any user. NOTE: The software maintainer believes that this is not a vulnerability because running a command via sudo as a user not present in the local password database is an intentional feature. Because this behavior surprised some users, sudo 1.8.30 introduced an option to enable/disable this behavior with the default being disabled. However, this does not change the fact that sudo was behaving as intended, and as documented, in earlier versions
Nessus
NASL family Fedora Local Security Checks NASL id FEDORA_2020-8B563BC5F4.NASL description - update to latest development version 1.9.0b1 - added sudo_logsrvd and sudo_sendlog to files and their appropriate man pages Resolves: rhbz#1787823 - Stack based buffer overflow in when pwfeedback is enabled Resolves: rhbz#1796945 - fixes: CVE-2019-18634 - By using ! character in the shadow file instead of a password hash can access to a run as all sudoer account Resolves: rhbz#1786709 - fixes CVE-2019-19234 - attacker with access to a Runas ALL sudoer account can impersonate a nonexistent user Resolves: rhbz#1786705 - fixes CVE-2019-19232 - setrlimit(RLIMIT_CORE): Operation not permitted warning message fix Resolves: rhbz#1773148 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-03-18 modified 2020-03-06 plugin id 134253 published 2020-03-06 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/134253 title Fedora 31 : sudo (2020-8b563bc5f4) NASL family MacOS X Local Security Checks NASL id MACOS_HT211100.NASL description The remote host is running a version of macOS / Mac OS X that is 10.13.x prior to 10.13.6 Security Update 2020-002, 10.14.x prior to 10.14.6 Security Update 2020-002, or 10.15.x prior to 10.15.4. It is, therefore, affected by multiple vulnerabilities : - Insufficient control flow in certain data structures for some Intel(R) Processors with Intel(R) Processor Graphics may allow an unauthenticated user to potentially enable information disclosure via local access. (CVE-2019-14615) - ** DISPUTED ** In Sudo through 1.8.29, an attacker with access to a Runas ALL sudoer account can impersonate a nonexistent user by invoking sudo with a numeric uid that is not associated with any user. NOTE: The software maintainer believes that this is not a vulnerability because running a command via sudo as a user not present in the local password database is an intentional feature. Because this behavior surprised some users, sudo 1.8.30 introduced an option to enable/disable this behavior with the default being disabled. However, this does not change the fact that sudo was behaving as intended, and as documented, in earlier versions. (CVE-2019-19232) - An out-of-bounds read error exists in Bluetooth due to improper input sanitization. An attacker can exploit this to read restricted memory. (CVE-2019-8853) - Privilege escalation vulnerabilities exist in IOThunderboltFamily (due to a use-after-free flaw), and in CUPS (due to a memory corruption issue). An attacker can exploit this to gain elevated access to the system. (CVE-2020-3851, CVE-2020-3898) - An information disclosure vulnerability exists in FaceTime, Icons, and Call History. An unauthenticated, local attacker can exploit this, via malicious applications, to disclose potentially sensitive information. (CVE-2020-3881, CVE-2020-9773, CVE-2020-9776) - An information disclosure vulnerability exists in Sandbox. A local user can exploit this to view sensitvie user information. (CVE-2020-3918) - An unspecified issue exists in AppleMobileFileIntegrity due to an unspecified reason. An attacker can exploit this to use arbitrary entitlements. (CVE-2020-3883) - An arbitrary code execution vulnerability exists in Mail due to improper input validation. An unauthenticated, remote attacker can exploit this to bypass authentication and execute arbitrary JavaScript code. (CVE-2020-3884) - An arbitrary file read vulnerability exists in Time Machine due to improper state management. An unauthenticated, local attacker can exploit this to read arbitrary files and disclose sensitive information. (CVE-2020-3889) - An arbitrary code execution vulnerability exists in AppleGraphicsControl, Bluetooth, IOHIDFamily, and the kernel due to memory initialization and corruption issues. An attacker can exploit this to bypass authentication and execute arbitrary commands with kernel privileges. (CVE-2020-3892, CVE-2020-3893, CVE-2020-3904, CVE-2020-3905, CVE-2020-3919, CVE-2020-9785) - An arbitrary code execution vulnerability exists in Apple HSSPI Support due to a memory corruption issue. An attacker can exploit this to bypass authentication and execute arbitrary commands with system privileges. (CVE-2020-3903) - A logic issue exists in TCC due to an unspecified reason. An attacker can exploit this, via a maliciously crafted application, to cause bypass code signing. (CVE-2020-3906) - An out-of-bounds read error exists in Bluetooth due to improper input validation. An unauthenticated local attacker can exploit this to cause a denial of service or read kernel memory. (CVE-2020-3907, CVE-2020-3908, CVE-2020-3912) - A buffer overflow condition exists in libxml2 due to improper bounds checking and size validation. An attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2020-3909, CVE-2020-3910, CVE-2020-3911) - A privilege escalation vulnerability exists in due to improper permission validation. An unauthenticated, remote attacker can exploit this, to gain elevated access to the system. (CVE-2020-3913) - An information disclosure vulnerability exists in the kernel due to improper memory handling. An attacker can exploit this to read restricted memory. (CVE-2020-3914) - An arbitrary file overwrite vulnerability exists in Printing due improper path handlng. An attacker can exploit this to overwrite arbitrary files. (CVE-2020-3915) - Multiple unspecified issues exist in the Vim installation on macOS. An attacker can exploit this to cause an unknown impact. (CVE-2020-9769) - An unspecified vulnerability exists in sysdiagnose due to insufficient validation of user supplied input. An attacker could exploit this issue with partial impact on the confidentiality, integrity & availability of the application and/or system. (CVE-2020-9786) - An vulnerability exists in WebKit due to a logic flaw in restrictions. An attacker may exploit this flaw, as part of a more elaborate attack, to gain unauthorized access to the MacOS camera. (CVE-2020-9787) Note that Nessus has not tested for this issue but has instead relied only on the operating system last seen 2020-05-31 modified 2020-03-27 plugin id 134954 published 2020-03-27 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/134954 title macOS 10.15.x < 10.15.4 / 10.14.x < 10.14.6 Security Update 2020-002 / 10.13.x < 10.13.6 Security Update 2020-002 NASL family Huawei Local Security Checks NASL id EULEROS_SA-2020-1564.NASL description According to the versions of the sudo package installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities : - In PHP before 5.6.28 and 7.x before 7.0.13, incorrect handling of various URI components in the URL parser could be used by attackers to bypass hostname-specific URL checks, as demonstrated by evil.example.com:80#@good.example.com/ and evil.example.com:[email protected]/ inputs to the parse_url function (implemented in the php_url_parse_ex function in ext/standard/url.c).(CVE-2019-19234) - In Sudo through 1.8.29, the fact that a user has been blocked (e.g., by using the ! character in the shadow file instead of a password hash) is not considered, allowing an attacker (who has access to a Runas ALL sudoer account) to impersonate any blocked user.(CVE-2019-19232) - In Sudo before 1.8.26, if pwfeedback is enabled in /etc/sudoers, users can trigger a stack-based buffer overflow in the privileged sudo process. (pwfeedback is a default setting in Linux Mint and elementary OS however, it is NOT the default for upstream and many other packages, and would exist only if enabled by an administrator.) The attacker needs to deliver a long string to the stdin of getln() in tgetpass.c.(CVE-2019-18634) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-05-08 modified 2020-05-01 plugin id 136267 published 2020-05-01 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/136267 title EulerOS Virtualization for ARM 64 3.0.2.0 : sudo (EulerOS-SA-2020-1564) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2020-1135.NASL description According to the versions of the sudo package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - ** DISPUTED ** In Sudo through 1.8.29, an attacker with access to a Runas ALL sudoer account can impersonate a nonexistent user by invoking sudo with a numeric uid that is not associated with any user. NOTE: The software maintainer believes that this is not a vulnerability because running a command via sudo as a user not present in the local password database is an intentional feature. Because this behavior surprised some users, sudo 1.8.30 introduced an option to enable/disable this behavior with the default being disabled. However, this does not change the fact that sudo was behaving as intended, and as documented, in earlier versions.(CVE-2019-19232) - ** DISPUTED ** In Sudo through 1.8.29, the fact that a user has been blocked (e.g., by using the ! character in the shadow file instead of a password hash) is not considered, allowing an attacker (who has access to a Runas ALL sudoer account) to impersonate any blocked user. NOTE: The software maintainer believes that this CVE is not valid. Disabling local password authentication for a user is not the same as disabling all access to that user--the user may still be able to login via other means (ssh key, kerberos, etc). Both the Linux shadow(5) and passwd(1) manuals are clear on this. Indeed it is a valid use case to have local accounts that are _only_ accessible via sudo and that cannot be logged into with a password. Sudo 1.8.30 added an optional setting to check the _shell_ of the target user (not the encrypted password!) against the contents of /etc/shells but that is not the same thing as preventing access to users with an invalid password hash.(CVE-2019-19234) - In Sudo before 1.8.26, if pwfeedback is enabled in /etc/sudoers, users can trigger a stack-based buffer overflow in the privileged sudo process. (pwfeedback is a default setting in Linux Mint and elementary OS however, it is NOT the default for upstream and many other packages, and would exist only if enabled by an administrator.) The attacker needs to deliver a long string to the stdin of getln() in tgetpass.c.(CVE-2019-18634) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-05-06 modified 2020-02-24 plugin id 133936 published 2020-02-24 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/133936 title EulerOS 2.0 SP5 : sudo (EulerOS-SA-2020-1135) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2020-1349.NASL description According to the versions of the sudo package installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities : - ** DISPUTED ** In Sudo through 1.8.29, the fact that a user has been blocked (e.g., by using the ! character in the shadow file instead of a password hash) is not considered, allowing an attacker (who has access to a Runas ALL sudoer account) to impersonate any blocked user. NOTE: The software maintainer believes that this CVE is not valid. Disabling local password authentication for a user is not the same as disabling all access to that user--the user may still be able to login via other means (ssh key, kerberos, etc). Both the Linux shadow(5) and passwd(1) manuals are clear on this. Indeed it is a valid use case to have local accounts that are _only_ accessible via sudo and that cannot be logged into with a password. Sudo 1.8.30 added an optional setting to check the _shell_ of the target user (not the encrypted password!) against the contents of /etc/shells but that is not the same thing as preventing access to users with an invalid password hash.(CVE-2019-19234) - ** DISPUTED ** In Sudo through 1.8.29, an attacker with access to a Runas ALL sudoer account can impersonate a nonexistent user by invoking sudo with a numeric uid that is not associated with any user. NOTE: The software maintainer believes that this is not a vulnerability because running a command via sudo as a user not present in the local password database is an intentional feature. Because this behavior surprised some users, sudo 1.8.30 introduced an option to enable/disable this behavior with the default being disabled. However, this does not change the fact that sudo was behaving as intended, and as documented, in earlier versions.(CVE-2019-19232) - In Sudo before 1.8.26, if pwfeedback is enabled in /etc/sudoers, users can trigger a stack-based buffer overflow in the privileged sudo process. (pwfeedback is a default setting in Linux Mint and elementary OS however, it is NOT the default for upstream and many other packages, and would exist only if enabled by an administrator.) The attacker needs to deliver a long string to the stdin of getln() in tgetpass.c.(CVE-2019-18634) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-04-07 modified 2020-04-02 plugin id 135136 published 2020-04-02 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/135136 title EulerOS Virtualization for ARM 64 3.0.6.0 : sudo (EulerOS-SA-2020-1349) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2020-1181.NASL description According to the versions of the sudo package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - In Sudo before 1.8.26, if pwfeedback is enabled in /etc/sudoers, users can trigger a stack-based buffer overflow in the privileged sudo process. (pwfeedback is a default setting in Linux Mint and elementary OS however, it is NOT the default for upstream and many other packages, and would exist only if enabled by an administrator.) The attacker needs to deliver a long string to the stdin of getln() in tgetpass.c.(CVE-2019-18634) - ** DISPUTED ** In Sudo through 1.8.29, an attacker with access to a Runas ALL sudoer account can impersonate a nonexistent user by invoking sudo with a numeric uid that is not associated with any user. NOTE: The software maintainer believes that this is not a vulnerability because running a command via sudo as a user not present in the local password database is an intentional feature. Because this behavior surprised some users, sudo 1.8.30 introduced an option to enable/disable this behavior with the default being disabled. However, this does not change the fact that sudo was behaving as intended, and as documented, in earlier versions.(CVE-2019-19232) - ** DISPUTED ** In Sudo through 1.8.29, the fact that a user has been blocked (e.g., by using the ! character in the shadow file instead of a password hash) is not considered, allowing an attacker (who has access to a Runas ALL sudoer account) to impersonate any blocked user. NOTE: The software maintainer believes that this CVE is not valid. Disabling local password authentication for a user is not the same as disabling all access to that user--the user may still be able to login via other means (ssh key, kerberos, etc). Both the Linux shadow(5) and passwd(1) manuals are clear on this. Indeed it is a valid use case to have local accounts that are _only_ accessible via sudo and that cannot be logged into with a password. Sudo 1.8.30 added an optional setting to check the _shell_ of the target user (not the encrypted password!) against the contents of /etc/shells but that is not the same thing as preventing access to users with an invalid password hash.(CVE-2019-19234) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-05-03 modified 2020-02-25 plugin id 134015 published 2020-02-25 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/134015 title EulerOS 2.0 SP8 : sudo (EulerOS-SA-2020-1181) NASL family PhotonOS Local Security Checks NASL id PHOTONOS_PHSA-2020-1_0-0264_SUDO.NASL description An update of the sudo package has been released. last seen 2020-06-01 modified 2020-06-02 plugin id 132985 published 2020-01-16 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/132985 title Photon OS 1.0: Sudo PHSA-2020-1.0-0264 NASL family Huawei Local Security Checks NASL id EULEROS_SA-2020-1435.NASL description According to the versions of the sudo package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - In Sudo through 1.8.29, an attacker with access to a Runas ALL sudoer account can impersonate a nonexistent user by invoking sudo with a numeric uid that is not associated with any user. NOTE: The software maintainer believes that this is not a vulnerability because running a command via sudo as a user not present in the local password database is an intentional feature. Because this behavior surprised some users, sudo 1.8.30 introduced an option to enable/disable this behavior with the default being disabled. However, this does not change the fact that sudo was behaving as intended, and as documented, in earlier versions.(CVE-2019-19232) - In Sudo through 1.8.29, the fact that a user has been blocked (e.g., by using the ! character in the shadow file instead of a password hash) is not considered, allowing an attacker (who has access to a Runas ALL sudoer account) to impersonate any blocked user. NOTE: The software maintainer believes that this CVE is not valid. Disabling local password authentication for a user is not the same as disabling all access to that user--the user may still be able to login via other means (ssh key, kerberos, etc). Both the Linux shadow(5) and passwd(1) manuals are clear on this. Indeed it is a valid use case to have local accounts that are _only_ accessible via sudo and that cannot be logged into with a password. Sudo 1.8.30 added an optional setting to check the _shell_ of the target user (not the encrypted password!) against the contents of /etc/shells but that is not the same thing as preventing access to users with an invalid password hash.(CVE-2019-19234) - In Sudo before 1.8.26, if pwfeedback is enabled in /etc/sudoers, users can trigger a stack-based buffer overflow in the privileged sudo process. (pwfeedback is a default setting in Linux Mint and elementary OS however, it is NOT the default for upstream and many other packages, and would exist only if enabled by an administrator.) The attacker needs to deliver a long string to the stdin of getln() in tgetpass.c.(CVE-2019-18634) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-05-06 modified 2020-04-15 plugin id 135564 published 2020-04-15 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/135564 title EulerOS 2.0 SP3 : sudo (EulerOS-SA-2020-1435)
Redhat
| advisories |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||
| rpms |
|
References
- http://seclists.org/fulldisclosure/2020/Mar/31
- http://seclists.org/fulldisclosure/2020/Mar/31
- https://access.redhat.com/security/cve/cve-2019-19232
- https://access.redhat.com/security/cve/cve-2019-19232
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I6TKF36KOQUVJNBHSVJFA7BU3CCEYD2F/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I6TKF36KOQUVJNBHSVJFA7BU3CCEYD2F/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IY6DZ7WMDKU4ZDML6MJLDAPG42B5WVUC/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IY6DZ7WMDKU4ZDML6MJLDAPG42B5WVUC/
- https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs58103
- https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs58103
- https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs58812
- https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs58812
- https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs58979
- https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs58979
- https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs76870
- https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs76870
- https://security.netapp.com/advisory/ntap-20200103-0004/
- https://security.netapp.com/advisory/ntap-20200103-0004/
- https://support.apple.com/en-gb/HT211100
- https://support.apple.com/en-gb/HT211100
- https://support.apple.com/kb/HT211100
- https://support.apple.com/kb/HT211100
- https://support2.windriver.com/index.php?page=cve&on=view&id=CVE-2019-19232
- https://support2.windriver.com/index.php?page=cve&on=view&id=CVE-2019-19232
- https://support2.windriver.com/index.php?page=defects&on=view&id=LIN1018-5506
- https://support2.windriver.com/index.php?page=defects&on=view&id=LIN1018-5506
- https://www.bsi.bund.de/SharedDocs/Warnmeldungen/DE/CB/2019/12/warnmeldung_cb-k20-0001.html
- https://www.bsi.bund.de/SharedDocs/Warnmeldungen/DE/CB/2019/12/warnmeldung_cb-k20-0001.html
- https://www.oracle.com/security-alerts/bulletinapr2020.html
- https://www.oracle.com/security-alerts/bulletinapr2020.html
- https://www.sudo.ws/devel.html#1.8.30b2
- https://www.sudo.ws/devel.html#1.8.30b2
- https://www.sudo.ws/stable.html
- https://www.sudo.ws/stable.html
- https://www.tenable.com/plugins/nessus/133936
- https://www.tenable.com/plugins/nessus/133936