Bug 955994 (CVE-2015-8239) - VUL-0: CVE-2015-8239: sudo: Race condition when checking digests in sudoers
Summary: VUL-0: CVE-2015-8239: sudo: Race condition when checking digests in sudoers
Status: RESOLVED WONTFIX
Alias: CVE-2015-8239
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance: P3 - Medium : Normal
Target Milestone: ---
Assignee: Kristyna Streitova
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/158929/
Whiteboard: CVSSv2:SUSE:CVE-2015-8239:4.6:(AV:N/A...
Keywords:
Depends on:
Blocks:
 
Reported: 2015-11-20 09:07 UTC by Johannes Segitz
Modified: 2017-06-13 14:38 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Johannes Segitz 2015-11-20 09:07:07 UTC
rh#1283635

A vulnerability was found in the functionality for adding support for SHA-2 digests along with the command. The sudoers plugin performs this digest verification while matching rules, and later independently calls execve() to execute the binary. This results in a race condition if the digest functionality is used as suggested (in fact, the rules are matched before the user is prompted for a password, so there is a non-negligible time frame to replace the binary from underneath sudo). Affected versions are 1.8.7 and later.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1283635
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8239
http://seclists.org/oss-sec/2015/q4/327
http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-8239.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8239
Comment 2 Swamp Workflow Management 2015-11-20 23:00:15 UTC
bugbot adjusting priority
Comment 3 Kristyna Streitova 2015-12-01 21:46:34 UTC
There is a running update for this issue, but according to upstream hg and the changelog there doesn't seem to be any patch yet. I suggest waiting for upstream to fix this properly (it appears that the fix won't be a trivial one).
Comment 4 Kristyna Streitova 2016-04-07 11:45:34 UTC
There are some changes upstream regarding this issue. They added support for using fexecve() and a warning in the documentation that it is not safe if the user has write access to the command itself.

- https://www.sudo.ws/repos/sudo/rev/397722cdd7ec
- https://www.sudo.ws/repos/sudo/rev/0cd3cc8fa195

The problem is that this is not a proper solution. Please see comment 7 in the RH Bugzilla [1] for more information.

It seems that upstream considers this issue closed.


[1] https://bugzilla.redhat.com/show_bug.cgi?id=1283635
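The race described in the report above and the fexecve() approach mentioned in comment 4, as an added Python illustration that is not sudo's code: the vulnerable pattern hashes by path and executes by path, while the pinned-descriptor variant hashes and executes the same inode. The world-writable refusal is an assumed stand-in for upstream's caveat that the invoking user must not be able to write to the command itself, and demonstrate_swap() builds its own throwaway files (Linux assumed).

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path
# Added illustration, not sudo's code: the report's race is "digest checked by
# path, binary later exec'd by path"; pinning one fd for both the check and
# fexecve() removes the path-swap window (but not writes to the file itself).

def digest_by_path(path):
    # Racy pattern: hashes whatever the path resolves to at this instant.
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def digest_fd(fd):
    # Hashes the inode behind an already-open descriptor.
    h = hashlib.sha256()
    os.lseek(fd, 0, os.SEEK_SET)
    while chunk := os.read(fd, 65536):
        h.update(chunk)
    return h.hexdigest()

def open_verified(path, expected_sha256):
    """Open once, verify on that fd, return it (or None). Upstream's caveat:
    this only helps if the invoking user cannot write to the file, so a
    world-writable file is refused here (assumed policy, not sudo's)."""
    fd = os.open(path, os.O_RDONLY | os.O_CLOEXEC)
    if os.fstat(fd).st_mode & stat.S_IWOTH or digest_fd(fd) != expected_sha256:
        os.close(fd)
        return None
    return fd

def run_verified(path, expected_sha256, argv):
    # Exec the verified inode, not the path; fexecve() does not return on success.
    fd = open_verified(path, expected_sha256)
    if fd is None:
        return False
    os.fexecve(fd, argv, dict(os.environ))

def demonstrate_swap():
    """Constructed scenario: verify, then rename a new file over the path.
    Returns (path_digest_changed, pinned_fd_digest_unchanged)."""
    cmd = Path(tempfile.mkdtemp()) / "cmd.sh"
    cmd.write_text("#!/bin/sh\necho approved\n")
    cmd.chmod(0o755)
    good = digest_by_path(cmd)
    fd = open_verified(cmd, good)  # check passes on the original content
    (cmd.parent / "cmd.new").write_text("#!/bin/sh\necho swapped\n")
    os.rename(cmd.parent / "cmd.new", cmd)  # path now names a different inode
    result = (digest_by_path(cmd) != good, digest_fd(fd) == good)
    os.close(fd)
    return result
```

demonstrate_swap() returns (True, True): the path-based digest no longer matches after the swap, while the descriptor pinned before the swap still hashes to the verified content, which is what fexecve() would run.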
Comment 6 Marcus Meissner 2016-08-19 11:44:50 UTC
I have to agree that it would be better to document that allowing sudo of binaries in user-writable directories should be avoided, as it is hard to make safe. (And I do not see this as a common use case.)
Comment 7 Marcus Meissner 2016-08-19 11:46:50 UTC
bin/addnote CVE-2015-8239 "This issue is only a problem if you allow sudo of specific binaries in user writable locations (and checking them with SHA2 digests). This scenario does not seem common, and we recommend not to allow sudo executing specific binaries in userwritable locations."

For the CVE page.
Comment 8 Marcus Meissner 2017-06-12 10:10:05 UTC
Will not be fixed code-wise.