May 16, 2012
A flaw exists in the IP network matching code in sudo versions
1.6.9p3 through 1.8.4p4 that may result in the local host being
matched even though it is not actually part of the network described
by the IP address and associated netmask listed in the sudoers file
or in LDAP. As a result, users authorized to run commands on certain
IP networks may be able to run commands on hosts that belong to
other networks not explicitly listed in sudoers.
Sudo versions affected:
Sudo versions 1.6.9p3 through 1.8.4p4 inclusive are affected. The
bug only has an effect when the sudoers file (or LDAP sudoers data)
using a host specification that grants permissions using an IP
address with an associated netmask, e.g. 10.0.1.0/255.255.255.0 or
This vulnerability has been assigned CVE-2012-2337
in the Common Vulnerabilities and
Sudo supports granting access to commands on a per-host basis. The
host specification may be in the form of a host name, a netgroup,
an IP address, or an IP network (an IP address with an associated
When IPv6 support was added to sudo, a bug was introduced that
caused the IPv6 network matching code to be called when an IPv4
network address does not match. Depending on the value of the
uninitialized portion of the IPv6 address, it is possible for the
IPv4 network number to match when it should not. This bug only
affects IP network matching and does not affect simple IP address
The reported configuration that exhibited the bug was an LDAP-based
sudo installation where the sudoRole object contained multiple
sudoHost entries, each containing a different IPv4 network. File-
based sudoers should be affected as well as the same matching code
Exploitation of the bug requires that the user already be in the
sudoers file (or sudoers LDAP data) and be granted access to commands
on hosts on one or more IPv4 networks.
If sudoers does not include IP networks in the host specification
portion of the sudoers rules, the bug has no effect.
The bug can be worked around by using netgroups, host names or IP
addresses in place of IP networks in sudoers.
The bug is fixed in sudo 1.8.4p5 and 1.7.9p1.
The issue was reported internally to Red Hat Bugzilla.