[sudo-announce] Security advisory for sudo 1.6.9p3 through 1.8.4p4
Todd C. Miller
Todd.Miller at courtesan.com
Wed May 16 10:01:45 EDT 2012
A flaw exists in the IP network matching code in sudo versions
1.6.9p3 through 1.8.4p4 that may result in the local host being
matched even though it is not actually part of the network
described by the IP address and associated netmask listed in
the sudoers file or in LDAP. As a result, users authorized to
run commands on certain IP networks may be able to run commands
on hosts that belong to other networks not explicitly listed
Sudo versions affected:
Sudo versions 1.6.9p3 through 1.8.4p4 inclusive are affected.
The bug only has an effect when the sudoers file (or LDAP sudoers
data) using a host specification that grants permissions using
an IP address with an associated netmask, e.g. 10.0.1.0/255.255.255.0
This vulnerability has been assigned CVE 2012-2337 in the Common
Vulnerabilities and Exposures database.
Sudo supports granting access to commands on a per-host basis.
The host specification may be in the form of a host name, a
netgroup, an IP address, or an IP network (an IP address with
an associated netmask).
When IPv6 support was added to sudo, a bug was introduced that
caused the IPv6 network matching code to be called when an IPv4
network address does not match. Deepending on the value of the
uninitialized portion of the IPv6 address, it is possible for
the IPv4 network number to match when it should not. This bug
only affects IP network matching and does not affect simple IP
The reported configuration that exhibited the bug was an
LDAP-based sudo installation where the sudoRole object contained
multiple sudoHost entries, each containing a different IPv4
network. File- based sudoers should be affected as well as the
same matching code is used.
Exploitation of the bug requires that the user already be in
the sudoers file (or sudoers LDAP data) and be granted access
to commands on hosts on one or more IPv4 networks.
If sudoers does not include IP networks in the host specification
portion of the sudoers rules, the bug has no effect.
The bug can be worked around by using netgroups, host names or
IP addresses in place of IP networks in sudoers.
The bug is fixed in sudo 1.8.4p5 and 1.7.9p1.
The newly release sudo 1.8.5 also contains the fix.
The issue was reported internally to Red Hat Bugzilla.
For a list of download mirror sites, see:
Sudo web site:
Sudo web site mirrors:
More information about the sudo-announce