[sudo-announce] Security advisory for sudo 1.6.9p3 through 1.8.4p4

Todd C. Miller Todd.Miller at courtesan.com
Wed May 16 10:01:45 EDT 2012


Summary:
    A flaw exists in the IP network matching code in sudo versions
    1.6.9p3 through 1.8.4p4 that may result in the local host being
    matched even though it is not actually part of the network
    described by the IP address and associated netmask listed in
    the sudoers file or in LDAP.  As a result, users authorized to
    run commands on certain IP networks may be able to run commands
    on hosts that belong to other networks not explicitly listed
    in sudoers.

Sudo versions affected:
    Sudo versions 1.6.9p3 through 1.8.4p4 inclusive are affected.
    The bug only has an effect when the sudoers file (or LDAP sudoers
    data) uses a host specification that grants permissions using
    an IP address with an associated netmask, e.g. 10.0.1.0/255.255.255.0
    or 10.0.2.0/24.

CVE ID:
    This vulnerability has been assigned CVE 2012-2337 in the Common
    Vulnerabilities and Exposures database.

Details:
    Sudo supports granting access to commands on a per-host basis.
    The host specification may be in the form of a host name, a
    netgroup, an IP address, or an IP network (an IP address with
    an associated netmask).

    When IPv6 support was added to sudo, a bug was introduced that
    caused the IPv6 network matching code to be called when an IPv4
    network address does not match.  Depending on the value of the
    uninitialized portion of the IPv6 address, it is possible for
    the IPv4 network number to match when it should not.  This bug
    only affects IP network matching and does not affect simple IP
    address matching.

    The reported configuration that exhibited the bug was an
    LDAP-based sudo installation where the sudoRole object contained
    multiple sudoHost entries, each containing a different IPv4
    network.  File-based sudoers should be affected as well, as the
    same matching code is used.

Impact:
    Exploitation of the bug requires that the user already be in
    the sudoers file (or sudoers LDAP data) and be granted access
    to commands on hosts on one or more IPv4 networks.

    If sudoers does not include IP networks in the host specification
    portion of the sudoers rules, the bug has no effect.

Workaround:
    The bug can be worked around by using netgroups, host names or
    IP addresses in place of IP networks in sudoers.
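
    To find the rules the workaround applies to, the following added
    example (not part of the original advisory or of sudo itself) scans
    sudoers text or exported LDIF for host specifications that use an
    IPv4 address with a netmask. It is a line-based scan, not a full
    sudoers parser; the function names and sample input are constructed.

```python
import ipaddress
import re

# IPv4 address, "/", then a prefix length or a dotted-quad netmask.
NET_TOKEN = re.compile(
    r"(?<![\w./])(\d{1,3}(?:\.\d{1,3}){3})/(\d{1,3}(?:\.\d{1,3}){3}|\d{1,2})(?![\w.])")
NON_HOST = re.compile(r"[A-Za-z][\w;-]*::?\s|(?:Cmnd|User|Runas)_Alias\b|Defaults")

def ipv4_networks(text):  # valid IPv4 address/netmask tokens in text
    found = []
    for addr, mask in NET_TOKEN.findall(text):
        try:
            ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
        except ValueError:
            continue  # prefix length > 32 or a non-contiguous mask
        found.append(f"{addr}/{mask}")
    return found

def host_field(line):  # part of a sudoers or LDIF line that can hold host specs
    s = line.strip()
    if not s or s.startswith("#"):      # comment (this also skips "#uid" specs)
        return ""
    first = s.split(None, 1)[0]
    if first == "Host_Alias" or first.lower().startswith("sudohost:"):
        return s                        # hosts are the value part of the line
    if NON_HOST.match(s):               # other LDIF attribute, non-host alias, Defaults
        return ""
    return s.split("=", 1)[0]           # user spec: hosts precede the first "="

def find_network_host_specs(text):  # -> [(first line number, network), ...]
    hits, pending, start = [], "", 0
    for n, raw in enumerate(text.splitlines(), 1):
        start = start or n
        pending += raw.rstrip()
        if pending.endswith("\\"):      # sudoers line continuation
            pending = pending[:-1] + " "
            continue
        hits += [(start, tok) for tok in ipv4_networks(host_field(pending))]
        pending, start = "", 0
    return hits

# Constructed sample input: sudoers lines followed by LDIF attributes.
SAMPLE = """\
Host_Alias LAB = 10.0.1.0/255.255.255.0, \\
                 10.0.2.0/24
bob   192.168.5.7 = /sbin/route add 10.9.0.0/16 gw 10.0.0.1
carol 172.16.0.0/12, build01 = ALL
sudoHost: 10.0.3.0/24
sudoCommand: /sbin/ip route add 10.8.0.0/16
"""
```

    Each hit is a host specification to replace with a netgroup, host
    name or plain IP address; networks that appear only in command
    arguments are ignored.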

Fix:
    The bug is fixed in sudo 1.8.4p5 and 1.7.9p1.
    The newly released sudo 1.8.5 also contains the fix.

Credit:
    The issue was reported internally to Red Hat Bugzilla.

Source:
    http://www.sudo.ws/sudo/dist/sudo-1.8.5.tar.gz
    http://www.sudo.ws/sudo/dist/sudo-1.8.4p5.tar.gz
    http://www.sudo.ws/sudo/dist/sudo-1.7.9p1.tar.gz
    ftp://ftp.sudo.ws/pub/sudo/sudo-1.8.5.tar.gz
    ftp://ftp.sudo.ws/pub/sudo/sudo-1.8.4p5.tar.gz
    ftp://ftp.sudo.ws/pub/sudo/sudo-1.7.9p1.tar.gz

Binary packages:
    http://www.sudo.ws/sudo/download.html#binary

For a list of download mirror sites, see:
    http://www.sudo.ws/sudo/download_mirrors.html

Sudo web site:
    http://www.sudo.ws/sudo/

Sudo web site mirrors:
    http://www.sudo.ws/sudo/mirrors.html


