A flaw exists in the IP network matching code in sudo versions 1.6.9p3 through 1.8.4p4 that may result in the local host being matched even though it is not actually part of the network described by the IP address and associated netmask listed in the sudoers file or in LDAP. As a result, users authorized to run commands on certain IP networks may be able to run commands on hosts that belong to other networks not explicitly listed in sudoers.
Sudo versions 1.6.9p3 through 1.8.4p4 inclusive are affected. The bug only has an effect when the sudoers file (or LDAP sudoers data) using a host specification that grants permissions using an IP address with an associated netmask, e.g. 10.0.1.0/255.255.255.0 or 10.0.2.0/24.
Sudo supports granting access to commands on a per-host basis. The host specification may be in the form of a host name, a netgroup, an IP address, or an IP network (an IP address with an associated netmask).
When IPv6 support was added to sudo, a bug was introduced that caused the IPv6 network matching code to be called when an IPv4 network address does not match. Depending on the value of the uninitialized portion of the IPv6 address, it is possible for the IPv4 network number to match when it should not. This bug only affects IP network matching and does not affect simple IP address matching.
The reported configuration that exhibited the bug was an LDAP-based sudo installation where the sudoRole object contained multiple sudoHost entries, each containing a different IPv4 network. File- based sudoers should be affected as well as the same matching code is used.
Exploitation of the bug requires that the user already be in the sudoers file (or sudoers LDAP data) and be granted access to commands on hosts on one or more IPv4 networks.
If sudoers does not include IP networks in the host specification portion of the sudoers rules, the bug has no effect.
The bug can be worked around by using netgroups, host names or IP addresses in place of IP networks in sudoers.
The bug is fixed in sudo 1.8.4p5 and 1.7.9p1.
The issue was reported internally to Red Hat Bugzilla.