
Widespread CVE-2019-14287 is Out, But a Workaround's Available

The team responsible for sudo, a popular Linux command-line tool, published a new security alert under CVE-2019-14287. It has a high CVSS score of 8.8, and Vulcan Cyber’s threat intel has found it to be exploitable. It therefore poses a high-to-critical risk in most environments.

Suggested remediation measures 

To remediate this vulnerability, deploy the patch provided by the vendor or make sure your sudo version is 1.8.28 or later. Alternatively, there is a configuration check available:

  • This vulnerability only affects configurations of sudo that have a runas user list that includes an exclusion of root. The simplest example is:

    someuser ALL=(ALL, !root) /usr/bin/somecommand

  • The exclusion is specified using an exclamation mark (!). In this example, the "root" user is specified by name. The root user may also be identified in other ways, such as by user id:

    someuser ALL=(ALL, !#0) /usr/bin/somecommand

  • Or by reference to a runas alias:

    Runas_Alias MYGROUP = root, adminuser
    someuser ALL=(ALL, !MYGROUP) /usr/bin/somecommand

  • To ensure your sudoers configuration is not affected by this vulnerability, we recommend examining each sudoers entry that includes the `!` character in the runas specification, to ensure that the root user is not among the exclusions. These can be found in the /etc/sudoers file or files under /etc/sudoers.d.

(from Red Hat) 

  • Alternatively, you can see if you are affected by running these commands (they cover root named explicitly or by uid 0; entries that exclude root through a Runas_Alias must still be checked by hand):

    grep '(\s*ALL\s*,\s*\!root\s*)' /etc/sudoers /etc/sudoers.d/*
    grep '(\s*ALL\s*,\s*\!#0\s*)' /etc/sudoers /etc/sudoers.d/*

About the vulnerability

The security flaw could enable a malicious user to execute arbitrary commands as root user even in cases where the root access is disallowed. Considering how widespread sudo usage is among Linux users, it’s no surprise that everybody’s talking about the security vulnerability. 

Details:

If a sudoers entry is written to allow the user to run a command as any user except root, the bug can be used to avoid this restriction. For example, given the following sudoers entry:

myhost bob = (ALL, !root) /usr/bin/vi

User bob is allowed to run vi as any user but root. However, due to the bug, bob is actually able to run vi as root by running "sudo -u#-1 vi", violating the security policy.

Only sudoers entries where the ALL keyword is present in the Runas specifier are affected. For example, the following sudoers entry is unaffected:

myhost alice = /usr/bin/id

In this example, alice is only allowed to run the id command as root. Any attempt to run the command as a different user will be denied.

(from Openwall)
