AIX Open Source

Share your experiences and connect with fellow developers to discover how to build and manage open source software for the AIX operating system

  • 1.  How to correct the SUDO Vulnerability - CVE-2021-3156

    Posted Fri May 21, 2021 05:05 PM
    Hello Team

    We have AIX servers running versions 7100-05-06/07, 7200-04-02 & 7200-05-01, and we want to install the latest SUDO version available to cover the recent vulnerability. When I checked, I saw that SUDO-ldap.rte is installed & can be listed with lslpp commands; it is not installed the RPM/YUM way. Please help us with how to get the latest appropriate SUDO version installed on our servers with no outage.

    I did try installing the sudo RPM package downloaded from the ToolBox site & ended up breaking the existing SUDO privileges, & it even stopped direct root login through HMC. I wasn't sure which SUDO RPM package to download & use in my case. We are also planning to get our servers upgraded to 7158_2114 & 7252_2114; does that cover the vulnerability by any chance? If not, please pass me instructions on where/how to download & install the latest SUDO-ldap.rte package.

    (tsauti04.hban.us:/)# oslevel -s
    7200-05-01-2038
    (tsauti04.hban.us:/)#
    (tsauti04.hban.us:/)# lslpp -l | grep -i sudo
    sudo-ldap.rte 1.8.20.2 COMMITTED Configurable super-user
    sudo-ldap.rte 1.8.20.2 COMMITTED Configurable super-user
    (tsauti04.hban.us:/)#
    (tsauti04.hban.us:/)# lslpp -l | grep -i rpm.rte
    rpm.rte 4.15.1.1 COMMITTED RPM Package Manager
    rpm.rte 4.15.1.1 COMMITTED RPM Package Manager
    (tsauti04.hban.us:/)#
    (tsauti04.hban.us:/)# rpm -qa | grep -i sudo
    (tsauti04.hban.us:/)#
    (tsauti04.hban.us:/)# which sudoedit
    /usr/bin/sudoedit
    (tsauti04.hban.us:/)# ls -lrt /usr/bin/sudoedit
    lrwxrwxrwx 1 root system 26 May 20 15:43 /usr/bin/sudoedit -> /opt/freeware/bin/sudoedit
    (tsauti04.hban.us:/)# ls -lrt /opt/freeware/bin/sudoedit
    lrwxrwxrwx 1 root system 4 May 20 15:44 /opt/freeware/bin/sudoedit -> sudo
    (tsauti04.hban.us:/)#
    (tsauti04.hban.us:/)# which sudo
    /usr/bin/sudo
    (tsauti04.hban.us:/)# ls -lrt /usr/bin/sudo
    lrwxrwxrwx 1 root system 22 May 20 15:43 /usr/bin/sudo -> /opt/freeware/bin/sudo
    (tsauti04.hban.us:/)# ls -lrt /opt/freeware/bin/sudo
    -rwsr-xr-x 1 root system 828604 Jun 27 2017 /opt/freeware/bin/sudo
    (tsauti04.hban.us:/)#

    ------------------------------
    Satish Raj
    ------------------------------


  • 2.  RE: How to correct the SUDO Vulnerability - CVE-2021-3156

    Posted Mon May 24, 2021 01:45 AM
    I am not sure where you got sudo from the first time.
    It does not look like it is from AIX Toolbox.
    If you are only interested in the sudo package, you can look at the sudo.ws site, where AIX packages are provided in installp format as well.
    Not sure if they have LDAP support.
    https://www.sudo.ws/download.html#binary

    ------------------------------
    SANKET RATHI
    ------------------------------



  • 3.  RE: How to correct the SUDO Vulnerability - CVE-2021-3156

    Posted Mon May 24, 2021 01:48 AM
    Regarding AIX Toolbox, there are three sudo packages.
    1. sudo_noldap : Sudo with no LDAP support
    2. sudo : Sudo with OpenLDAP support
    3. sudo_ids : Sudo with IBM Directory Server support.

    So you should download the package based on your requirement. Also make sure you uninstall the existing sudo installp, otherwise it can create a conflict.
    You can choose which sudo you want based on your need.

    ------------------------------
    SANKET RATHI
    ------------------------------
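
A pre-change check for the advice above, as an added example that is not part of the original thread: it reads `lslpp -l` and `rpm -qa` text, flags an installp/RPM sudo conflict, and classifies the version against the upstream affected range for CVE-2021-3156 (1.8.2 to 1.8.31p2, 1.9.0 to 1.9.5p1). The function names are hypothetical, and treating the fourth field of an installp level such as 1.8.20.2 as the patch level is an assumption.

```shell
# Added example; function names are hypothetical, not from the thread.
# Print "major minor micro patch" for 1.9.5p2 or installp-style 1.8.20.2.
# Assumption: a fourth dotted field is treated as the "pN" patch level.
sudo_ver_key() {
    v=$1; patch=0
    case $v in
        *p[0-9]*) patch=${v##*p}; v=${v%p*} ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $v
    IFS=$old_ifs
    echo "${1:-0} ${2:-0} ${3:-0} ${4:-$patch}"
}

# Succeeds when the version falls in 1.8.2-1.8.31p2 or 1.9.0-1.9.5p1.
is_affected() {
    set -- $(sudo_ver_key "$1")
    [ "$1" -eq 1 ] || return 1
    if [ "$2" -eq 8 ]; then
        [ "$3" -ge 2 ] && [ "$3" -le 31 ]
    elif [ "$2" -eq 9 ]; then
        [ "$3" -lt 5 ] || { [ "$3" -eq 5 ] && [ "$4" -lt 2 ]; }
    else
        return 1
    fi
}

# $1 = text of `lslpp -l`, $2 = text of `rpm -qa`.
audit_sudo() {
    lpp=$(printf '%s\n' "$1" | awk '$1 ~ /^sudo/ {print $2}' | sort -u | head -n 1)
    rpmv=$(printf '%s\n' "$2" | sed -n 's/^sudo[^-]*-\([0-9][^-]*\)-.*/\1/p' | head -n 1)
    if [ -n "$lpp" ] && [ -n "$rpmv" ]; then
        echo "CONFLICT installp=$lpp rpm=$rpmv"
    elif [ -z "$lpp$rpmv" ]; then
        echo "NONE"
    elif is_affected "${lpp:-$rpmv}"; then
        echo "AFFECTED ${lpp:-$rpmv}"
    else
        echo "OK ${lpp:-$rpmv}"
    fi
}

# Sample input copied from the command output shown in this thread.
LSLPP_SAMPLE='sudo-ldap.rte 1.8.20.2 COMMITTED Configurable super-user
rpm.rte 4.15.1.1 COMMITTED RPM Package Manager'
RPM_SAMPLE='sudo_ids-1.9.5p2-1.ppc'
audit_sudo "$LSLPP_SAMPLE" ""            # installp fileset only
audit_sudo "" "$RPM_SAMPLE"              # RPM package only
audit_sudo "$LSLPP_SAMPLE" "$RPM_SAMPLE" # both installed at once
```

On a live host the call would be `audit_sudo "$(lslpp -l 2>/dev/null)" "$(rpm -qa 2>/dev/null)"`; a vendor build with a backported fix can report an older version number, so treat AFFECTED as a prompt to check the package's changelog.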



  • 4.  RE: How to correct the SUDO Vulnerability - CVE-2021-3156

    Posted Tue May 25, 2021 12:15 PM
    Hi Sanket, I appreciate your response. I was able to complete the SUDO_IDS rpm install after uninstalling the sudo-ldap.rte package, but it looks like SUDO is broken again with the errors below. Could you help me overcome this issue?

    Through an existing ROOT User session taken prior to rpm upgrade
    (tsauti04.hban.us:/home/h010600pa)# lslpp -l | grep -i sudo
    (tsauti04.hban.us:/home/h010600pa)#
    (tsauti04.hban.us:/home/h010600pa)# rpm -qa | grep -i sudo
    sudo_ids-1.9.5p2-1.ppc
    (tsauti04.hban.us:/home/h010600pa)# which sudo
    /usr/bin/sudo
    (tsauti04.hban.us:/home/h010600pa)# ldd /usr/bin/sudo
    /usr/bin/sudo needs:
    /opt/freeware/libexec/sudo/libsudo_util.so
    /usr/lib/libibmldap.a
    /usr/lib/libintl.a(libintl.so.8)
    /usr/lib/libpthread.a(shr_xpg5.o)
    /usr/lib/libc.a(shr.o)
    /usr/lib/librtl.a(shr.o)
    /usr/lib/libpthreads.a(shr_xpg5.o)
    /opt/IBM/ldap/V6.1/lib/libibmldapdbg.a
    /opt/IBM/ldap/V6.1/lib/libidsldapiconv.a
    /opt/freeware/lib/libgcc_s.a(shr.o)
    /opt/freeware/lib/libiconv.a(libiconv.so.2)
    /unix
    /usr/lib/libpthreads.a(shr_comm.o)
    /usr/lib/libcrypt.a(shr.o)
    /usr/lib/libc_r.a(shr.o)
    (tsauti04.hban.us:/home/h010600pa)#
    (tsauti04.hban.us:/home/h010600pa)# sudo -l
    sudo: Account expired or PAM config lacks an "account" section for sudo, contact your system administrator
    sudo: a password is required
    (tsauti04.hban.us:/home/h010600pa)#

    Through non-root user session, post sudo rpm upgrade
    $ sudo su -
    Sorry, try again.
    Sorry, try again.
    sudo: 3 incorrect password attempts
    $

    grep sudo /etc/pam.conf --> No entries as suggested on other discussion threads; looks consistent on failing & other working servers
    /etc/pam.d --> No such directory on failing & other working servers

    (tsauti04.hban.us:/home/h010600pa)# lsuser -a expires root
    root expires=0
    (tsauti04.hban.us:/home/h010600pa)# lsuser -a login rlogin root
    root login=true rlogin=false
    (tsauti04.hban.us:/home/h010600pa)#

    Thanks

    ------------------------------
    Satish Raj
    ------------------------------