AIX Open Source

Share your experiences and connect with fellow developers to discover how to build and manage open source software for the AIX operating system


SUDO 1.8.27 vulnerable to CVE-2019-14287 - Fixed in 1.8.28


  • 1.  SUDO 1.8.27 vulnerable to CVE-2019-14287 - Fixed in 1.8.28

    Posted Tue October 15, 2019 09:07 AM

    Originally posted by: janhar


    This thread is started to follow status of CVE-2019-14287, which is fixed in 1.8.28

    https://sensorstechforum.com/cve-2019-14287-sudo-bug/

     



  • 2.  Re: SUDO 1.8.27 vulnerable to CVE-2019-14287 - Fixed in 1.8.28

    Posted Tue October 15, 2019 09:23 AM

    Originally posted by: Edward Davignon


    Thanks.  I was trying to post this, but I kept getting kicked out with the message: You have been automatically logged out of the server due to inactivity. Copy any text you have entered to your clipboard so you won't lose it, then log in to start over.  Log in



  • 3.  Re: SUDO 1.8.27 vulnerable to CVE-2019-14287 - Fixed in 1.8.28

    Posted Wed October 16, 2019 10:08 AM

    Originally posted by: sangameshm


    Okay.

    We will make this available on AIX toolbox in another 2-3 weeks.

     

    Thanks,

    Sangamesh



  • 4.  Re: SUDO 1.8.27 vulnerable to CVE-2019-14287 - Fixed in 1.8.28

    Posted Mon November 11, 2019 03:30 AM

    Originally posted by: 7TWH_Tomas_Drabek


    Hello, please, do you have any update or ETA on this?



  • 5.  Re: SUDO 1.8.27 vulnerable to CVE-2019-14287 - Fixed in 1.8.28

    Posted Wed November 13, 2019 11:40 AM

    Originally posted by: sangameshm


    We will try to make the latest version available in 2 weeks.

     

    Thanks,



    Sangamesh



  • 6.  Re: SUDO 1.8.27 vulnerable to CVE-2019-14287 - Fixed in 1.8.28

    Posted Tue December 03, 2019 03:39 AM

    Originally posted by: 7TWH_Tomas_Drabek


    Hello, any update? I still see v1.8.27 in the toolbox.



  • 7.  Re: SUDO 1.8.27 vulnerable to CVE-2019-14287 - Fixed in 1.8.28

    Posted Wed December 11, 2019 11:34 AM

    Originally posted by: sangameshm


    1.8.28 has been uploaded to AIX Toolbox.

    Please let us know if any issues.

     

    Thanks,

    Sangamesh



  • 8.  Re: SUDO 1.8.27 vulnerable to CVE-2019-14287 - Fixed in 1.8.28

    Posted Thu October 17, 2019 05:12 AM

    Originally posted by: kali0987


    Hi ,

     

    For the vulnerability CVE-2019-14287: I understand there is a workaround from Red Hat. I just want to check if this is also applicable for AIX, as the sudoers behaviour should be common across all UNIX platforms.

     

    Below are the workaround details, please advise.

     

    The exclusion is specified using an exclamation mark (!). Instead of specifying the root user, just specify it with the user ID.

    someuser ALL=(ALL, !#0) /usr/bin/somecommand

    or by reference to a runas alias:

    runas_Alias MYGROUP = root, adminuser
    someuser ALL=(ALL, !MYGROUP) /usr/bin/somecommand.

    To ensure the sudoers configuration is not affected by this vulnerability, the recommendation is to examine each sudoers entry that includes the '!' character in the runas specification, to ensure that the root user is not among the exclusions.




  • 9.  Re: SUDO 1.8.27 vulnerable to CVE-2019-14287 - Fixed in 1.8.28

    Posted Thu October 17, 2019 11:06 AM

    Originally posted by: Edward Davignon


    I have a test system that does not have users with uid = -1 or uid = "4294967295".  Is this system vulnerable?

    If I run the following test, it incorrectly reports that root (or any other user that runs this) is not in the sudoers file.

    # export PS2=
    # (
    \export PS4='# '
    \unset LIBPATH
    \export PATH='/usr/bin:/etc:/usr/sbin:/usr/ucb:/usr/bin/X11:/sbin'
    \set -x
    \sudo -l
    \id -u
    \sudo '-u#-1' id
    \sudo '-u#-2' id
    \rpm -q sudo
    \uname
    \oslevel -s
    )
    # sudo -l
    User root may run the following commands on [redacted hostname]:
        (ALL) ALL
    # id -u
    0
    # sudo -u#-1 id
    sudo: unable to set runas group vector: No such process
    sudo: unable to set runas group vector: No such process
    root is not in the sudoers file.  This incident will be reported.
    # sudo -u#-2 id
    uid=4294967294(nobody) gid=4294967294(nobody)
    # rpm -q sudo
    sudo-1.8.27-2.ppc
    # uname
    AIX
    # oslevel -s
    7200-03-03-1914
    #
    


  • 10.  Re: SUDO 1.8.27 vulnerable to CVE-2019-14287 - Fixed in 1.8.28

    Posted Sun October 20, 2019 11:05 PM

    Originally posted by: kali0987


    All,

       Can anyone confirm if SUDO 1.8.27 is vulnerable to CVE-2019-14287? I could not reproduce the problem in AIX. If anyone could reproduce the problem or confirm whether AIX is vulnerable, it would be helpful.



  • 11.  Re: SUDO 1.8.27 vulnerable to CVE-2019-14287 - Fixed in 1.8.28

    Posted Mon October 21, 2019 02:43 AM

    Originally posted by: sangameshm


    We are checking on this one.

    As stated by some users already we are also seeing this error.

    $ sudo -u#-1 /usr/bin/id -u
    sudo: unable to set runas group vector: The process does not exist.
    sudo: unable to set runas group vector: No such process
    Password:

     

    In sudo it is discussed that this error is specific to AIX and introduced in sudo-1.8.25 and fixed in 1.8.26.

    But I could still see the same error. I am guessing it could be some configuration issue.

     https://www.sudo.ws/pipermail/sudo-users/2018-December/006162.html

     

    Thanks,

    Sangamesh

     



  • 12.  Re: SUDO 1.8.27 vulnerable to CVE-2019-14287 - Fixed in 1.8.28

    Posted Mon October 21, 2019 03:59 AM

    Originally posted by: kali0987


    If we install 1.8.26, is AIX vulnerable to CVE-2019-14287?



  • 13.  Re: SUDO 1.8.27 vulnerable to CVE-2019-14287 - Fixed in 1.8.28

    Posted Thu October 24, 2019 01:26 PM

    Originally posted by: sangameshm


    I don't think it makes any difference even if we have 1.8.26, but the behaviour seems to be different on AIX with -1 or 4294967295.

    If we have an entry like this, "bob myhost = (ALL,!root) /usr/bin/id", and run sudo as below.

    $ sudo -u#-1 /usr/bin/id
    sudo: unable to set runas group vector: The process does not exist.
    sudo: unable to set runas group vector: No such process

    $ sudo -u#4294967295 /usr/bin/id
    sudo: unable to set runas group vector: The process does not exist.
    sudo: unable to set runas group vector: No such process

    $ sudo -u#0 /usr/bin/id
    uid=0(root) gid=0(system) groups=2(bin),3(sys),7(security),8(cron),10(audit),11(lp)

    Need to check why with 0 id it is still allowing.

     

    Thanks,

    Sangamesh



  • 14.  Re: SUDO 1.8.27 vulnerable to CVE-2019-14287 - Fixed in 1.8.28

    Posted Thu October 24, 2019 03:31 PM

    Originally posted by: Edward Davignon


    Here is a link to a clear and concise explanation of what the bug is and some of its implications for logging and authentication modules such as PAM.

    https://www.sudo.ws/alerts/minus_1_uid.html

    It also states:

    Sudo versions affected:

    Sudo versions prior to 1.8.28 are affected.



  • 15.  Re: SUDO 1.8.27 vulnerable to CVE-2019-14287 - Fixed in 1.8.28

    Posted Thu October 24, 2019 03:37 PM

    Originally posted by: Edward Davignon


    What does "sudo -l" report?

     

    From "man sudoers":

              When multiple entries match for a user, they are applied in
              order.  Where there are multiple matches, the last match is
              used (which is not necessarily the most specific match).
    Not that I fully trust it, since it is not always clear for advanced usages such as the #include and #includedir directives or rules from LDAP or version specific side effects or changes.



  • 16.  Re: SUDO 1.8.27 vulnerable to CVE-2019-14287 - Fixed in 1.8.28

    Posted Fri October 25, 2019 12:41 PM

    Originally posted by: sangameshm


    Thanks for pointing this out. I had some entries which were allowing it to run with uid 0.

     

    $ sudo -l
    User sudocve may run the following commands on fvt-p7z17:
        (ALL, !root) /usr/bin/id
        (ALL : ALL) ALL

     

    After the change.


    bash-5.0$ sudo -l
    User sudocve may run the following commands on fvt-p7z17:
        (ALL, !root) /usr/bin/id
    bash-5.0$ sudo -u#0 /usr/bin/id
    Sorry, user sudocve is not allowed to execute '/usr/bin/id' as root on fvt-p7z17.

     

    Now this is what I see.

     

    bash-5.0$ sudo -u#-1 /usr/bin/id
    sudo: unable to set runas group vector: The process does not exist.
    sudo: unable to set runas group vector: No such process
    Password:
    sudocve is not in the sudoers file.  This incident will be reported.
    bash-5.0$ sudo -u#4294967295 /usr/bin/id
    sudo: unable to set runas group vector: The process does not exist.
    sudo: unable to set runas group vector: No such process
    Password:
    sudocve is not in the sudoers file.  This incident will be reported.
    bash-5.0$ sudo -u#0 /usr/bin/id
    Password:
    Sorry, user sudocve is not allowed to execute '/usr/bin/id' as root on fvt-p7z17

     

    Thanks,

    Sangamesh
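An added example, not from this thread or from the sudo or AIX Toolbox projects: a small Python check that implements the audit posts 8 and 16 describe (flag every sudoers entry whose Runas list keeps root out only with a `!` exclusion, resolving `Runas_Alias` names) and the version test post 9 runs with `rpm -q sudo`. It assumes plain sudoers lines read from a file you supply; `#include`/`#includedir` and LDAP rules are not followed, and the sample sudoers text is constructed from the entries quoted in the thread.

```python
import re

ROOT_TOKENS = {"root", "#0"}      # ways a Runas list can name the superuser
FIXED_VERSION = (1, 8, 28)        # first sudo release fixing CVE-2019-14287

def parse_sudoers(lines):
    """Return (runas_aliases, user_specs) from sudoers lines; includes are not followed."""
    aliases, specs = {}, []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"Runas_Alias\s+(\w+)\s*=\s*(.+)", line, re.I)
        if m:
            aliases[m.group(1)] = [t.strip() for t in m.group(2).split(",")]
            continue
        m = re.match(r"(\S+)\s+([^\s=]+)\s*=\s*\(([^)]*)\)\s*(.+)", line)
        if m:
            user, host, runas, cmd = m.groups()
            runas_users = runas.split(":", 1)[0]          # drop the group list
            specs.append((user, host, [t.strip() for t in runas_users.split(",")], cmd))
    return aliases, specs

def excludes_root(runas_users, aliases):
    """True when the Runas list relies on '!' to exclude root, the pattern sudo < 1.8.28 bypasses."""
    for tok in runas_users:
        if tok.startswith("!"):
            name = tok[1:].strip()
            if ROOT_TOKENS & set(aliases.get(name, [name])):  # expand a Runas_Alias
                return True
    return False

def exposed_entries(lines):
    """Entries (user, host, command) an administrator should review."""
    aliases, specs = parse_sudoers(lines)
    return [(u, h, c) for u, h, runas, c in specs if excludes_root(runas, aliases)]

def sudo_is_fixed(rpm_query_output):
    """Parse 'rpm -q sudo' output such as 'sudo-1.8.27-2.ppc' and compare with 1.8.28."""
    m = re.search(r"sudo-(\d+)\.(\d+)\.(\d+)", rpm_query_output)
    return m is not None and tuple(map(int, m.groups())) >= FIXED_VERSION

SAMPLE_SUDOERS = """\
# constructed sample built from the entries quoted in this thread
Runas_Alias MYGROUP = root, adminuser
someuser ALL=(ALL, !#0) /usr/bin/somecommand
someuser ALL=(ALL, !MYGROUP) /usr/bin/somecommand
bob myhost = (ALL,!root) /usr/bin/id
sudocve ALL=(ALL : ALL) ALL
""".splitlines()

if __name__ == "__main__":
    for entry in exposed_entries(SAMPLE_SUDOERS):
        print("review runas exclusion:", entry)
    print("sudo-1.8.27-2.ppc fixed:", sudo_is_fixed("sudo-1.8.27-2.ppc"))
```

On a real host, feed it the lines of /etc/sudoers and the output of `rpm -q sudo`; any flagged entry on an unfixed package is the case the thread discusses.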