AIX Open Source

 View Only
  • 1.  Sudo.rte with vulnerability

    Posted Tue July 27, 2021 02:26 PM
    We upgraded from AIX 6.1 to 7.2 and found that server had vulnerabilities on  sudo.rte  . AIX 6.1 is not update date as it is out of scope.

    Currently server had below sudo version with  AIX 7.2  , Can I install directly  rpm package sudo_ids-1.9.5p2-1.ppc ? or  do I have to remove sudo.rte  before installing sudo_ids-1.9.5p2-1.ppc ? 

    --> lslpp -l |grep sudo
    sudo.rte 1.8.20.2 COMMITTED Configurable super-user
    sudo.rte 1.8.20.2 COMMITTED Configurable super-user

    --> oslevel -s
    7200-04-01-1939



    ------------------------------
    Nag N
    ------------------------------


  • 2.  RE: Sudo.rte with vulnerability

    Posted Wed July 28, 2021 09:10 AM
    Hello
    I noticed you did initiate a thread per the recommendation in the case. 
    Since I work as a liaison with the AIX OSS team, I try to keep an eye on case-to-forum transitions.
     
    I am providing the info I had shared in the case, as reference, and the team may have additional comments.

    As mentioned, IBM (AIX or AIX Toolbox for Linux Applications) does not provide that file set, so cannot make any official assessments about this. 
    Since the version is vulnerable, I would think it is best to uninstall it.

    If you do not want to remove it, you could compare the package listing to lslpp -f sudo.rte, to see if there are any conflicts.

    # rpm -qpl http://public.dhe.ibm.com/aix/freeSoftware/aixtoolbox/RPMS/ppc/sudo/sudo-1.9.5p2-1.aix6.1.ppc.rpm

    /etc/rc.d/init.d/sudo
    /etc/rc.d/rc2.d/S90sudo
    /etc/sudoers
    /etc/sudoers.d
    /opt/freeware/bin/sudo
    /opt/freeware/bin/sudo_32
    /opt/freeware/bin/sudo_64
    /opt/freeware/bin/sudoedit
    /opt/freeware/bin/sudoedit_32
    /opt/freeware/bin/sudoedit_64
    /opt/freeware/bin/sudoreplay
    /opt/freeware/bin/sudoreplay_32
    /opt/freeware/bin/sudoreplay_64
    /opt/freeware/doc/sudo-1.9.5p2
    /opt/freeware/doc/sudo-1.9.5p2/HISTORY
    /opt/freeware/doc/sudo-1.9.5p2/INSTALL
    /opt/freeware/doc/sudo-1.9.5p2/LICENSE
    /opt/freeware/doc/sudo-1.9.5p2/NEWS
    /opt/freeware/doc/sudo-1.9.5p2/README
    /opt/freeware/doc/sudo-1.9.5p2/README.LDAP
    /opt/freeware/doc/sudo-1.9.5p2/TROUBLESHOOTING
    /opt/freeware/doc/sudo-1.9.5p2/UPGRADE
    /opt/freeware/include/sudo_plugin.h
    /opt/freeware/libexec/sudo
    /opt/freeware/libexec/sudo/audit_json.la
    /opt/freeware/libexec/sudo/audit_json.so
    /opt/freeware/libexec/sudo/group_file.la
    /opt/freeware/libexec/sudo/group_file.so
    /opt/freeware/libexec/sudo/libsudo_util.la
    /opt/freeware/libexec/sudo/libsudo_util.so
    /opt/freeware/libexec/sudo/libsudo_util.so.0
    /opt/freeware/libexec/sudo/libsudo_util.so.0.0.0
    /opt/freeware/libexec/sudo/sample_approval.la
    /opt/freeware/libexec/sudo/sample_approval.so
    /opt/freeware/libexec/sudo/sudo_noexec.la
    /opt/freeware/libexec/sudo/sudo_noexec.so
    /opt/freeware/libexec/sudo/sudoers.la
    /opt/freeware/libexec/sudo/sudoers.so
    /opt/freeware/libexec/sudo/system_group.la
    /opt/freeware/libexec/sudo/system_group.so
    /opt/freeware/libexec64/sudo
    /opt/freeware/libexec64/sudo/audit_json.la
    /opt/freeware/libexec64/sudo/audit_json.so
    /opt/freeware/libexec64/sudo/group_file.la
    /opt/freeware/libexec64/sudo/group_file.so
    /opt/freeware/libexec64/sudo/libsudo_util.la
    /opt/freeware/libexec64/sudo/libsudo_util.so
    /opt/freeware/libexec64/sudo/libsudo_util.so.0
    /opt/freeware/libexec64/sudo/libsudo_util.so.0.0.0
    /opt/freeware/libexec64/sudo/sample_approval.la
    /opt/freeware/libexec64/sudo/sample_approval.so
    /opt/freeware/libexec64/sudo/sudo_noexec.la
    /opt/freeware/libexec64/sudo/sudo_noexec.so
    /opt/freeware/libexec64/sudo/sudoers.la
    /opt/freeware/libexec64/sudo/sudoers.so
    /opt/freeware/libexec64/sudo/system_group.la
    /opt/freeware/libexec64/sudo/system_group.so
    /opt/freeware/man/man5/sudo.conf.5
    /opt/freeware/man/man5/sudo_logsrv.proto.5
    /opt/freeware/man/man5/sudo_logsrvd.conf.5
    /opt/freeware/man/man5/sudoers.5
    /opt/freeware/man/man5/sudoers.ldap.5
    /opt/freeware/man/man5/sudoers_timestamp.5
    /opt/freeware/man/man8/sudo.8
    /opt/freeware/man/man8/sudoedit.8
    /opt/freeware/man/man8/sudoreplay.8
    /opt/freeware/man/man8/visudo.8
    /opt/freeware/sbin/visudo
    /opt/freeware/sbin/visudo_32
    /opt/freeware/sbin/visudo_64
    /usr/bin/sudo
    /usr/bin/sudo_32
    /usr/bin/sudo_64
    /usr/bin/sudoedit
    /usr/bin/sudoedit_32
    /usr/bin/sudoedit_64
    /usr/bin/sudoreplay
    /usr/bin/sudoreplay_32
    /usr/bin/sudoreplay_64
    /usr/sbin/visudo
    /usr/sbin/visudo_32
    /usr/sbin/visudo_64
    /var/lib/sudo
    /var/lib/sudo/lectured
    /var/run/sudo

    ------------------------------
    Jan Harris
    ------------------------------



  • 3.  RE: Sudo.rte with vulnerability

    Posted Wed July 28, 2021 12:41 PM
    Thank you Jan. 

    Hi Nag,
    This fileset is not provided by AIX toolbox so we are not sure what all it delivers and what could be conflicts.
    In our opinion if you want to install sudo from AIX toolbox then you may want to remove this sudo.rte fileset to avoid any conflicts.
    sudo from AIX toolbox have multiple dependencies and you will have to install all the dependent packages to make sudo work/install on AIX system.
    sudo for AIX is also provided by sudo community (https://www.sudo.ws/download.html) but we will not be able to answer anything about that.


    ------------------------------
    SANKET RATHI
    ------------------------------