[oss-security] 20141016 Abusing TZ for fun (and little profit)

RHSA-2015:1409

1033158

http://www.sudo.ws/alerts/tz.html

GLSA-201504-02

This update for sudo fixes the following security issues :

  - Fix two security vulnerabilities that allowed users to     bypass sudo's NOEXEC functionality :

  - noexec bypass via system() and popen() [CVE-2016-7032,     bsc#1007766]

  - noexec bypass via wordexp() [CVE-2016-7076, bsc#1007501]

  - Fix unsafe handling of TZ environment variable.
    [CVE-2014-9680, bsc#917806]

Additionally, these non-security fixes are included in the update :

  - Fix 'ignoring time stamp from the future' message after     each boot with !tty_tickets. [bsc#899252]

  - Enable support for SASL-based authentication.
    [bsc#979531]

This update was imported from the SUSE:SLE-12:Update update project.

This update for sudo fixes the following issues :

  - fix two security vulnerabilities that allowed users to     bypass sudo's NOEXEC functionality :

  - noexec bypass via system() and popen() [CVE-2016-7032,     bsc#1007766]

  - noexec bypass via wordexp() [CVE-2016-7076, bsc#1007501]

Sudo was updated to the package from SUSE:SLE-12-SP2:Update, incorporating the following new feature :

  - allow dynamic groups with sudo [fate#318850]

The following bug fixes are included :

  - parse /proc/stat for boottime correctly [boo#899252]

  - enable SASL authentication [boo#979531]

This update for sudo fixes the following security issues :

  - Fix two security vulnerabilities that allowed users to     bypass sudo's NOEXEC functionality :

  - noexec bypass via system() and popen() [CVE-2016-7032,     bsc#1007766]

  - noexec bypass via wordexp() [CVE-2016-7076, bsc#1007501]

  - Fix unsafe handling of TZ environment variable.
    [CVE-2014-9680, bsc#917806] Additionally, these     non-security fixes are included in the update :

  - Fix 'ignoring time stamp from the future' message after     each boot with !tty_tickets. [bsc#899252]

  - Enable support for SASL-based authentication.
    [bsc#979531]

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

sudo was updated to fix one security issue.

This security issue was fixed :

  - CVE-2014-9680: Unsafe handling of TZ environment     variable (bsc#917806).

The remote host is running a version of Mac OS X 10.10.x that is prior to version 10.10.5. The installed version is affected by multiple vulnerabilities in the following components :

 - apache (CVE-2014-3581, CVE-2014-3583, CVE-2014-8109, CVE-2015-0228, CVE-2015-0253, CVE-2015-3183, CVE-2015-3185)
 - apache_mod_php (CVE-2015-2783, CVE-2015-2787, CVE-2015-3307, CVE-2015-3329, CVE-2015-3330, CVE-2015-4021, CVE-2015-4022, CVE-2015-4024, CVE-2015-4025, CVE-2015-4026, CVE-2015-4147, CVE-2015-4148)
 - Apple ID OD Plug-in (CVE-2015-3799)
 - AppleGraphicsControl (CVE-2015-5768)
 - Bluetooth (CVE-2015-3777, CVE-2015-3779, CVE-2015-3780, CVE-2015-3786, CVE-2015-3787)
 - bootp (CVE-2015-3778)
 - CloudKit (CVE-2015-3782)
 - CoreMedia Playback (CVE-2015-5777, CVE-2015-5778)
 - CoreText (CVE-2015-5761, CVE-2015-5755)
 - curl (CVE-2014-3613, CVE-2014-3620, CVE-2014-3707, CVE-2014-8150, CVE-2014-8151, CVE-2015-3143, CVE-2015-3144, CVE-2015-3145, CVE-2015-3148, CVE-2015-3153)
 - Data Detectors Engine (CVE-2015-5750)
 - Date & Time pref pane (CVE-2015-3757)
 - Dictionary Application (CVE-2015-3774)
 - DiskImages (CVE-2015-3800)
 - dyld (CVE-2015-3760)
 - FontParser (CVE-2015-3804, CVE-2015-5775, CVE-2015-5756)
 - groff (CVE-2009-5044, CVE-2009-5078)
 - ImageIO (CVE-2015-5758, CVE-2015-5781, CVE-2015-5782)
 - Install Framework Legacy (CVE-2015-5784, CVE-2015-5754)
 - IOFireWireFamily (CVE-2015-3769, CVE-2015-3771, CVE-2015-3772)
 - IOGraphics (CVE-2015-3770, CVE-2015-5783)
 - IOHIDFamily (CVE-2015-5774)
 - Kernel (CVE-2015-3766, CVE-2015-3768, CVE-2015-5747, CVE-2015-5748, CVE-2015-3806, CVE-2015-3803, CVE-2015-3802, CVE-2015-3805, CVE-2015-3776, CVE-2015-3761)
 - Libc (CVE-2015-3796, CVE-2015-3797, CVE-2015-3798)
 - Libinfo (CVE-2015-5776)
 - libpthread (CVE-2015-5757)
 - libxml2 (CVE-2014-0191, CVE-2014-3660, CVE-2015-3807)
 - libxpc (CVE-2015-3795)
 - mail_cmds (CVE-2014-7844)
 - Notification Center OSX (CVE-2015-3764)
 - ntfs (CVE-2015-5763)
 - OpenSSH (CVE-2015-5600)
 - OpenSSL (CVE-2015-1788, CVE-2015-1789, CVE-2015-1790, CVE-2015-1791, CVE-2015-1792)
 - perl (CVE-2013-7422)
 - PostgreSQL (CVE-2014-0067, CVE-2014-8161, CVE-2015-0241, CVE-2015-0242, CVE-2015-0243, CVE-2015-0244)
 - python (CVE-2013-7040, CVE-2013-7338, CVE-2014-1912, CVE-2014-7185, CVE-2014-9365)
 - QL Office (CVE-2015-5773, CVE-2015-3784)
 - Quartz Composer Framework (CVE-2015-5771)
 - Quick Look (CVE-2015-3781)
 - QuickTime 7 (CVE-2015-3779, CVE-2015-5753, CVE-2015-5779, CVE-2015-3765, CVE-2015-3788, CVE-2015-3789, CVE-2015-3790, CVE-2015-3791, CVE-2015-3792, CVE-2015-5751)
 - SceneKit (CVE-2015-5772, CVE-2015-3783)
 - Security (CVE-2015-3775)
 - SMBClient (CVE-2015-3773)
 - Speech UI (CVE-2015-3794)
 - sudo (CVE-2013-1775, CVE-2013-1776, CVE-2013-2776, CVE-2013-2777, CVE-2014-0106, CVE-2014-9680)
 - tcpdump (CVE-2014-8767, CVE-2014-8769, CVE-2014-9140)
 - Text Formats (CVE-2015-3762)
 - udf (CVE-2015-3767)

 Note that successful exploitation of the most serious issues can result in arbitrary code execution.

The remote host is running a version of Mac OS X 10.10.x that is prior to 10.10.5. It is, therefore, affected by multiple vulnerabilities in the following components :

  - apache
  - apache_mod_php
  - Apple ID OD Plug-in
  - AppleGraphicsControl
  - Bluetooth
  - bootp
  - CloudKit
  - CoreMedia Playback
  - CoreText
  - curl
  - Data Detectors Engine
  - Date & Time pref pane
  - Dictionary Application
  - DiskImages
  - dyld
  - FontParser
  - groff
  - ImageIO
  - Install Framework Legacy
  - IOFireWireFamily
  - IOGraphics
  - IOHIDFamily
  - Kernel
  - Libc
  - Libinfo
  - libpthread
  - libxml2
  - libxpc
  - mail_cmds
  - Notification Center OSX
  - ntfs
  - OpenSSH
  - OpenSSL
  - perl
  - PostgreSQL
  - python
  - QL Office
  - Quartz Composer Framework
  - Quick Look
  - QuickTime 7
  - SceneKit
  - Security
  - SMBClient
  - Speech UI
  - sudo
  - tcpdump
  - Text Formats
  - udf 

Note that successful exploitation of the most serious issues can result in arbitrary code execution.

It was discovered that sudo did not perform any checks of the TZ environment variable value. If sudo was configured to preserve the TZ environment variable, a local user with privileges to execute commands via sudo could possibly use this flaw to achieve system state changes not permitted by the configured commands. (CVE-2014-9680)

Note: The default sudoers configuration in Scientific Linux 6 removes the TZ variable from the environment in which commands run by sudo are executed.

This update also fixes the following bugs :

  - Previously, the sudo utility child processes could     sometimes become unresponsive because they ignored the     SIGPIPE signal. With this update, SIGPIPE handler is     properly restored in the function that reads passwords     from the user, and the child processes no longer ignore     SIGPIPE. As a result, sudo child processes do not hang     in this situation.

  - Prior to this update, the order in which sudo rules were     processed did not honor the user-defined sudoOrder     attribute. Consequently, sudo rules were processed in an     undefined order even when the user defined the order in     sudoOrder. The implementation of SSSD support in sudo     has been modified to sort the rules according to the     sudoOrder value, and sudo rules are now sorted in the     order defined by the user in sudoOrder.

  - Previously, sudo became unresponsive after the user     issued a command when a sudoers source was mentioned     multiple times in the /etc/nsswitch.conf file. The     problem occurred when nsswitch.conf contained, for     example, the 'sudoers: files sss sss' entry. The sudoers     source processing code has been fixed to correctly     handle multiple instances of the same sudoers source. As     a result, sudo no longer hangs when a sudoers source is     mentioned multiple times in /etc/nsswitch.conf.

In addition, this update adds the following enhancement :

  - The sudo utility now supports I/O logs compressed using     the zlib library. With this update, sudo can generate     zlib compressed I/O logs and also process zlib     compressed I/O logs generated by other versions of sudo     with zlib support.

The remote OracleVM system is missing necessary patches to address critical security updates :

  - RHEL-6.7 erratum

  - modified the authlogicfix patch to fix #1144448

  - fixed a bug in the ldapusermatchfix patch Resolves:
    rhbz#1144448 Resolves: rhbz#1142122

  - RHEL-6.7 erratum

  - fixed the mantypos-ldap.patch Resolves: rhbz#1138267

  - RHEL-6.7 erratum

  - added patch for (CVE-2014-9680)

  - added BuildRequires for tzdata Resolves: rhbz#1200253

  - RHEL-6.7 erratum

  - added zlib-devel build required to enable zlib     compression support

  - fixed two typos in the sudoers.ldap man page

  - fixed a hang when duplicate nss entries are specified in     nsswitch.conf

  - SSSD: implemented sorting of the result entries     according to the sudoOrder attribute

  - LDAP: fixed logic handling the computation of the 'user     matched' flag

  - fixed restoring of the SIGPIPE signal in the tgetpass     function

  - fixed listpw, verifypw + authenticate option logic in     LDAP/SSSD Resolves: rhbz#1106433 Resolves: rhbz#1138267     Resolves: rhbz#1147498 Resolves: rhbz#1138581 Resolves:
    rhbz#1142122 Resolves: rhbz#1094548 Resolves:
    rhbz#1144448

  - RHEL-6.6 erratum

  - SSSD: dropped the ipahostnameshort patch, as it is not     needed. rhbz#1033703 is a configuration issue. Related:
    rhbz#1033703

  - RHEL-6.6 erratum

  - SSSD: fixed netgroup filter patch

  - SSSD: dropped serparate patch for #1006463, the fix is     now part of the netgroup filter patch Resolves:
    rhbz#1006463 Resolves: rhbz#1083064

  - RHEL-6.6 erratum

  - don't retry authentication when ctrl-c pressed

  - fix double-quote processing in Defaults options

  - fix sesh login shell argv[0]

  - handle the '(none)' hostname correctly

  - SSSD: fix ipa_hostname handling

  - SSSD: fix sudoUser netgroup specification filtering

  - SSSD: list correct user when -U <user> -l specified

  - SSSD: show rule names on long listing (-ll) Resolves:
    rhbz#1065415 Resolves: rhbz#1078338 Resolves:
    rhbz#1052940 Resolves: rhbz#1083064 Resolves:
    rhbz#1033703 Resolves: rhbz#1006447 Resolves:
    rhbz#1006463 Resolves: rhbz#1070952

From Red Hat Security Advisory 2015:1409 :

Updated sudo packages that fix one security issue, three bugs, and add one enhancement are now available for Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having Moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

The sudo packages contain the sudo utility which allows system administrators to provide certain users with the permission to execute privileged commands, which are used for system management purposes, without having to log in as root.

It was discovered that sudo did not perform any checks of the TZ environment variable value. If sudo was configured to preserve the TZ environment variable, a local user with privileges to execute commands via sudo could possibly use this flaw to achieve system state changes not permitted by the configured commands. (CVE-2014-9680)

Note: The default sudoers configuration in Red Hat Enterprise Linux removes the TZ variable from the environment in which commands run by sudo are executed.

This update also fixes the following bugs :

* Previously, the sudo utility child processes could sometimes become unresponsive because they ignored the SIGPIPE signal. With this update, SIGPIPE handler is properly restored in the function that reads passwords from the user, and the child processes no longer ignore SIGPIPE. As a result, sudo child processes do not hang in this situation. (BZ#1094548)

* Prior to this update, the order in which sudo rules were processed did not honor the user-defined sudoOrder attribute. Consequently, sudo rules were processed in an undefined order even when the user defined the order in sudoOrder. The implementation of SSSD support in sudo has been modified to sort the rules according to the sudoOrder value, and sudo rules are now sorted in the order defined by the user in sudoOrder. (BZ#1138581)

* Previously, sudo became unresponsive after the user issued a command when a sudoers source was mentioned multiple times in the /etc/nsswitch.conf file. The problem occurred when nsswitch.conf contained, for example, the 'sudoers: files sss sss' entry. The sudoers source processing code has been fixed to correctly handle multiple instances of the same sudoers source. As a result, sudo no longer hangs when a sudoers source is mentioned multiple times in /etc/nsswitch.conf. (BZ#1147498)

In addition, this update adds the following enhancement :

* The sudo utility now supports I/O logs compressed using the zlib library. With this update, sudo can generate zlib compressed I/O logs and also process zlib compressed I/O logs generated by other versions of sudo with zlib support. (BZ#1106433)

All sudo users are advised to upgrade to these updated packages, which contain backported patches to correct these issues and add this enhancement.

Updated sudo packages that fix one security issue, three bugs, and add one enhancement are now available for Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having Moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

The sudo packages contain the sudo utility which allows system administrators to provide certain users with the permission to execute privileged commands, which are used for system management purposes, without having to log in as root.

It was discovered that sudo did not perform any checks of the TZ environment variable value. If sudo was configured to preserve the TZ environment variable, a local user with privileges to execute commands via sudo could possibly use this flaw to achieve system state changes not permitted by the configured commands. (CVE-2014-9680)

Note: The default sudoers configuration in Red Hat Enterprise Linux removes the TZ variable from the environment in which commands run by sudo are executed.

This update also fixes the following bugs :

* Previously, the sudo utility child processes could sometimes become unresponsive because they ignored the SIGPIPE signal. With this update, SIGPIPE handler is properly restored in the function that reads passwords from the user, and the child processes no longer ignore SIGPIPE. As a result, sudo child processes do not hang in this situation. (BZ#1094548)

* Prior to this update, the order in which sudo rules were processed did not honor the user-defined sudoOrder attribute. Consequently, sudo rules were processed in an undefined order even when the user defined the order in sudoOrder. The implementation of SSSD support in sudo has been modified to sort the rules according to the sudoOrder value, and sudo rules are now sorted in the order defined by the user in sudoOrder. (BZ#1138581)

* Previously, sudo became unresponsive after the user issued a command when a sudoers source was mentioned multiple times in the /etc/nsswitch.conf file. The problem occurred when nsswitch.conf contained, for example, the 'sudoers: files sss sss' entry. The sudoers source processing code has been fixed to correctly handle multiple instances of the same sudoers source. As a result, sudo no longer hangs when a sudoers source is mentioned multiple times in /etc/nsswitch.conf. (BZ#1147498)

In addition, this update adds the following enhancement :

* The sudo utility now supports I/O logs compressed using the zlib library. With this update, sudo can generate zlib compressed I/O logs and also process zlib compressed I/O logs generated by other versions of sudo with zlib support. (BZ#1106433)

All sudo users are advised to upgrade to these updated packages, which contain backported patches to correct these issues and add this enhancement.

This update for sudo provides the following fixes :

Handle TZ environment variable safely. (CVE-2014-9680, bnc#917806)

Do not truncate long commands (131072 or more characters) without any warning. (bnc#901145)

Create log files with ownership set to user and group 'root'.
(bnc#904694)

Close PAM session properly. (bnc#880764)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote host is affected by the vulnerability described in GLSA-201504-02 (sudo: Information disclosure)

    sudo does not handle the TZ environment variable properly.
  Impact :

    A local attacker may be able to read arbitrary files or information from       device special files.
  Workaround :

    There is no known workaround at this time.

Updated sudo packages fix security vulnerability :

Prior to sudo 1.8.12, the TZ environment variable was passed through unchecked. Most libc tzset() implementations support passing an absolute pathname in the time zone to point to an arbitrary, user-controlled file. This may be used to exploit bugs in the C library's TZ parser or open files the user would not otherwise have access to. Arbitrary file access via TZ could also be used in a denial of service attack by reading from a file or fifo that will block (CVE-2014-9680).

The sudo package has been updated to version 1.8.12, fixing this issue and several other bugs.

This update fixes the CVEs described below.

CVE-2014-0106

Todd C. Miller reported that if the env_reset option is disabled in the sudoers file, the env_delete option is not correctly applied to environment variables specified on the command line. A malicious user with sudo permissions may be able to run arbitrary commands with elevated privileges by manipulating the environment of a command the user is legitimately allowed to run.

CVE-2014-9680

Jakub Wilk reported that sudo preserves the TZ variable from a user's environment without any sanitization. A user with sudo access may take advantage of this to exploit bugs in the C library functions which parse the TZ environment variable or to open files that the user would not otherwise be able to open. The latter could potentially cause changes in system behavior when reading certain device special files or cause the program run via sudo to block.

For the oldstable distribution (squeeze), these problems have been fixed in version 1.7.4p4-2.squeeze.5.

For the stable distribution (wheezy), they have been fixed in version 1.8.5p2-1+nmu2.

We recommend that you upgrade your sudo packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Jakub Wilk and Stephane Chazelas discovered that Sudo incorrectly handled the TZ environment variable. An attacker with Sudo access could possibly use this issue to open arbitrary files, bypassing intended permissions.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

- update to 1.8.12

    - fixes CVE-2014-9680

Update to 1.8.11p2

Major upstream changes & fixes :

  - when running a command in the background, sudo will now     forward SIGINFO to the command

    - the passwords in ldap.conf and ldap.secret may now be       encoded in base64.

    - SELinux role changes are now audited. For sudoedit, we       now audit the actual editor being run, instead of just       the sudoedit command.

    - it is now possible to match an environment variable's       value as well as its name using env_keep and env_check

    - new files created via sudoedit as a non-root user now       have the proper group id

    - sudoedit now works correctly in conjunction with       sudo's SELinux RBAC support

    - it is now possible to disable network interface       probing in sudo.conf by changing the value of the       probe_interfaces setting

    - when listing a user's privileges (sudo -l), the       sudoers plugin will now prompt for the user's password       even if the targetpw, rootpw or runaspw options are       set.

    - the new use_netgroups sudoers option can be used to       explicitly enable or disable netgroups support

    - visudo can now export a sudoers file in JSON format       using the new -x flag

Distribution specific changes :

  - added patch to read ldap.conf more closely to nss_ldap

    - require /usr/bin/vi instead of vim-minimal

    - include pam.d/system-auth in PAM session phase from       pam.d/sudo

    - include pam.d/sudo in PAM session phase from       pam.d/sudo-i

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

- update to 1.8.12

    - fixes CVE-2014-9680

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Jakub Wilk reported that sudo, a program designed to provide limited super user privileges to specific users, preserves the TZ variable from a user's environment without any sanitization. A user with sudo access may take advantage of this to exploit bugs in the C library functions which parse the TZ environment variable or to open files that the user would not otherwise be able to open. The later could potentially cause changes in system behavior when reading certain device special files or cause the program run via sudo to block.

New sudo packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix a security issue.

ID	Name	Product	Family	Severity
95556	openSUSE Security Update : sudo (openSUSE-2016-1402)	Nessus	SuSE Local Security Checks	high
95533	openSUSE Security Update : sudo (openSUSE-2016-1381)	Nessus	SuSE Local Security Checks	high
95317	SUSE SLED12 / SLES12 Security Update : sudo (SUSE-SU-2016:2904-1)	Nessus	SuSE Local Security Checks	high
86956	openSUSE Security Update : sudo (openSUSE-2015-687)	Nessus	SuSE Local Security Checks	low
86738	openSUSE Security Update : sudo (openSUSE-2015-703)	Nessus	SuSE Local Security Checks	low
8981	Mac OS X < 10.10.5 Multiple Vulnerabilities	Nessus Network Monitor	Operating System Detection	high
85408	Mac OS X 10.10.x < 10.10.5 Multiple Vulnerabilities	Nessus	MacOS X Local Security Checks	high
85207	Scientific Linux Security Update : sudo on SL6.x i386/x86_64 (20150722)	Nessus	Scientific Linux Local Security Checks	low
85144	OracleVM 3.3 : sudo (OVMSA-2015-0103)	Nessus	OracleVM Local Security Checks	low
85104	Oracle Linux 6 : sudo (ELSA-2015-1409)	Nessus	Oracle Linux Local Security Checks	low
85017	CentOS 6 : sudo (CESA-2015:1409)	Nessus	CentOS Local Security Checks	low
84943	RHEL 6 : sudo (RHSA-2015:1409)	Nessus	Red Hat Local Security Checks	low
83971	SUSE SLED11 / SLES11 Security Update : sudo (SUSE-SU-2015:0985-1)	Nessus	SuSE Local Security Checks	low
82732	GLSA-201504-02 : sudo: Information disclosure	Nessus	Gentoo Local Security Checks	low
82379	Mandriva Linux Security Advisory : sudo (MDVSA-2015:126)	Nessus	Mandriva Local Security Checks	high
82144	Debian DLA-160-1 : sudo security update	Nessus	Debian Local Security Checks	medium
81881	Ubuntu 10.04 LTS / 12.04 LTS / 14.04 LTS / 14.10 : sudo vulnerability (USN-2533-1)	Nessus	Ubuntu Local Security Checks	low
81458	Fedora 20 : sudo-1.8.12-1.fc20 (2015-2247)	Nessus	Fedora Local Security Checks	low
81431	Fedora 21 : sudo-1.8.12-1.fc21 (2015-2281)	Nessus	Fedora Local Security Checks	low
81426	Debian DSA-3167-1 : sudo - security update	Nessus	Debian Local Security Checks	low
81388	Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / current : sudo (SSA:2015-047-03)	Nessus	Slackware Local Security Checks	low

CVE-2014-9680

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins