sudoedit in Sudo before 1.8.15 allows local users to gain privileges via a symlink attack on a file whose full path is defined using multiple wildcards in /etc/sudoers, as demonstrated by "/home/*/*/file.txt."

The remote NewStart CGSL host, running version MAIN 6.02, has sudo packages installed that are affected by multiple vulnerabilities:

  - A certain Fedora patch for parse.c in sudo before 1.7.4p5-1.fc14 on Fedora 14 does not properly interpret     a system group (aka %group) in the sudoers file during authorization decisions for a user who belongs to     that group, which allows local users to leverage an applicable sudoers file and gain root privileges via a     sudo command. NOTE: this vulnerability exists because of a CVE-2009-0034 regression. (CVE-2011-0008)

  - check.c in sudo 1.7.x before 1.7.4p5, when a Runas group is configured, does not require a password for     command execution that involves a gid change but no uid change, which allows local users to bypass an     intended authentication requirement via the -g option to a sudo command. (CVE-2011-0010)

  - Format string vulnerability in the sudo_debug function in Sudo 1.8.0 through 1.8.3p1 allows local users to     execute arbitrary code via format string sequences in the program name for sudo. (CVE-2012-0809)

  - sudo 1.6.x and 1.7.x before 1.7.9p1, and 1.8.x before 1.8.4p5, does not properly support configurations     that use a netmask syntax, which allows local users to bypass intended command restrictions in     opportunistic circumstances by executing a command on a host that has an IPv4 address. (CVE-2012-2337)

  - sudo 1.6.0 through 1.7.10p6 and sudo 1.8.0 through 1.8.6p6 allows local users or physically proximate     attackers to bypass intended time restrictions and retain privileges without re-authenticating by setting     the system clock and sudo user timestamp to the epoch. (CVE-2013-1775)

  - sudo 1.3.5 through 1.7.10 and 1.8.0 through 1.8.5, when the tty_tickets option is enabled, does not     properly validate the controlling terminal device, which allows local users with sudo permissions to     hijack the authorization of another terminal via vectors related to connecting to the standard input,     output, and error file descriptors of another terminal. NOTE: this is one of three closely-related     vulnerabilities that were originally assigned CVE-2013-1776, but they have been SPLIT because of different     affected versions. (CVE-2013-1776)

  - sudo before 1.8.12 does not ensure that the TZ environment variable is associated with a zoneinfo file,     which allows local users to open arbitrary files for read access (but not view file contents) by running a     program within an sudo session, as demonstrated by interfering with terminal output, discarding kernel-log     messages, or repositioning tape drives. (CVE-2014-9680)

  - sudoedit in Sudo before 1.8.15 allows local users to gain privileges via a symlink attack on a file whose     full path is defined using multiple wildcards in /etc/sudoers, as demonstrated by /home/*/*/file.txt.
    (CVE-2015-5602)

  - sudo before version 1.8.18p1 is vulnerable to a bypass in the sudo noexec restriction if application run     via sudo executed wordexp() C library function with a user supplied argument. A local user permitted to     run such application via sudo with noexec restriction could possibly use this flaw to execute arbitrary     commands with elevated privileges. (CVE-2016-7076)

  - Todd Miller's sudo version 1.8.20 and earlier is vulnerable to an input validation (embedded spaces) in     the get_process_ttyname() function resulting in information disclosure and command execution.
    (CVE-2017-1000367)

  - ** DISPUTED ** In Sudo through 1.8.29, an attacker with access to a Runas ALL sudoer account can     impersonate a nonexistent user by invoking sudo with a numeric uid that is not associated with any user.
    NOTE: The software maintainer believes that this is not a vulnerability because running a command via sudo     as a user not present in the local password database is an intentional feature. Because this behavior     surprised some users, sudo 1.8.30 introduced an option to enable/disable this behavior with the default     being disabled. However, this does not change the fact that sudo was behaving as intended, and as     documented, in earlier versions. (CVE-2019-19232)

  - Sudo before 1.9.5p2 contains an off-by-one error that can result in a heap-based buffer overflow, which     allows privilege escalation to root via sudoedit -s and a command-line argument that ends with a single     backslash character. (CVE-2021-3156)

  - A heap-based buffer overflow was found in the way sudo parses command line arguments. This flaw is     exploitable by any local user who can execute the sudo command without authentication. Successful     exploitation of this flaw could lead to privilege escalation.  (CVE-2021-3156)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote host is affected by the vulnerability described in GLSA-201606-13 (sudo: Unauthorized privilege escalation in sudoedit)

    sudoedit in sudo is vulnerable to the escalation of privileges by local       users via a symlink attack.  This can be exploited by a file whose full       path is defined using multiple wildcards in &ldquo;/etc/sudoers&rdquo;, as       demonstrated by &ldquo;/home/*/*/file.txt&rdquo;.
  Impact :

    Local users are able to gain unauthorized privileges on the system.
  Workaround :

    There is no known work around at this time.

sudo-1.8.15-1.fc21 - update to 1.8.15 - fixes CVE-2015-5602 sudo-1.8.15-1.fc22 - update to 1.8.15 - fixes CVE-2015-5602 sudo-1.8.15-1.fc23 - update to 1.8.15 - fixes CVE-2015-5602

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

MITRE reports :

sudoedit in Sudo before 1.8.15 allows local users to gain privileges via a symlink attack on a file whose full path is defined using multiple wildcards in /etc/sudoers, as demonstrated by '/home/*/*/file.txt.'

When sudo is configured to allow a user to edit files under a directory that they can already write to without using sudo, they can actually edit (read and write) arbitrary files. Daniel Svartman reported that a configuration like this might be introduced unintentionally if the editable files are specified using wildcards, for example :

operator ALL=(root) sudoedit /home/*/*/test.txt

The default behaviour of sudo has been changed so that it does not allow editing of a file in a directory that the user can write to, or that is reached by following a symlink in a directory that the user can write to. These restrictions can be disabled, but this is strongly discouraged.

When sudo is configured to allow a user to edit files under a directory that they can already write to without using sudo, they can actually edit (read and write) arbitrary files. Daniel Svartman reported that a configuration like this might be introduced unintentionally if the editable files are specified using wildcards, for example :

operator ALL=(root) sudoedit /home/*/*/test.txt

The default behaviour of sudo has been changed so that it does not allow editing of a file in a directory that the user can write to, or that is reached by following a symlink in a directory that the user can write to. These restrictions can be disabled, but this is strongly discouraged.

For the oldoldstable distribution (squeeze), this has been fixed in version 1.7.4p4-2.squeeze.6.

For the oldstable distribution (wheezy) and the stable distribution (jessie), this will be fixed soon.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
154540	NewStart CGSL MAIN 6.02 : sudo Multiple Vulnerabilities (NS-SA-2021-0120)	Nessus	NewStart CGSL Local Security Checks	high
91844	GLSA-201606-13 : sudo: Unauthorized privilege escalation in sudoedit	Nessus	Gentoo Local Security Checks	high
89266	Fedora 22 : sudo-1.8.15-1.fc22 (2015-6a267387c0)	Nessus	Fedora Local Security Checks	high
89210	Fedora 23 : sudo-1.8.15-1.fc23 (2015-386863df8a)	Nessus	Fedora Local Security Checks	high
88149	FreeBSD : sudo -- potential privilege escalation via symlink misconfiguration (2e8cdd36-c3cc-11e5-b5fe-002590263bf5)	Nessus	FreeBSD Local Security Checks	high
87852	Debian DSA-3440-1 : sudo - security update	Nessus	Debian Local Security Checks	high
87826	Debian DLA-382-1 : sudo security update	Nessus	Debian Local Security Checks	high

Detections

Analytics

CVE-2015-5602

critical

Tenable Plugins

high

high

high

high

high

high

high