98838

RHSA-2017:1574

https://kc.mcafee.com/corporate/index?page=content&id=SB10205

GLSA-201710-04

USN-3968-1

USN-3968-2

https://www.sudo.ws/alerts/linux_tty.html

When sudo is configured to allow a user to run commands as an arbitrary user via the ALL keyword in a Runas specification, it is possible to run commands as root by specifying the user ID -1 or 4294967295.

This can be used by a user with sufficient sudo privileges to run commands as root even if the Runas specification explicitly disallows root access as long as the ALL keyword is listed first in the Runas specification. (CVE-2019-14287)

Further details can be found here:
https://www.sudo.ws/alerts/minus_1_uid.html

A flaw was found in the way sudo parsed tty information from the process status file in the proc filesystem. A local user with privileges to execute commands via sudo could use this flaw to escalate their privileges to root.(CVE-2017-1000367)

It was found that the original fix for CVE-2017-1000367 was incomplete. A flaw was found in the way sudo parsed tty information from the process status file in the proc filesystem. A local user with privileges to execute commands via sudo could use this flaw to escalate their privileges to root.(CVE-2017-1000368)

The remote NewStart CGSL host, running version MAIN 4.05, has sudo packages installed that are affected by a vulnerability:

  - It was found that the original fix for CVE-2017-1000367     was incomplete. A flaw was found in the way sudo parsed     tty information from the process status file in the proc     filesystem. A local user with privileges to execute     commands via sudo could use this flaw to escalate their     privileges to root. (CVE-2017-1000368)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

USN-3968-1 fixed a vulnerability in Sudo. This update provides the corresponding update for Ubuntu 14.04 ESM.

Original advisory details :

It was discovered that Sudo did not properly parse the contents of /proc/[pid]/stat when attempting to determine its controlling tty. A local attacker in some configurations could possibly use this to overwrite any file on the filesystem, bypassing intended permissions.
(CVE-2017-1000368).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the sudo package installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - It was found that the original fix for CVE-2017-1000367     was incomplete. A flaw was found in the way sudo parsed     tty information from the process status file in the     proc filesystem. A local user with privileges to     execute commands via sudo could use this flaw to     escalate their privileges to root.(CVE-2017-1000368)

  - A flaw was found in the way sudo parsed tty information     from the process status file in the proc filesystem. A     local user with privileges to execute commands via sudo     could use this flaw to escalate their privileges to     root.(CVE-2017-1000367)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Florian Weimer discovered that Sudo incorrectly handled the noexec restriction when used with certain applications. A local attacker could possibly use this issue to bypass configured restrictions and execute arbitrary commands. (CVE-2016-7076)

It was discovered that Sudo did not properly parse the contents of /proc/[pid]/stat when attempting to determine its controlling tty. A local attacker in some configurations could possibly use this to overwrite any file on the filesystem, bypassing intended permissions.
(CVE-2017-1000368).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

An update of the sudo package has been released.

An update of [zlib,bindutils,ruby,krb5,sudo] packages for PhotonOS has been released.

The remote host is affected by the vulnerability described in GLSA-201710-04 (sudo: Privilege escalation)

    The fix present in app-admin/sudo-1.8.20_p1 (GLSA 201705-15) was       incomplete as it did not address the problem of a command with a newline       in the name.
  Impact :

    A local attacker could execute arbitrary code with root privileges.
  Workaround :

    There is no known workaround at this time.

The remote host is running a version of McAfee Web Gateway (MWG) that is affected by multiple security vulnerabilities :

  - A memory corruption flaw exists in unrar before 5.5.5, as used in     Sophos Anti-Virus Threat Detection Engine before 3.37.2 and other     products that allows remote attackers to execute arbitrary code.
    (CVE-2012-6706)

  - A memory corruption flaw exists in Linux Kernel versions 4.11.5     and earlier that allows remote attacks to execute arbitrary code     with elevated privileges.(CVE-2017-1000364)

  - A memory corruption flaw exists in the handling of LD_LIBRARY_PATH     that allows a remote attacker to manipulate the heap/stack that     may lead to arbitrary code execution. This issue only affects GNU     glibc 2.25 and prior. (CVE-2017-1000366)

  - An input validation flaw exists in Todd Miller's sudo version     1.8.20p1 and earlier that results in information disclosure and     arbitrary command execution. (CVE-2017-1000368)

The remote OracleVM system is missing necessary patches to address critical security updates :

  - Fix (CVE-2017-1000368)

  - Fix (CVE-2017-1000367)

An update for sudo is now available for Red Hat Enterprise Linux 5 Extended Lifecycle Support, Red Hat Enterprise Linux 6, and Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The sudo packages contain the sudo utility which allows system administrators to provide certain users with the permission to execute privileged commands, which are used for system management purposes, without having to log in as root.

Security Fix(es) :

* It was found that the original fix for CVE-2017-1000367 was incomplete. A flaw was found in the way sudo parsed tty information from the process status file in the proc filesystem. A local user with privileges to execute commands via sudo could use this flaw to escalate their privileges to root. (CVE-2017-1000368)

Note that Tenable Network Security has attempted to extract the preceding description block directly from the corresponding Red Hat security advisory. Virtuozzo provides no description for VZLSA advisories. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the version of the sudo package installed, the EulerOS installation on the remote host is affected by the following vulnerability :

  - It was found that the original fix for CVE-2017-1000367     was incomplete. A flaw was found in the way sudo parsed     tty information from the process status file in the     proc filesystem. A local user with privileges to     execute commands via sudo could use this flaw to     escalate their privileges to root. (CVE-2017-1000368)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

It was found that the original fix for CVE-2017-1000367 was incomplete. A flaw was found in the way sudo parsed tty information from the process status file in the proc filesystem. A local user with privileges to execute commands via sudo could use this flaw to escalate their privileges to root. (CVE-2017-1000368)

This update for sudo fixes the following issues :

  - A regression in the fix for the CVE-2017-1000368 that     broke sudo with the 'requiretty' flag (bsc#1045986)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Todd Miller's sudo version 1.8.20p1 and earlier is vulnerable to an input validation (embedded newlines) in the get_process_ttyname() function resulting in information disclosure and command execution.

The previous announcement (DLA-970-1) was about a similar security issue (CVE-2017-1000367) which wasn't completely fixed.

For Debian 7 'Wheezy', these problems have been fixed in version 1.8.5p2-1+nmu3+deb7u4.

We recommend that you upgrade your sudo packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for sudo fixes the following security issue :

  - CVE-2017-1000368: A follow-up fix to CVE-2017-1000367,     the Linux process name could also contain a newline,     which could be used to trick sudo to read/write to an     arbitrary open terminal. (bsc#1042146)

Also the following non security bug was fixed :

  - Link the 'system_group' plugin with sudo_util library to     resolve the missing sudo_dso_findsym symbol     (bsc#1034560)

This update was imported from the SUSE:SLE-12-SP2:Update update project.

Security Fix(es) :

  - It was found that the original fix for CVE-2017-1000367     was incomplete. A flaw was found in the way sudo parsed     tty information from the process status file in the proc     filesystem. A local user with privileges to execute     commands via sudo could use this flaw to escalate their     privileges to root. (CVE-2017-1000368)

The remote OracleVM system is missing necessary patches to address critical security updates :

  - Fixes (CVE-2017-1000368) Resolves: rhbz#1459408

An update for sudo is now available for Red Hat Enterprise Linux 5 Extended Lifecycle Support, Red Hat Enterprise Linux 6, and Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The sudo packages contain the sudo utility which allows system administrators to provide certain users with the permission to execute privileged commands, which are used for system management purposes, without having to log in as root.

Security Fix(es) :

* It was found that the original fix for CVE-2017-1000367 was incomplete. A flaw was found in the way sudo parsed tty information from the process status file in the proc filesystem. A local user with privileges to execute commands via sudo could use this flaw to escalate their privileges to root. (CVE-2017-1000368)

From Red Hat Security Advisory 2017:1574 :

An update for sudo is now available for Red Hat Enterprise Linux 5 Extended Lifecycle Support, Red Hat Enterprise Linux 6, and Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The sudo packages contain the sudo utility which allows system administrators to provide certain users with the permission to execute privileged commands, which are used for system management purposes, without having to log in as root.

Security Fix(es) :

* It was found that the original fix for CVE-2017-1000367 was incomplete. A flaw was found in the way sudo parsed tty information from the process status file in the proc filesystem. A local user with privileges to execute commands via sudo could use this flaw to escalate their privileges to root. (CVE-2017-1000368)

This update for sudo fixes the following issues :

  - CVE-2017-1000368: A follow-up fix to CVE-2017-1000367,     the Linux process name could also contain a newline,     which could be used to trick sudo to read/write to an     arbitrary open terminal. (bsc#1042146) Also the     following non security bug was fixed :

  - Link the 'system_group' plugin with sudo_util library to     resolve the missing sudo_dso_findsym symbol     (bsc#1034560)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for sudo fixes the following security issue :

  - CVE-2017-1000368: A follow-up fix to CVE-2017-1000367,     the Linux process name could also contain a newline,     which could be used to trick sudo to read/write to an     arbitrary open terminal. (bsc#1042146) Also the     following non security bug was fixed :

  - Link the 'system_group' plugin with sudo_util library to     resolve the missing sudo_dso_findsym symbol     (bsc#1034560)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
129851	Amazon Linux 2 : sudo (ALAS-2019-1315)	Nessus	Amazon Linux Local Security Checks	high
127331	NewStart CGSL MAIN 4.05 : sudo Vulnerability (NS-SA-2019-0102)	Nessus	NewStart CGSL Local Security Checks	high
125593	Ubuntu 14.04 LTS : sudo vulnerability (USN-3968-2)	Nessus	Ubuntu Local Security Checks	high
124952	EulerOS Virtualization 3.0.1.0 : sudo (EulerOS-SA-2019-1449)	Nessus	Huawei Local Security Checks	high
124679	Ubuntu 16.04 LTS : sudo vulnerabilities (USN-3968-1)	Nessus	Ubuntu Local Security Checks	high
121703	Photon OS 1.0: Sudo PHSA-2017-0021	Nessus	PhotonOS Local Security Checks	high
111870	Photon OS 1.0: Bindutils / Krb5 / Ruby / Sudo / Zlib PHSA-2017-0021 (deprecated)	Nessus	PhotonOS Local Security Checks	high
103722	GLSA-201710-04 : sudo: Privilege escalation	Nessus	Gentoo Local Security Checks	high
102496	McAfee Web Gateway 7.6.x < 7.6.2.15 / 7.7.x < 7.7.2.3 Multiple Vulnerabilities (SB10205)	Nessus	Misc.	critical
102063	OracleVM 3.2 : sudo (OVMSA-2017-0125)	Nessus	OracleVM Local Security Checks	high
101486	Virtuozzo 6 : sudo / sudo-devel (VZLSA-2017-1574)	Nessus	Virtuozzo Local Security Checks	high
101309	EulerOS 2.0 SP2 : sudo (EulerOS-SA-2017-1121)	Nessus	Huawei Local Security Checks	high
101308	EulerOS 2.0 SP1 : sudo (EulerOS-SA-2017-1120)	Nessus	Huawei Local Security Checks	high
101272	Amazon Linux AMI : sudo (ALAS-2017-855)	Nessus	Amazon Linux Local Security Checks	high
101230	SUSE SLES12 Security Update : sudo (SUSE-SU-2017:1778-1)	Nessus	SuSE Local Security Checks	high
101225	SUSE SLED12 / SLES12 Security Update : sudo (SUSE-SU-2017:1771-1)	Nessus	SuSE Local Security Checks	high
101210	Debian DLA-1011-1 : sudo security update	Nessus	Debian Local Security Checks	high
101137	openSUSE Security Update : sudo (openSUSE-2017-744)	Nessus	SuSE Local Security Checks	high
101041	Scientific Linux Security Update : sudo on SL6.x, SL7.x i386/x86_64 (20170623)	Nessus	Scientific Linux Local Security Checks	high
101040	OracleVM 3.3 / 3.4 : sudo (OVMSA-2017-0114)	Nessus	OracleVM Local Security Checks	high
101023	RHEL 6 / 7 : sudo (RHSA-2017:1574)	Nessus	Red Hat Local Security Checks	high
101022	Oracle Linux 6 / 7 : sudo (ELSA-2017-1574)	Nessus	Oracle Linux Local Security Checks	high
101005	CentOS 6 / 7 : sudo (CESA-2017:1574)	Nessus	CentOS Local Security Checks	high
100953	SUSE SLES12 Security Update : sudo (SUSE-SU-2017:1627-1)	Nessus	SuSE Local Security Checks	high
100952	SUSE SLED12 / SLES12 Security Update : sudo (SUSE-SU-2017:1626-1)	Nessus	SuSE Local Security Checks	high

CVE-2017-1000368

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins