FreeBSD : sudo -- certain authorized users could run commands as any user (13d6d997-f455-11dd-8516-001b77d09812)

This script is Copyright (C) 2009-2013 Tenable Network Security, Inc.


Synopsis :

The remote FreeBSD host is missing a security-related update.

Description :

Todd Miller reports :

A bug was introduced in Sudo's group matching code in version 1.6.9
when support for matching based on the supplemental group vector was
added. This bug may allow certain users listed in the sudoers file to
run a command as a different user than their access rule specifies.

See also :

http://www.nessus.org/u?bf9ec653
http://www.nessus.org/u?fb732e16

Solution :

Update the affected package.

Risk factor :

Medium / CVSS Base Score : 6.9
(CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 5.7
(CVSS2#E:F/RL:OF/RC:C)
Public Exploit Available : true

Family: FreeBSD Local Security Checks

Nessus Plugin ID: 35613 (freebsd_pkg_13d6d997f45511dd8516001b77d09812.nasl)

Bugtraq ID: 33517

CVE ID: CVE-2009-0034
