Detections
Analytics

MiracleLinux 4 : sudo-1.8.6p3-12.AXS4 (AXSA:2014-027:01)

critical Nessus Plugin ID 289423

Synopsis

The remote MiracleLinux host is missing one or more security updates.

Description

The remote MiracleLinux 4 host has a package installed that is affected by multiple vulnerabilities as referenced in the AXSA:2014-027:01 advisory.

 Sudo (superuser do) allows a system administrator to give certain users (or groups of users) the ability to run some (or all) commands as root while logging all commands and arguments. Sudo operates on a per- command basis. It is not a replacement for the shell. Features include: the ability to restrict what commands a user may run on a per-host basis, copious logging of each command (providing a clear audit trail of who did what), a configurable timeout of the sudo command, and the ability to use the same configuration file (sudoers) on many different machines.
 Security issues fixed with this release:
 CVE-2013-1775 sudo 1.6.0 through 1.7.10p6 and sudo 1.8.0 through 1.8.6p6 allows local users or physically-proximate attackers to bypass intended time restrictions and retain privileges without re-authenticating by setting the system clock and sudo user timestamp to the epoch.
 CVE-2013-2776 udo 1.3.5 through 1.7.10p5 and 1.8.0 through 1.8.6p6, when running on systems without /proc or the sysctl function with the tty_tickets option enabled, does not properly validate the controlling terminal device, which allows local users with sudo permissions to hijack the authorization of another terminal via vectors related to connecting to a standard input, output, and error file descriptors of another terminal. NOTE:
 this is one of three closely-related vulnerabilities that were originally assigned CVE-2013-1776, but they have been SPLIT because of different affected versions.
 CVE-2013-2777 sudo before 1.7.10p5 and 1.8.x before 1.8.6p6, when the tty_tickets option is enabled, does not properly validate the controlling terminal device, which allows local users with sudo permissions to hijack the authorization of another terminal via vectors related to a session without a controlling terminal device and connecting to a standard input, output, and error file descriptors of another terminal. NOTE: this is one of three closely-related vulnerabilities that were originally assigned CVE-2013-1776, but they have been SPLIT because of different affected versions.
 Fixed bugs:
 sudo now supports netgroup filtering for sources from the SSSD. Previously, SSSD rules applied to all users, even those not part of the specified netgroup. They now only apply to users belonging to the specified netgroup.
 Previously, if both the soft (current) and hard (maximum) values of RLIMIT_NPROC were not limited, sudo would reset them to the parent's value of these limits. This has been fixed and RLIMIT_NPROC can now really be set to unlimited.
 Restored the previous behaviour of sudo and the name of the user running the sudo command is now logged again, instead of root.
 Fixed an error in a loop condition that sometimes triggered a buffer overflow.
 Enhancements:
 sudo now sends debug messages about netgroup matching to the debug log.
 sudo now accepts the ipa_hostname value from the /etc/sssd/sssd.conf configuration file when matching netgroups.

Tenable has extracted the preceding description block directly from the MiracleLinux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected sudo package.

See Also

https://tsn.miraclelinux.com/en/node/4489

Plugin Details

Severity: Critical

ID: 289423

File Name: miracle_linux_AXSA-2014-027.nasl

Version: 1.1

Type: local

Published: 1/16/2026

Updated: 1/16/2026

Supported Sensors: Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: High

Score: 8.9

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: Medium

Base Score: 6.9

Temporal Score: 6

Vector: CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2013-1775

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 9.4

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:H/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:miracle:linux:4, p-cpe:/a:miracle:linux:sudo

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/MiracleLinux/release, Host/MiracleLinux/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 3/18/2014

Vulnerability Publication Date: 2/27/2013

Exploitable With

CANVAS (CANVAS)

Reference Information

CVE: CVE-2013-1775, CVE-2013-2776, CVE-2013-2777