Bug 1191144 (CVE-2014-9680)
Summary: | CVE-2014-9680 sudo: unsafe handling of TZ environment variable | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Vasyl Kaigorodov <vkaigoro> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | carnil, dapospis, dkopecek, fweimer, huzaifas, jwright, kzak, vkaigoro |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | sudo 1.8.12, sudo 1.7.10p9 | Doc Type: | Bug Fix |
Doc Text: |
It was discovered that sudo did not perform any checks of the TZ environment variable value. If sudo was configured to preserve the TZ environment variable, a local user with privileges to execute commands via sudo could possibly use this flaw to achieve system state changes not permitted by the configured commands.
Note: The default sudoers configuration in Red Hat Enterprise Linux removes the TZ variable from the environment in which commands run by sudo are executed.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2016-03-09 21:03:07 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1191145, 1200253, 1235570 | ||
Bug Blocks: | 1191147, 1193283 |
Description
Vasyl Kaigorodov
2015-02-10 14:36:21 UTC
Created sudo tracking bugs for this issue: Affects: fedora-all [bug 1191145] According to the upstream: Affected sudo versions are 1.0.0 through 1.7.10p9 and 1.8.0 through 1.8.11p2. Sudo 1.8.12 and above are not affected. sudo-1.8.12-1.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report. sudo-1.8.12-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report. External References: http://www.sudo.ws/alerts/tz.html Related upstream commits: https://www.sudo.ws/repos/sudo/rev/650ac6938b59 https://www.sudo.ws/repos/sudo/rev/91859f613b88 https://www.sudo.ws/repos/sudo/rev/579b02f0dbe0 This issue may only be relevant in configurations where: - users are only allowed to run specific commands via sudo, but are not given full shell access as the target user (i.e. is it not relevant where sudo is only used by system administrators to open shell with root privileges after initially logging in using their non-root accounts) - sudo preserves TZ environment variable setting for commands it run - i.e. when it is configured to not reset environment by default (using env_reset), or is configured to keep TZ value even after environment reset (using env_keep) This issue does not affect the default sudo configuration in Red Hat Enterprise Linux 5, 6, and 7. The default configuration performs environment reset and does not keep TZ value. Starting with sudo upstream version 1.6.9, environment handling was changed to reset environment by default: http://www.sudo.ws/repos/sudo/file/dba251655c76/UPGRADE The env_reset was made the default in Fedora even earlier, in response to flaws as CVE-2004-1051, CVE-2005-4158, and CVE-2006-0151: https://lists.fedoraproject.org/pipermail/devel/2006-February/080598.html https://pkgs.fedoraproject.org/cgit/rpms/sudo.git/commit/?id=c5558ce This Fedora change was inherited by Red Hat Enterprise Linux 5 and later. Until upstream versions 1.8.12 and 1.7.10p9, sudo included TZ variable in the env_keep list by default. However, the sudoers configuration in Red Hat Enterprise Linux 5 and later, and Fedora overrides that compiled-in upstream default by not including TZ in env_keep. Hence the default configuration is not affected by this issue. In affected configurations, this issue can be mitigated by ensuring that TZ environment setting is not preserved for commands executed by sudo. In configurations that use env_reset but do not excluded TZ from env_keep (e.g. when env_keep is not used in sudoers at all and compiled-in default list including TZ is used), TZ can be removed from env_keep using sudoers directive: Defaults env_keep -= "TZ" In configurations that do not use env_reset (such as the default configuration in Red Hat Enterprise Linux 4), sudo can be configured to explicitly remote TZ from environment using sudoers directive: Defaults env_delete += "TZ" Where sudo is used to run specific commands without giving full shell access, it it recommended to use env_reset with a carefully selected list of variables to preserve rather than explicitly configure blacklist of variables to unset. Statement: This issue did not affect the default sudo configuration in Red Hat Enterprise Linux 5, 6, and 7. This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2015:1409 https://rhn.redhat.com/errata/RHSA-2015-1409.html This issue was fixed in Red Hat Enterprise Linux 7 via RHBA-2015:2424: https://rhn.redhat.com/errata/RHBA-2015-2424.html Released as part of Red Hat Enterprise Linux 7.2. |