Bug 1459152 (CVE-2017-1000368)

Summary: CVE-2017-1000368 sudo: Privilege escalation via improper get_process_ttyname() parsing (insufficient fix for CVE-2017-1000367)
Product: [Other] Security Response Reporter: Andrej Nemec <anemec>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: dkopecek, jvymazal, kent, kseifried, kzak, mattdm, pkis, rsroka, sardella, slawomir, tosykora
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: sudo 1.8.20p2 Doc Type: If docs needed, set a value
Doc Text:
It was found that the original fix for CVE-2017-1000367 was incomplete. A flaw was found in the way sudo parsed tty information from the process status file in the proc filesystem. A local user with privileges to execute commands via sudo could use this flaw to escalate their privileges to root.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2017-06-27 06:46:59 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1459407, 1459408, 1459409, 1459410, 1459411    
Bug Blocks: 1458426    

Description Andrej Nemec 2017-06-06 12:26:45 UTC 
Todd Miller's sudo version 1.8.20p1 and earlier is vulnerable to an input validation (embedded newlines) in the get_process_ttyname() function resulting in information disclosure and command execution.
Comment 1 Andrej Nemec 2017-06-06 12:27:59 UTC 
External References:

https://www.sudo.ws/alerts/linux_tty.html
https://access.redhat.com/security/vulnerabilities/3059071
https://access.redhat.com/security/cve/CVE-2017-1000367
Comment 2 Andrej Nemec 2017-06-06 12:50:22 UTC 
*** Bug 1458425 has been marked as a duplicate of this bug. ***
Comment 3 Huzaifa S. Sidhpurwala 2017-06-07 04:44:19 UTC 
Upstream patch seems to be:

https://www.sudo.ws/repos/sudo/rev/15a46f4007dd
Comment 10 Huzaifa S. Sidhpurwala 2017-06-15 05:35:57 UTC 
Notes about exploitation:

This flaw can lead to executing commands as root, when a root terminal is open on the same machine. Since you actually need a root terminal to be open on the machine the exploit is being run, this is not a straight forward privilege escalation flaw. Therefore this is rated as having Moderate impact.
Comment 11 errata-xmlrpc 2017-06-22 19:41:44 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5 Extended Lifecycle Support
  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 7

Via RHSA-2017:1574 https://access.redhat.com/errata/RHSA-2017:1574