Bug 1786704 (CVE-2019-19232)

Summary: CVE-2019-19232 sudo: attacker with access to a Runas ALL sudoer account can impersonate a nonexistent user
Product: [Other] Security Response
Reporter: Dhananjay Arunesh <darunesh>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: akjain, dapospis, dkopecek, kzak, mattdm, rsroka, tjaros, tosykora
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: sudo 1.8.30
Doc Type: If docs needed, set a value
Doc Text:
It was found that sudo always allowed commands to be run with unknown user or group ids if the sudo configuration allowed it, for example via the "ALL" alias. This could allow sudo to impersonate a non-existent account and, depending on how applications are configured, could lead to a bypass of certain restrictions. This is now explicitly disabled. A new setting called "allow_unknown_runas_id" was introduced in order to enable this.
Story Points: ---
Last Closed: 2020-04-28 16:35:11 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1786705, 1786986, 1786987
Bug Blocks: 1786710

Description Dhananjay Arunesh 2019-12-27 11:30:45 UTC
A vulnerability was found in Sudo through 1.8.29: an attacker with access to a Runas ALL sudoer account can impersonate a nonexistent user by invoking sudo with a numeric uid that is not associated with any user.

Reference:
https://www.sudo.ws/stable.html#1.8.30
https://www.sudo.ws/devel.html#1.8.30b2

Comment 1 Dhananjay Arunesh 2019-12-27 11:31:09 UTC
Created sudo tracking bugs for this issue:

Affects: fedora-all [bug 1786705]

Comment 2 Huzaifa S. Sidhpurwala 2019-12-30 07:45:29 UTC
Upstream patch: https://www.sudo.ws/repos/sudo/rev/ebdbb5c7f60b

Comment 3 Huzaifa S. Sidhpurwala 2019-12-30 07:59:11 UTC
Analysis:

sudo would always allow unknown user or group IDs if the sudoers entry permitted it. This included the "ALL" alias, which basically means that if the sudoers allowed it, the particular binary could be run with a user id or group id which is non-existent.

This would allow users to impersonate non-existing users and could be used to bypass certain application restrictions.

This was fixed by introducing a new setting called "allow_unknown_runas_id" to control matching of unknown IDs.

Comment 5 Huzaifa S. Sidhpurwala 2020-01-06 08:54:23 UTC
Statement:

A new setting variable called "allow_unknown_runas_id" was introduced which would explicitly allow sudo to run applications with unknown user or group ids (provided sudo was configured that way, for example via the runas parameter, etc.).

Comment 6 Huzaifa S. Sidhpurwala 2020-01-06 08:54:25 UTC
External References:

https://www.sudo.ws/stable.html#1.8.30

Comment 8 Huzaifa S. Sidhpurwala 2020-02-25 06:59:52 UTC
Mitigation:

This flaw only affects specific, non-default configurations of sudo, in which a sudoers configuration entry allows a user to run a command as any user except root. Any other configuration of sudo is not affected by this flaw.
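
The matching logic described in Comment 3 and the "any user except root" configuration named in the mitigation above, modelled as an added example (not sudo's code, not part of this bug report). It assumes a constructed sudoers line and a constructed uid table in place of pwd.getpwuid(); the flag allow_unknown models the allow_unknown_runas_id default before and after 1.8.30.

```python
import re

# Constructed uid table in place of pwd.getpwuid(); real code would use pwd.getpwuid(uid).pw_name.
KNOWN_UIDS = {0: "root", 33: "www-data", 1000: "alice"}
# Constructed sudoers fragment: the non-default "any user except root" shape from the mitigation.
SUDOERS = "alice ALL=(ALL, !root) /usr/bin/vim\n"
RULE_RE = re.compile(r"^(?P<user>\S+)\s+\S+=\((?P<runas>[^)]*)\)\s+(?P<cmd>.+)$")

def lookup_uid(uid):
    if uid in KNOWN_UIDS:
        return KNOWN_UIDS[uid]
    raise KeyError(uid)  # same failure mode as pwd.getpwuid() for an unassigned uid

def parse_sudoers(text, allow_unknown=False):
    """Return (rules, allow_unknown): False is the 1.8.30 default, True models
    sudo <= 1.8.29; a Defaults line in the text overrides either."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("Defaults"):
            if "allow_unknown_runas_id" in line:
                allow_unknown = "!allow_unknown_runas_id" not in line
            continue
        m = RULE_RE.match(line)
        if m:
            rules.append((m["user"], [s.strip() for s in m["runas"].split(",")], m["cmd"]))
    return rules, allow_unknown

def resolve_target(target, lookup=lookup_uid):
    """Map a `sudo -u` target ('name' or '#uid') to an account name, None if unassigned."""
    if not target.startswith("#"):
        return target
    try:
        return lookup(int(target[1:]))
    except KeyError:
        return None

def runas_allowed(rules, allow_unknown, user, target, cmd, lookup=lookup_uid):
    name = resolve_target(target, lookup)
    if name is None and not allow_unknown:
        return False  # the 1.8.30 fix: an unassigned uid is refused unless enabled
    for rule_user, runas, rule_cmd in rules:
        if rule_user != user or rule_cmd != cmd:
            continue
        if name is not None and "!" + name in runas:
            continue  # an explicit exclusion such as !root
        if "ALL" in runas or name in runas:
            return True  # for an unassigned uid only ALL can match: the CVE condition
    return False
```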

Comment 9 errata-xmlrpc 2020-04-28 15:54:30 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:1804 https://access.redhat.com/errata/RHSA-2020:1804

Comment 10 Product Security DevOps Team 2020-04-28 16:35:11 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-19232