Bug 1786704 (CVE-2019-19232)
Summary: | CVE-2019-19232 sudo: attacker with access to a Runas ALL sudoer account can impersonate a nonexistent user | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Dhananjay Arunesh <darunesh> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | akjain, dapospis, dkopecek, kzak, mattdm, rsroka, tjaros, tosykora |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | sudo 1.8.30 | Doc Type: | If docs needed, set a value |
Doc Text: | It was found that sudo always allowed commands to be run with an unknown user or group ID when the sudoers configuration permitted it, for example via the "ALL" alias in the Runas specification. This let sudo impersonate a non-existent account and, depending on how applications are configured, could lead to a bypass of certain restrictions. This behaviour is now disabled by default; a new sudoers setting, "allow_unknown_runas_id", was introduced to enable it explicitly. | |
Story Points: | --- |
Clone Of: | | Environment: |
Last Closed: | 2020-04-28 16:35:11 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1786705, 1786986, 1786987 | ||
Bug Blocks: | 1786710 |
Description
Dhananjay Arunesh
2019-12-27 11:30:45 UTC
Created sudo tracking bugs for this issue:

Affects: fedora-all [bug 1786705]

Upstream patch: https://www.sudo.ws/repos/sudo/rev/ebdbb5c7f60b

Analysis: sudo would always allow unknown user or group IDs if the sudoers entry permitted it. This included the "ALL" alias, which basically means that if the sudoers allowed it, the particular binary could be run with a user ID or group ID which is non-existent. This would allow users to impersonate non-existing users and could be used to bypass certain application restrictions. This was fixed by introducing a new setting called "allow_unknown_runas_id" to control matching of unknown IDs.

Statement: A new setting variable called "allow_unknown_runas_id" was introduced which would explicitly allow sudo to run applications with unknown user or group IDs (provided sudo was configured that way, for example via the Runas parameter, etc.).

External References: https://www.sudo.ws/stable.html#1.8.30

Mitigation: This flaw only affects specific, non-default configurations of sudo, in which a sudoers configuration entry allows a user to run a command as any user except root. Any other configuration of sudo is not affected by this flaw.

This issue has been addressed in the following products:

Red Hat Enterprise Linux 8 Via RHSA-2020:1804 https://access.redhat.com/errata/RHSA-2020:1804

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-19232
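As an added example (not code from this bug entry or from the sudo project), the bash script below audits sudoers text for Runas specifications containing ALL, the configuration the Doc Text and Mitigation describe, and models the matching change made in sudo 1.8.30: a Runas ALL entry used to match any numeric target such as `-u '#4242'` even when no account had that uid, and now rejects such a target unless allow_unknown_runas_id is set. The sudoers lines, passwd entries, user names and command paths are constructed for the demonstration, and the matching logic is a simplified model of sudo's behaviour (Runas_Alias expansion and resolving a numeric target against an explicit user list are not implemented).

```shell
#!/usr/bin/env bash
# Added example, not from the Bugzilla entry or the sudo project. Audits
# sudoers text for Runas specs that let the caller pick an arbitrary uid/gid
# and models the sudo 1.8.30 change: a "#uid" with no passwd entry matches a
# Runas ALL only when allow_unknown_runas_id is set. All sample data below is
# constructed; names and paths are hypothetical. Runas_Alias is not expanded.

SAMPLE_SUDOERS='# weak: "ALL" lets alice pick any uid, including one with no passwd entry
alice ALL=(ALL) /usr/bin/backup.sh
# weak: the negation only removes root; every other uid, existing or not, matches
bob   ALL=(ALL, !root) /usr/bin/deploy.sh
# hardened: explicit Runas lists name real accounts only
carol ALL=(backup) /usr/bin/backup.sh
dave  ALL=(www-data:www-data) /usr/bin/reload.sh
'

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
'

# Print the Runas spec (text inside the parentheses) of one sudoers line,
# or nothing for comments, Defaults lines and entries without a Runas spec.
runas_spec() {
    local line=$1
    case $line in
        \#*|Defaults*|'') ;;
        *"("*")"*) line=${line#*\(}; printf '%s' "${line%%\)*}" ;;
    esac
}

# Succeed when the user or group part of a Runas spec contains the ALL token.
# "!root"-style negations are separate tokens, so "(ALL, !root)" still counts.
runas_is_all() {
    local part tok
    for part in "${1%%:*}" "${1#*:}"; do
        for tok in $(printf '%s' "$part" | tr ',' ' '); do
            if [ "$tok" = ALL ]; then return 0; fi
        done
    done
    return 1
}

# Read sudoers text on stdin; print "user<TAB>(runas)" for risky entries.
audit_sudoers() {
    local line spec
    while IFS= read -r line; do
        spec=$(runas_spec "$line")
        if [ -n "$spec" ] && runas_is_all "$spec"; then
            printf '%s\t(%s)\n' "${line%%[[:space:]]*}" "$spec"
        fi
    done
}

# Succeed when a -u target ("name" or "#uid", both accepted by sudo) has an
# entry in the given passwd(5)-format file.
target_exists() {
    local target=$1 passwd=$2
    case $target in
        \#*) awk -F: -v id="${target#\#}" '$3 == id { f = 1 } END { exit !f }' "$passwd" ;;
        *)   awk -F: -v name="$target" '$1 == name { f = 1 } END { exit !f }' "$passwd" ;;
    esac
}

# Model of the Runas match: print "allowed" or "denied" for running as
# $target under $spec. allow_unknown=yes reproduces pre-1.8.30 behaviour (and
# the allow_unknown_runas_id setting): ALL matches even a "#uid" that resolves
# to no account. With the 1.8.30 default such a target is rejected.
sudo_would_allow() {
    local spec=$1 target=$2 passwd=$3 allow_unknown=${4:-no} tok
    for tok in $(printf '%s' "${spec%%:*}" | tr ',' ' '); do
        if [ "$tok" = "!$target" ]; then echo denied; return 1; fi
    done
    if runas_is_all "$spec"; then
        if [ "$allow_unknown" = yes ] || target_exists "$target" "$passwd"; then
            echo allowed; return 0
        fi
        echo denied; return 1
    fi
    # explicit list: the target must be named (numeric aliases not resolved)
    for tok in $(printf '%s' "${spec%%:*}" | tr ',' ' '); do
        if [ "$tok" = "$target" ] && target_exists "$target" "$passwd"; then
            echo allowed; return 0
        fi
    done
    echo denied; return 1
}

main() {
    local pw
    pw=$(mktemp)
    printf '%s' "$SAMPLE_PASSWD" > "$pw"
    echo "Entries whose Runas list matches any id:"
    printf '%s' "$SAMPLE_SUDOERS" | audit_sudoers
    # alice runs: sudo -u '#4242' /usr/bin/backup.sh   (uid 4242 has no account)
    echo "alice -u '#4242' under (ALL), pre-1.8.30: $(sudo_would_allow 'ALL' '#4242' "$pw" yes)"
    echo "alice -u '#4242' under (ALL), 1.8.30:     $(sudo_would_allow 'ALL' '#4242' "$pw")"
    echo "carol -u '#4242' under (backup):          $(sudo_would_allow 'backup' '#4242' "$pw" yes)"
    rm -f "$pw"
}
main
```

The audit flags `(ALL)` and `(ALL, !root)` alike: excluding root does not stop the caller from choosing uid 4242, which exists in no passwd file, so an application that makes decisions on the calling uid can be misled. The durable fix for a sudoers file is to name the permitted accounts explicitly, as the carol and dave entries do, rather than to rely on the 1.8.30 default alone; and if allow_unknown_runas_id is ever turned on, the entries the audit prints are the ones that regain the old behaviour.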