Bug 1786708 (CVE-2019-19234)

Summary: CVE-2019-19234 sudo: by using ! character in the shadow file instead of a password hash can access to a run as all sudoer account
Product: [Other] Security Response
Reporter: Dhananjay Arunesh <darunesh>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: dapospis, dkopecek, huzaifas, kzak, mattdm, rsroka, tjaros
Target Milestone: ---
Target Release: ---
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: sudo 1.8.30
Doc Type: If docs needed, set a value
Doc Text: When an account is disabled via the shadow file by replacing the password hash with "!", sudo does not consider it disabled. Depending on the configuration, sudo can still be run as such a disabled account.
Last Closed: 2021-10-25 22:14:48 UTC
Bug Depends On: 1786709, 1786989, 1786990, 1796518
Bug Blocks: 1786710

Description Dhananjay Arunesh 2019-12-27 11:44:07 UTC
A vulnerability was found in Sudo through 1.8.29: the fact that a user has been blocked (e.g., by using the ! character in the shadow file instead of a password hash) is not considered, allowing an attacker (who has access to a Runas ALL sudoer account) to impersonate any blocked user.

Reference:
https://www.sudo.ws/stable.html#1.8.30
https://www.sudo.ws/devel.html#1.8.30b2

Comment 1 Dhananjay Arunesh 2019-12-27 11:44:30 UTC
Created sudo tracking bugs for this issue:

Affects: fedora-all [bug 1786709]

Comment 2 Huzaifa S. Sidhpurwala 2019-12-30 08:01:49 UTC
Upstream patch: https://www.sudo.ws/repos/sudo/rev/ed6db31729cd

Comment 3 Huzaifa S. Sidhpurwala 2019-12-30 08:06:33 UTC
Analysis:

Basically, in the shadow file, when an account is disabled by replacing the hash with "!", it is not considered disabled by sudo. And depending on the configuration, sudo can be run using such a disabled account.

The new runas_check_shell sudoers setting can be used to require that the runas user have a shell listed in the /etc/shells file. On many systems, users such as bin do not have a valid shell, and this flag can be used to prevent commands from being run as those users.

Comment 4 Huzaifa S. Sidhpurwala 2019-12-30 08:08:19 UTC
Statement:

The new runas_check_shell sudoers setting can be used to require that the runas user have a shell listed in the /etc/shells file. On many systems, users such as bin do not have a valid shell, and this flag can be used to prevent commands from being run as those users.

Comment 6 Huzaifa S. Sidhpurwala 2020-01-06 09:00:33 UTC
External References:

https://www.sudo.ws/stable.html#1.8.30

Comment 18 Huzaifa S. Sidhpurwala 2020-02-25 06:55:53 UTC
Mitigation:

This flaw basically allows users whose account is disabled in /etc/shadow (password hash replaced with '!') to have sudo access. Systems not having such disabled accounts, or systems disabling sudo access for such accounts using other means (such as not allowing such users to run sudo via access control mechanisms), are not affected by this flaw.
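As an added illustration, not part of this report or of sudo itself, the audit below reads constructed /etc/shadow, /etc/passwd and /etc/shells contents and lists accounts locked with a "!" hash (the accounts sudo before 1.8.30 still accepted as runas targets), then shows which of them the runas_check_shell setting from Comment 3 would additionally reject; all account names, hashes and file contents are made up.

```python
# Added example (not from the Bugzilla report or sudo): find accounts locked
# with a "!" hash in /etc/shadow, which sudo < 1.8.30 still accepted as a
# runas target (CVE-2019-19234), and see which ones runas_check_shell rejects.
from typing import Dict, List, Set

# Constructed sample files; account names and hashes are made up.
SHADOW = """\
root:$6$salt$hash:18000:0:99999:7:::
bob:!$6$salt$hash:18000:0:99999:7:::
bin:!:18000:0:99999:7:::
backup:!!:18000:0:99999:7:::
"""
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash
bin:x:2:2:bin:/bin:/usr/sbin/nologin
backup:x:34:34::/var/backups:/bin/sh
"""
SHELLS = """\
# /etc/shells: valid login shells
/bin/sh
/bin/bash
"""

def locked_accounts(shadow: str) -> Set[str]:
    """Accounts whose shadow hash field starts with '!' (e.g. after passwd -l)."""
    locked = set()
    for line in shadow.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[1].startswith("!"):
            locked.add(fields[0])
    return locked

def valid_shells(shells: str) -> Set[str]:
    """Shells listed in /etc/shells, ignoring blank and comment lines."""
    return {s.strip() for s in shells.splitlines()
            if s.strip() and not s.startswith("#")}

def user_shells(passwd: str) -> Dict[str, str]:
    """Map user name to login shell from /etc/passwd."""
    return {f[0]: f[6] for f in (l.split(":") for l in passwd.splitlines())
            if len(f) >= 7}

def audit(shadow: str, passwd: str, shells: str) -> Dict[str, List[str]]:
    """Split locked accounts by whether runas_check_shell would reject them."""
    locked, ok, sh = locked_accounts(shadow), valid_shells(shells), user_shells(passwd)
    return {
        "locked_but_valid_runas_target": sorted(u for u in locked if sh.get(u) in ok),
        "rejected_by_runas_check_shell": sorted(u for u in locked if sh.get(u) not in ok),
    }
```

Accounts in the first list are the ones the mitigation in Comment 18 is about: they are locked for login but, without the sudo 1.8.30 fix, remain usable as a sudo runas target even with runas_check_shell enabled.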