Bug 916363 (CVE-2013-1775)

Summary: CVE-2013-1775 sudo: authentication bypass via reset system clock
Product: [Other] Security Response Reporter: Vincent Danen <vdanen>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: agunn, dkopecek, jsightle, kzak, stefan.sels
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: impact=low,public=20130227,reported=20130227,source=oss-security,cvss2=2.1/AV:L/AC:L/Au:N/C:N/I:P/A:N,rhel-5/sudo=affected,rhel-6/sudo=affected,fedora-all/sudo=affected
Fixed In Version: sudo 1.7.10p7, sudo 1.8.6p7 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-11-22 00:31:12 EST Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Bug Depends On: 916367, 968221, 1015355    
Bug Blocks: 916366, 952520, 974906    

Description Vincent Danen 2013-02-27 17:36:45 EST
From the upstream advisory:

When a user successfully authenticates with sudo, a time stamp file is updated to allow that user to continue running sudo without requiring a password for a preset time period (five minutes by default). The user's time stamp file can be reset using "sudo -k" or removed altogether via "sudo -K".
A user who has sudo access and is able to control the local clock (common in desktop environments) can run a command via sudo without authenticating as long as they have previously authenticated themselves at least once by running "sudo -k" and then setting the clock to the epoch (1970-01-01 01:00:00).

The vulnerability does not permit a user to run commands other than those allowed by the sudoers policy.

This affects versions 1.6.0 through up to the fixed 1.7.10p7 version, and sudo 1.8.0 through to the fixed 1.8.7p7.

The fix for 1.7.x: http://www.sudo.ws/repos/sudo/rev/ddf399e3e306

The fix for 1.8.x: http://www.sudo.ws/repos/sudo/rev/ebd6cc75020f


External References:

http://www.sudo.ws/sudo/alerts/epoch_ticket.html
Comment 1 Vincent Danen 2013-02-27 17:47:43 EST
Created sudo tracking bugs for this issue

Affects: fedora-all [bug 916367]
Comment 5 Fedora Update System 2013-03-15 21:22:20 EDT
sudo-1.8.6p7-1.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 12 Fedora Update System 2013-03-19 16:04:37 EDT
sudo-1.8.6p7-1.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 16 errata-xmlrpc 2013-09-30 20:29:27 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2013:1353 https://rhn.redhat.com/errata/RHSA-2013-1353.html
Comment 17 Huzaifa S. Sidhpurwala 2013-10-01 00:57:39 EDT
This issue has been classified as low security impact, because of the following reasons.

1. A user already needs to have sudo access on the target machine.

2. The user needs to have permission to set system clock on the target machine. This is uncommon and may only be used for some desktop configurations.

3. Successful exploitation of this issue, only results in bypass of sudo cache credential timeout, it does not provide any additional privileges to the attacker.
Comment 21 errata-xmlrpc 2013-11-21 18:12:25 EST
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2013:1701 https://rhn.redhat.com/errata/RHSA-2013-1701.html
Comment 22 Huzaifa S. Sidhpurwala 2013-11-22 00:31:12 EST
Statement:

(none)