Bug 916365 (CVE-2013-1776)
| Field | Value |
|---|---|
| Summary | CVE-2013-1776 sudo: bypass of tty_tickets constraints |
| Product | [Other] Security Response |
| Component | vulnerability |
| Status | CLOSED ERRATA |
| Severity | low |
| Priority | low |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| Reporter | Vincent Danen <vdanen> |
| Assignee | Red Hat Product Security <security-response-team> |
| CC | dapospis, dkopecek, huzaifas, kzak |
| Keywords | Security |
| Fixed In Version | sudo 1.8.5, sudo 1.7.10 |
| Doc Type | Bug Fix |
| Last Closed | 2013-10-01 04:59:23 UTC |
| Bug Depends On | 916367, 968221 |
| Bug Blocks | 916366, 952520 |

Description
Vincent Danen
2013-02-27 22:44:01 UTC
Created sudo tracking bugs for this issue

Affects: fedora-all [bug 916367]

sudo-1.8.6p7-1.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.

sudo-1.8.6p7-1.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.

Common Vulnerabilities and Exposures assigned an identifier CVE-2013-1776 to the following vulnerability:

Name: CVE-2013-1776
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1776
Assigned: 20130219
Reference: http://www.openwall.com/lists/oss-security/2013/02/27/31
Reference: http://www.sudo.ws/repos/sudo/rev/632f8e028191
Reference: http://www.sudo.ws/repos/sudo/rev/6b22be4d09f0
Reference: http://www.sudo.ws/sudo/alerts/tty_tickets.html
Reference: http://www.securityfocus.com/bid/58207

sudo 1.3.5 through 1.7.10 and 1.8.0 through 1.8.5, when the tty_tickets option is enabled, does not properly validate the controlling terminal device, which allows local users with sudo permissions to hijack the authorization of another terminal via vectors related to connecting to a standard input, output, and error file descriptors of another terminal. NOTE: this is one of three closely-related vulnerabilities that were originally assigned CVE-2013-1776, but they have been SPLIT because of different affected versions.

See bug #949751 for CVE-2013-2776 and bug #949753 for CVE-2013-2777

This issue has been addressed in following products:

Red Hat Enterprise Linux 6

Via RHBA-2013:0363 https://rhn.redhat.com/errata/RHBA-2013-0363.html

This issue has been addressed in following products:

Red Hat Enterprise Linux 5

Via RHSA-2013:1353 https://rhn.redhat.com/errata/RHSA-2013-1353.html

This issue has been classified as low security impact, because of the following reasons.

1. A user already needs to have sudo access on the target machine.
2. Successful exploitation of this issue only results in bypass of sudo cache credential timeout; it does not provide any additional privileges to the attacker.

Statement: (none)

This CVE was assigned to the issue that allowed bypassing tty_tickets restriction by opening another terminal device and connecting it to stdin/stdout/stderr. To address the bypass, sudo was modified to extract tty information from /proc. The fix was implemented in sudo versions 1.8.5 and 1.7.10. However, the fix could still allow fall back to use stdin/stdout/stderr check in certain cases. Another way to bypass that check was discovered later, and that is what CVE-2013-2777 (bug 949753) was assigned to.

This issue was already fixed in Red Hat Enterprise Linux 6 packages when they were rebased from 1.7.4p5 to 1.8.6p3 in RHBA-2013:0363 in Red Hat Enterprise Linux 6.4.
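
The comments above say the fix made sudo take tty information from /proc instead of trusting stdin/stdout/stderr. As an added illustration (not sudo's code and not part of this bug report), the following C example reads the kernel-recorded controlling terminal from a Linux `/proc/<pid>/stat` line and compares it with the device behind stdin; the function name `stat_ctty` and the two sample lines are constructed for the example, and the field layout is assumed to be the one documented in proc(5).

```c
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/sysmacros.h>

/* Constructed sample lines in /proc/<pid>/stat layout (not from the bug report). */
const char SAMPLE_PTS1[] = "4242 (bash) S 4200 4242 4242 34817 4242 4194304";
const char SAMPLE_NOTTY[] = "4243 (a) b (c) S 1 4243 4243 0 -1 4194560";

/* Decode tty_nr (field 7) of a stat line into major/minor.
 * Returns 0 on success, -1 if malformed. 0:0 means no controlling tty. */
int stat_ctty(const char *line, unsigned *maj, unsigned *min)
{
    /* comm (field 2) may contain spaces and ')', so parse after the LAST ')'. */
    const char *p = strrchr(line, ')');
    char state;
    int ppid, pgrp, session, tty_nr;

    if (p == NULL ||
        sscanf(p + 1, " %c %d %d %d %d", &state, &ppid, &pgrp, &session, &tty_nr) != 5)
        return -1;
    /* Kernel encoding: major in bits 19..8, minor in bits 31..20 and 7..0. */
    *maj = ((unsigned)tty_nr >> 8) & 0xfff;
    *min = ((unsigned)tty_nr & 0xff) | (((unsigned)tty_nr >> 12) & 0xfff00);
    return 0;
}

int main(void)
{
    char buf[1024];
    unsigned maj, min;
    struct stat sb;
    FILE *f = fopen("/proc/self/stat", "r");

    if (f == NULL || fgets(buf, sizeof buf, f) == NULL || stat_ctty(buf, &maj, &min) != 0) {
        fprintf(stderr, "cannot read controlling tty from /proc\n");
        return 1;
    }
    fclose(f);
    printf("kernel-recorded controlling tty: %u:%u\n", maj, min);
    /* The device behind stdin is whatever the caller opened; it may differ. */
    if (fstat(0, &sb) == 0 && S_ISCHR(sb.st_mode))
        printf("device behind stdin:             %u:%u%s\n", major(sb.st_rdev),
               minor(sb.st_rdev),
               (major(sb.st_rdev) == maj && minor(sb.st_rdev) == min) ? "" : "  (differs)");
    return 0;
}
```

Running the program with stdin redirected from a different terminal device shows the two values diverging, which is why a per-tty ticket keyed on the stdin device is weaker than one keyed on the value from /proc.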