Bug 916365 (CVE-2013-1776)

Summary: CVE-2013-1776 sudo: bypass of tty_tickets constraints
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: unspecified
CC: dapospis, dkopecek, huzaifas, kzak
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard: impact=low,public=20130227,reported=20130227,source=oss-security,cvss2=3.6/AV:L/AC:L/Au:N/C:P/I:P/A:N,rhel-5/sudo=affected,rhel-6/sudo=affected,fedora-all/sudo=affected
Fixed In Version: sudo 1.8.5, sudo 1.7.10
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2013-10-01 00:59:23 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 916367, 968221
Bug Blocks: 916366, 952520

Description Vincent Danen 2013-02-27 17:44:01 EST
From the upstream advisory:

When a user successfully authenticates with sudo, a time stamp file is updated to allow that user to continue running sudo without requiring a password for a preset time period (five minutes by default).
This time stamp file can either be common to all of a user's terminals, or it can be specific to the particular terminal the user authenticated themselves on. The terminal-specific time stamp file behavior can be controlled using the "tty_tickets" option in the sudoers file. This option has been enabled by default since sudo 1.7.4. Prior to sudo 1.7.4, the default was to use a single time stamp for all the user's sessions.

A vulnerability exists because the user can control which terminal the standard input, output and error file descriptors (0-2) refer to. A malicious user could use this to run commands via sudo without authenticating, so long as there exists a terminal the user has access to where a sudo command was successfully run by that same user within the password timeout period (usually five minutes).

The vulnerability does not permit a user to run commands other than those allowed by the sudoers policy.

This affects versions 1.3.5 up to the fixed 1.7.10p6 version, and sudo 1.8.0 up to the fixed 1.8.7p7.

The fix for 1.7.x: http://www.sudo.ws/repos/sudo/rev/0c0283d1fafa

The fix for 1.8.x: http://www.sudo.ws/repos/sudo/rev/049a12a5cc14

Comment 1 Vincent Danen 2013-02-27 17:47:57 EST
Created sudo tracking bugs for this issue

Affects: fedora-all [bug 916367]
Comment 3 Fedora Update System 2013-03-15 21:22:29 EDT
sudo-1.8.6p7-1.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 5 Fedora Update System 2013-03-19 16:04:45 EDT
sudo-1.8.6p7-1.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 6 Vincent Danen 2013-04-08 18:43:05 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2013-1776 to
the following vulnerability:

Name: CVE-2013-1776
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1776
Assigned: 20130219
Reference: http://www.openwall.com/lists/oss-security/2013/02/27/31
Reference: http://www.sudo.ws/repos/sudo/rev/632f8e028191
Reference: http://www.sudo.ws/repos/sudo/rev/6b22be4d09f0
Reference: http://www.sudo.ws/sudo/alerts/tty_tickets.html
Reference: http://www.securityfocus.com/bid/58207

sudo 1.3.5 through 1.7.10 and 1.8.0 through 1.8.5, when the
tty_tickets option is enabled, does not properly validate the
controlling terminal device, which allows local users with sudo
permissions to hijack the authorization of another terminal via
vectors related to connecting to a standard input, output, and error
file descriptors of another terminal.  NOTE: this is one of three
closely-related vulnerabilities that were originally assigned
CVE-2013-1776, but they have been SPLIT because of different affected

See bug #949751 for CVE-2013-2776 and bug #949753 for CVE-2013-2777
Comment 14 Huzaifa S. Sidhpurwala 2013-09-29 23:46:57 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHBA-2013:0363 https://rhn.redhat.com/errata/RHBA-2013-0363.html
Comment 15 errata-xmlrpc 2013-09-30 20:29:34 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2013:1353 https://rhn.redhat.com/errata/RHSA-2013-1353.html
Comment 16 Huzaifa S. Sidhpurwala 2013-10-01 00:56:58 EDT
This issue has been classified as low security impact, because of the following reasons.

1. A user already needs to have sudo access on the target machine.

2. Successful exploitation of this issue only results in bypass of the sudo cached credential timeout; it does not provide any additional privileges to the attacker.
Comment 17 Huzaifa S. Sidhpurwala 2013-10-01 00:59:23 EDT

Comment 18 Tomas Hoger 2013-10-09 17:06:07 EDT
This CVE was assigned to the issue that allowed bypassing the tty_tickets restriction by opening another terminal device and connecting it to stdin/stdout/stderr.  To address the bypass, sudo was modified to extract tty information from /proc.  The fix was implemented in sudo versions 1.8.5 and 1.7.10.

However, in certain cases the fix could still fall back to the stdin/stdout/stderr check.  Another way to bypass that check was discovered later, and that is what CVE-2013-2777 (bug 949753) was assigned to.

This issue was already fixed in Red Hat Enterprise Linux 6 packages when they were rebased from 1.7.4p5 to 1.8.6p3 in RHBA-2013:0363 in Red Hat Enterprise Linux 6.4.
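To illustrate the two terminal lookups that the description and comment 18 contrast, here is an added Python example; it is not part of this bug or of sudo's own code. It reports the terminal behind fds 0-2 (the pre-fix check, whose input the caller controls) next to the session's controlling terminal taken from /proc/self/stat (the source the fix moved to). It assumes Linux with the proc(5) field layout, and the function names are my own.

```python
import os
import stat

def decode_dev(tty_nr):
    """Split the old-style dev_t that /proc/<pid>/stat uses for tty_nr."""
    major = (tty_nr >> 8) & 0xfff
    minor = (tty_nr & 0xff) | ((tty_nr >> 12) & 0xfff00)
    return major, minor

def parse_tty_nr(stat_line):
    """tty_nr is field 7 of /proc/<pid>/stat. The comm field is parenthesised
    and may contain spaces or ')', so split only after the LAST ')'."""
    rest = stat_line[stat_line.rfind(")") + 1:].split()
    # rest[0]=state, [1]=ppid, [2]=pgrp, [3]=session, [4]=tty_nr
    return int(rest[4])

def tty_from_fds():
    """Pre-fix view: the terminal behind fds 0-2. The caller picks those
    descriptors, so this value is under the caller's control."""
    for fd in (0, 1, 2):
        try:
            return os.ttyname(fd)
        except OSError:
            continue
    return None

def find_tty_device(major, minor, dirs=("/dev/pts", "/dev")):
    """Map (major, minor) back to a path by matching st_rdev on char devices."""
    for d in dirs:
        try:
            names = os.listdir(d)
        except OSError:
            continue
        for name in names:
            path = os.path.join(d, name)
            try:
                st = os.stat(path)
            except OSError:
                continue
            if stat.S_ISCHR(st.st_mode) and \
               (os.major(st.st_rdev), os.minor(st.st_rdev)) == (major, minor):
                return path
    return None

def tty_from_proc(pid="self"):
    """Post-fix view: the controlling terminal the kernel recorded for the
    session; fd redirection does not change it. None when there is no ctty."""
    with open("/proc/%s/stat" % pid) as f:
        tty_nr = parse_tty_nr(f.read())
    return find_tty_device(*decode_dev(tty_nr)) if tty_nr else None
```

Run `tty_from_fds()` and `tty_from_proc()` from a terminal, then again with stdin redirected from another pty: only the first answer follows the redirection.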