Red Hat Bugzilla – Full Text Bug Listing
|Summary:|CVE-2013-1776 sudo: bypass of tty_tickets constraints|
|Product:|[Other] Security Response|
|Component:|vulnerability|
|Version:|unspecified|
|Status:|CLOSED ERRATA|
|Reporter:|Vincent Danen <vdanen>|
|Assignee:|Red Hat Product Security <security-response-team>|
|CC:|dapospis, dkopecek, huzaifas, kzak|
|Fixed In Version:|sudo 1.8.5, sudo 1.7.10|
|Doc Type:|Bug Fix|
|Last Closed:|2013-10-01 00:59:23 EDT|
|Bug Depends On:|916367, 968221|
|Bug Blocks:|916366, 952520|
Description Vincent Danen 2013-02-27 17:44:01 EST
From the upstream advisory:

When a user successfully authenticates with sudo, a time stamp file is updated to allow that user to continue running sudo without requiring a password for a preset time period (five minutes by default). This time stamp file can either be common to all of a user's terminals, or it can be specific to the particular terminal the user authenticated themselves on. The terminal-specific time stamp file behavior can be controlled using the "tty_tickets" option in the sudoers file. This option has been enabled by default since sudo 1.7.4. Prior to sudo 1.7.4, the default was to use a single time stamp for all the user's sessions.

A vulnerability exists because the user can control which terminal the standard input, output and error file descriptors (0-2) refer to. A malicious user could use this to run commands via sudo without authenticating, so long as there exists a terminal the user has access to where a sudo command was successfully run by that same user within the password timeout period (usually five minutes). The vulnerability does not permit a user to run commands other than those allowed by the sudoers policy.

This affects versions 1.3.5 through to the fixed 1.7.10p6 version, and sudo 1.8.0 through to the fixed 1.8.7p7.

The fix for 1.7.x: http://www.sudo.ws/repos/sudo/rev/0c0283d1fafa
The fix for 1.8.x: http://www.sudo.ws/repos/sudo/rev/049a12a5cc14

External References:
http://www.sudo.ws/sudo/alerts/tty_tickets.html
Comment 1 Vincent Danen 2013-02-27 17:47:57 EST
Created sudo tracking bugs for this issue

Affects: fedora-all [bug 916367]
Comment 3 Fedora Update System 2013-03-15 21:22:29 EDT
sudo-1.8.6p7-1.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
Comment 5 Fedora Update System 2013-03-19 16:04:45 EDT
sudo-1.8.6p7-1.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
Comment 6 Vincent Danen 2013-04-08 18:43:05 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2013-1776 to the following vulnerability:

Name: CVE-2013-1776
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1776
Assigned: 20130219
Reference: http://www.openwall.com/lists/oss-security/2013/02/27/31
Reference: http://www.sudo.ws/repos/sudo/rev/632f8e028191
Reference: http://www.sudo.ws/repos/sudo/rev/6b22be4d09f0
Reference: http://www.sudo.ws/sudo/alerts/tty_tickets.html
Reference: http://www.securityfocus.com/bid/58207

sudo 1.3.5 through 1.7.10 and 1.8.0 through 1.8.5, when the tty_tickets option is enabled, does not properly validate the controlling terminal device, which allows local users with sudo permissions to hijack the authorization of another terminal via vectors related to connecting to a standard input, output, and error file descriptors of another terminal.

NOTE: this is one of three closely-related vulnerabilities that were originally assigned CVE-2013-1776, but they have been SPLIT because of different affected versions. See bug #949751 for CVE-2013-2776 and bug #949753 for CVE-2013-2777
Comment 14 Huzaifa S. Sidhpurwala 2013-09-29 23:46:57 EDT
This issue has been addressed in following products:

Red Hat Enterprise Linux 6

Via RHBA-2013:0363 https://rhn.redhat.com/errata/RHBA-2013-0363.html
Comment 15 errata-xmlrpc 2013-09-30 20:29:34 EDT
This issue has been addressed in following products:

Red Hat Enterprise Linux 5

Via RHSA-2013:1353 https://rhn.redhat.com/errata/RHSA-2013-1353.html
Comment 16 Huzaifa S. Sidhpurwala 2013-10-01 00:56:58 EDT
This issue has been classified as low security impact, because of the following reasons.

1. A user already needs to have sudo access on the target machine.
2. Successful exploitation of this issue only results in bypass of sudo cache credential timeout; it does not provide any additional privileges to the attacker.
Comment 17 Huzaifa S. Sidhpurwala 2013-10-01 00:59:23 EDT
Comment 18 Tomas Hoger 2013-10-09 17:06:07 EDT
This CVE was assigned to the issue that allowed bypassing tty_tickets restriction by opening another terminal device and connecting it to stdin/stdout/stderr. To address the bypass, sudo was modified to extract tty information from /proc. The fix was implemented in sudo versions 1.8.5 and 1.7.10.

However, the fix could still allow a fallback to the stdin/stdout/stderr check in certain cases. Another way to bypass that check was discovered later, and that is what CVE-2013-2777 (bug 949753) was assigned to.

This issue was already fixed in Red Hat Enterprise Linux 6 packages when they were rebased from 1.7.4p5 to 1.8.6p3 in RHBA-2013:0363 in Red Hat Enterprise Linux 6.4.