Bug 1283635 (CVE-2015-8239) - CVE-2015-8239 sudo: Race condition when checking digests in sudoers
Summary: CVE-2015-8239 sudo: Race condition when checking digests in sudoers
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2015-8239
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1283636
Blocks: 1283688
TreeView+ depends on / blocked
 
Reported: 2015-11-19 13:36 UTC by Adam Mariš
Modified: 2021-02-17 04:42 UTC (History)
6 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2016-01-19 13:14:56 UTC
Embargoed:

Attachments (Terms of Use)

Description Adam Mariš 2015-11-19 13:36:46 UTC 
A vulnerability in functionality for adding support of SHA-2 digests along with the command was found. The sudoers plugin performs this digest verification while matching rules, and later independently calls execve() to execute the binary. This results in a race condition if the digest functionality is used as suggested (in fact, the rules are matched before the user is prompted for a password, so there is not negligible time frame to replace the binary from underneath sudo). Versions affected are since 1.8.7.

CVE assignment:

http://seclists.org/oss-sec/2015/q4/327
Comment 1 Adam Mariš 2015-11-19 13:37:25 UTC 
Created sudo tracking bugs for this issue:

Affects: fedora-all [bug 1283636]
Comment 3 Daniel Kopeček 2015-11-19 14:18:16 UTC 
(In reply to Adam Mariš from comment #2)
> Statement:
> 
> Not vulnerable. This issue did not affect the versions of sudo as
> shipped with Red Hat Enterprise Linux 5, 6 and 7.

Not vulnerable in RHEL 7? What about this one:

https://bugzilla.redhat.com/show_bug.cgi?id=1183818
Comment 4 Adam Mariš 2015-11-19 15:01:40 UTC 
Thanks, I'll update it.
Comment 5 Adam Mariš 2015-11-19 15:08:46 UTC 
Statement:

(none)
Comment 6 Daniel Kopeček 2015-12-07 09:46:36 UTC 
sudo upstream updated the docs:

https://www.sudo.ws/repos/sudo/rev/24a3d9215c64
Comment 7 Tomas Hoger 2016-01-19 13:04:34 UTC 
There are now additional changes applied upstream to make sudo use fexecve where available, so the program is executed using the same file descriptor that was used to read the file for checksumming purposes.

https://www.sudo.ws/repos/sudo/rev/397722cdd7ec
https://www.sudo.ws/repos/sudo/rev/0cd3cc8fa195

Note that fexecve documentation explicitly notes that fexecve can only help when file to be executed is in a user writeable directory, but not when the file is also user writeable.

  The idea behind fexecve() is to allow the caller to verify (checksum) the
  contents of an executable before executing it.  Simply opening the file,
  checksumming the contents, and then doing an execve(2) would not suffice,
  since, between the two steps, the filename, or a directory prefix of the
  pathname, could have been exchanged (by, for example, modifying the target
  of a symbolic link).  fexecve() does not mitigate the problem that the
  contents of a file could be changed between the checksumming and the call
  to fexecve(); for that, the solution is to ensure that the permissions on
  the file prevent it from being modified by malicious users.
Comment 8 Tomas Hoger 2016-01-19 13:14:56 UTC 
This is most likely not going to get any "full" fix upstream other than documenting that it's unsafe to execute user writeable programs even if the digest check is performed.
Note You need to log in before you can comment on or make changes to this bug.