Bug 1786704 (CVE-2019-19232) - CVE-2019-19232 sudo: attacker with access to a Runas ALL sudoer account can impersonate a nonexistent user
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-19232
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1786705 1786986 1786987
Blocks: 1786710
Reported: 2019-12-27 11:30 UTC by Dhananjay Arunesh
Modified: 2020-04-28 16:35 UTC (History)

Fixed In Version: sudo 1.8.30
Doc Type: If docs needed, set a value
Doc Text:
It was found that sudo always allowed commands to be run with unknown user or group IDs if the sudo configuration allowed it, for example via the "ALL" alias. This could allow sudo to impersonate a non-existent account and, depending on how applications are configured, could lead to a bypass of certain restrictions. This is now explicitly disabled. A new setting called "allow_unknown_runas_id" was introduced in order to enable this.
Clone Of:
Environment:
Last Closed: 2020-04-28 16:35:11 UTC


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:1804 None None None 2020-04-28 15:54:31 UTC

Description Dhananjay Arunesh 2019-12-27 11:30:45 UTC
A vulnerability was found in Sudo through 1.8.29: an attacker with access to a Runas ALL sudoer account can impersonate a nonexistent user by invoking sudo with a numeric uid that is not associated with any user.

Reference:
https://www.sudo.ws/stable.html#1.8.30
https://www.sudo.ws/devel.html#1.8.30b2

Comment 1 Dhananjay Arunesh 2019-12-27 11:31:09 UTC
Created sudo tracking bugs for this issue:

Affects: fedora-all [bug 1786705]

Comment 2 Huzaifa S. Sidhpurwala 2019-12-30 07:45:29 UTC
Upstream patch: https://www.sudo.ws/repos/sudo/rev/ebdbb5c7f60b

Comment 3 Huzaifa S. Sidhpurwala 2019-12-30 07:59:11 UTC
Analysis:

sudo would always allow unknown user or group IDs if the sudoers entry permitted it. This included the "ALL" alias, which basically means that, if sudoers allowed it, the particular binary could be run with a user ID or group ID which is non-existent.

This would allow users to impersonate non-existing users and could be used to bypass certain application restrictions.

This was fixed by introducing a new setting called "allow_unknown_runas_id" to control matching of unknown IDs.

Comment 5 Huzaifa S. Sidhpurwala 2020-01-06 08:54:23 UTC
Statement:

A new setting variable called "allow_unknown_runas_id" was introduced which would explicitly allow sudo to run applications with unknown user or group IDs (provided sudo was configured that way, for example via the runas parameter, etc.).

Comment 6 Huzaifa S. Sidhpurwala 2020-01-06 08:54:25 UTC
External References:

https://www.sudo.ws/stable.html#1.8.30

Comment 8 Huzaifa S. Sidhpurwala 2020-02-25 06:59:52 UTC
Mitigation:

This flaw only affects specific, non-default configurations of sudo, in which a sudoers configuration entry allows a user to run a command as any user except root. Any other configuration of sudo is not affected by this flaw.
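As an added audit example (not Red Hat's or the sudo project's code) covering the analysis in comment 3 and the mitigation in comment 8, the script below scans a sudoers text for user specs whose Runas list contains ALL and checks whether unknown numeric IDs would still be honoured: either because the sudo version predates the 1.8.30 fix or because a Defaults line re-enables allow_unknown_runas_id. The sample sudoers, user names and commands are constructed; the version-string parsing assumes the upstream "1.8.29p1" style.

```python
import re
# Constructed sample sudoers (not from the bug report); the second Defaults line is the risky one.
SAMPLE_SUDOERS = """\
Defaults    env_reset
Defaults    allow_unknown_runas_id
alice       ALL=(ALL, !root) /usr/bin/rsync
bob         ALL=(www-data) /usr/bin/systemctl restart nginx
carol       ALL=(ALL:ALL) NOPASSWD: /usr/bin/less   # trailing comment
"""
FIXED_VERSION = (1, 8, 30)  # release that stopped matching unknown Runas IDs by default
_RUNAS_RE = re.compile(r"=\s*\(([^)]*)\)")

def _strip_comment(line: str) -> str:
    # '#' starts a comment unless followed by a digit (that form is a numeric uid/gid).
    return re.sub(r"\s#(?!\d).*$", "", line).rstrip()

def unknown_runas_allowed(sudoers: str) -> bool:
    """True if a Defaults line leaves allow_unknown_runas_id on (last setting wins)."""
    enabled = False
    for raw in sudoers.splitlines():
        parts = _strip_comment(raw).split(None, 1)
        if len(parts) == 2 and parts[0].startswith("Defaults"):
            for opt in (o.strip() for o in parts[1].split(",")):
                if opt == "allow_unknown_runas_id":
                    enabled = True
                elif opt == "!allow_unknown_runas_id":
                    enabled = False
    return enabled

def runas_all_specs(sudoers: str) -> list:
    """User specs whose Runas user list contains ALL, with any !user exclusions."""
    findings = []
    for raw in sudoers.splitlines():
        line = _strip_comment(raw)
        m = _RUNAS_RE.search(line)
        if not m or line.startswith("Defaults"):
            continue
        users = [u.strip() for u in m.group(1).split(":", 1)[0].split(",")]  # drop :group part
        if "ALL" in users:
            findings.append({"user": line.split()[0], "runas": m.group(1).strip(),
                             "excluded": [u[1:] for u in users if u.startswith("!")]})
    return findings

def parse_version(version: str) -> tuple:
    return tuple(int(x) for x in re.findall(r"\d+", version)[:3])  # '1.8.29p1' -> (1, 8, 29)

def exposed_to_cve_2019_19232(sudoers: str, sudo_version: str) -> bool:
    """Runas ALL present and unknown IDs honoured: sudo older than 1.8.30, or setting re-enabled."""
    return bool(runas_all_specs(sudoers)) and (
        parse_version(sudo_version) < FIXED_VERSION or unknown_runas_allowed(sudoers))
```

Entries that also grant root (no "!root" in the excluded list) are reported too, so the reviewer can apply the comment 8 distinction by hand.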

Comment 9 errata-xmlrpc 2020-04-28 15:54:30 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:1804 https://access.redhat.com/errata/RHSA-2020:1804

Comment 10 Product Security DevOps Team 2020-04-28 16:35:11 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-19232
