Bug 1788196 - sudo allows privilege escalation with expired password
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sudo
Version: 7.8
Hardware: Unspecified
OS: Linux
Importance: medium (priority) / high (severity)
Target Milestone: rc
Target Release: ---
Assignee: Radovan Sroka
QA Contact: Dalibor Pospíšil
URL:
Whiteboard:
Depends On:
Blocks: 1815164
Reported: 2020-01-06 16:55 UTC by Carl Thompson
Modified: 2020-09-29 19:56 UTC (History)

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
Clones: 1815164 (view as bug list)
Environment:
Last Closed: 2020-09-29 19:56:45 UTC
Target Upstream Version:
Embargoed:


Attachments
proposed patch1 (4.94 KB, patch) - 2020-03-19 16:50 UTC, Radovan Sroka
proposed patch2 (1.12 KB, patch) - 2020-03-19 16:50 UTC, Radovan Sroka


Links
Red Hat Product Errata RHBA-2020:3930 (last updated 2020-09-29 19:56:50 UTC)

Description Carl Thompson 2020-01-06 16:55:58 UTC
Description of problem:
sudo allows privilege escalation with expired passwords

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. Have a user configured for sudo privileges
2. Have user with expired (not locked) password
3. Run sudo to elevate privileges. It will prompt for the password, but you do not need to change it.
4. Run sudo again: the authentication is cached and you have sudo access without changing the password.

Actual results:
Allows privilege escalation with expired password

Expected results:
Deny privilege escalation until password is changed

Additional info:
upstream fix is in place:  https://bugzilla.sudo.ws/show_bug.cgi?id=910

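The ordering flaw the reporter describes, modelled as a small Python state machine. This is an added illustration and not sudo's source code: the Host/Account classes, the PAM-style method names and the "fixed" flag are invented for the example, and the sample user, passwords and 300 s cache timeout are constructed inputs. In the vulnerable ordering the per-user timestamp is written as soon as the password check passes, so a second invocation within the timeout never reaches the account check that would force the password change; in the corrected ordering the timestamp is written only after the whole PAM conversation (authenticate, account check, any forced password change) has succeeded, and the account check also runs on cached invocations.

```python
"""Toy model of sudo's timestamp cache vs. an expired (but not locked) password.

Added example, not sudo's own code. All names below are invented for illustration.
"""
from dataclasses import dataclass, field
from enum import Enum, auto
import time


class PamAcct(Enum):
    SUCCESS = auto()
    NEW_AUTHTOK_REQD = auto()   # password expired: user must change it
    ACCT_EXPIRED = auto()       # account locked/expired: always deny


@dataclass
class Account:
    password: str
    password_expired: bool = False
    locked: bool = False


@dataclass
class Host:
    """Constructed password database plus a sudo-style per-user timestamp cache."""
    users: dict
    ts_cache: dict = field(default_factory=dict)   # user -> epoch of last successful run
    timestamp_timeout: float = 300.0              # assumed default, five minutes

    def pam_authenticate(self, user, password):
        return self.users[user].password == password

    def pam_acct_mgmt(self, user):
        acct = self.users[user]
        if acct.locked:
            return PamAcct.ACCT_EXPIRED
        if acct.password_expired:
            return PamAcct.NEW_AUTHTOK_REQD
        return PamAcct.SUCCESS

    def pam_chauthtok(self, user, new_password):
        """Forced password change; returns False when the user cancels (None)."""
        if new_password is None:
            return False
        self.users[user].password = new_password
        self.users[user].password_expired = False
        return True

    def timestamp_valid(self, user, now):
        stamp = self.ts_cache.get(user)
        return stamp is not None and now - stamp < self.timestamp_timeout


def sudo(host, user, password, new_password=None, now=None, fixed=False):
    """Simulate one sudo invocation; returns 'granted' or 'denied'.

    fixed=False: timestamp written right after the password check (vulnerable).
    fixed=True:  account check runs even when cached; timestamp written last.
    """
    now = time.time() if now is None else now
    cached = host.timestamp_valid(user, now)

    if not cached:
        if not host.pam_authenticate(user, password):
            return "denied"
        if not fixed:
            host.ts_cache[user] = now        # BUG: cached before acct_mgmt/chauthtok

    if cached and not fixed:
        return "granted"                     # BUG: cache bypasses the account check

    status = host.pam_acct_mgmt(user)
    if status is PamAcct.ACCT_EXPIRED:
        return "denied"
    if status is PamAcct.NEW_AUTHTOK_REQD:
        if not host.pam_chauthtok(user, new_password):
            return "denied"                  # user cancelled the password change

    if fixed:
        host.ts_cache[user] = now            # only after the full conversation succeeded
    return "granted"


def reproduce(fixed):
    """Steps 1-4 of the report: expired password, cancel the change, run sudo twice."""
    host = Host(users={"carl": Account("hunter2", password_expired=True)})
    first = sudo(host, "carl", "hunter2", now=100.0, fixed=fixed)    # cancels change
    second = sudo(host, "carl", "hunter2", now=101.0, fixed=fixed)   # within timeout
    return [first, second]


if __name__ == "__main__":
    print("vulnerable ordering:", reproduce(fixed=False))
    print("fixed ordering:     ", reproduce(fixed=True))
```

With the vulnerable ordering the first run is denied (the change was cancelled) but the second is granted from the cache, which is the escalation in the report. With the corrected ordering both runs are denied until the password is actually changed, and a later cached run still passes through the account check, so an administrator expiring a password after the cache was written is honoured too.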
Comment 2 Huzaifa S. Sidhpurwala 2020-01-29 08:06:54 UTC
Carl,

Are you able to reproduce this on rhel-8 or fedora? It seems like RHEL/Fedora has a PAM configuration which blocks users with expired passwords from logging in. Can you please confirm?

Comment 3 Carl Thompson 2020-01-30 16:34:58 UTC
I have not tested this on a RHEL 8 system.  It does not affect RHEL 6 because of code changes between 6 and 7 in sudo.

We ran into this issue when utilizing LDAP, with sudo privileges configured locally. Sudo caches the expired password as valid and prompts for a password change. However, if you cancel out of the password change dialog and simply run sudo again, the cached validation of the expired password is enough to allow escalation, without prompting for a password change again.

Comment 6 Huzaifa S. Sidhpurwala 2020-02-05 05:29:00 UTC
(In reply to Carl Thompson from comment #3)
> I have not tested this on a RHEL 8 system.  It does not affect RHEL 6
> because of code changes between 6 and 7 in sudo.
> 
> We ran into this issue when utilizing LDAP.  Sudo privileges configured
> locally.  The sudo caches the expired password as valid and prompts for a
> password change.  However, if you cancel out of password change dialog and
> simply run sudo again the cached validation of the expired password is
> enough to allow escalation, not prompting for password change again.

It seems like this issue was introduced via cab448ac8633 which was released via sudo-1.8.23, so rhel-7/8 may be affected. We are still trying to reproduce this issue here.

Comment 8 Huzaifa S. Sidhpurwala 2020-02-07 04:40:03 UTC
(In reply to Carl Thompson from comment #3)
> I have not tested this on a RHEL 8 system.  It does not affect RHEL 6
> because of code changes between 6 and 7 in sudo.
> 
> We ran into this issue when utilizing LDAP.  Sudo privileges configured
> locally.  The sudo caches the expired password as valid and prompts for a
> password change.  However, if you cancel out of password change dialog and
> simply run sudo again the cached validation of the expired password is
> enough to allow escalation, not prompting for password change again.

Hi Carl,

We tested this on rhel-6/7/8 and we could not reproduce it on any of the platforms with the standard PAM configuration shipped with stock RHEL. It seems that though the bug may exist in sudo, the PAM configurations shipped with RHEL stop the flaw from manifesting. Could you share the configurations you use (PAM etc.) so that we can try to reproduce this at our end?

Thanks!

Comment 9 Carl Thompson 2020-02-17 15:20:56 UTC
I know we have seen this in our systems here. As soon as I get a chance I will set up a complete environment that is easy for you to duplicate, with instructions on how I have it set up, to attempt to duplicate this.

I will be utilizing FreeIPA for LDAP and test against RHEL 6/7/8

Comment 11 Radovan Sroka 2020-03-19 16:50:01 UTC
Created attachment 1671514 [details]
proposed patch1

Comment 12 Radovan Sroka 2020-03-19 16:50:41 UTC
Created attachment 1671515 [details]
proposed patch2

Comment 19 errata-xmlrpc 2020-09-29 19:56:45 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (sudo bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:3930

