Bug 628628 (CVE-2010-2956) - CVE-2010-2956 sudo: incorrect handling of RunAs specification with both user and group lists
Status: CLOSED ERRATA
Alias: CVE-2010-2956
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: public=20100907,reported=20100827,sou...
Keywords: Security
Depends On: 627976 629053 629054 630957
Blocks:
 
Reported: 2010-08-30 14:53 UTC by Jan Lieskovsky
Modified: 2019-06-08 13:05 UTC (History)
Last Closed: 2010-12-22 15:49:20 UTC


Attachments
Proposed patch from Todd C. Miller (2.75 KB, patch)
2010-08-30 15:07 UTC, Jan Lieskovsky


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2010:0675 normal SHIPPED_LIVE Important: sudo security update 2010-09-07 12:49:21 UTC

Description Jan Lieskovsky 2010-08-30 14:53:06 UTC
A security flaw was found in the way Sudo performed matching
for the user described by a password entry against the list of members
allowed to run a particular sudo command, when the group option
was specified on the command line. If a local, unprivileged
user was authorized by the sudoers file to run their sudo commands
with the permissions of a particular group (different from their own),
it could lead to privilege escalation (execution of that sudo
command with the permissions of a privileged user account (root)).

Acknowledgements:

Red Hat would like to thank Markus Wuethrich of Swiss Post - PostFinance
for reporting this issue.

Comment 3 Jan Lieskovsky 2010-08-30 15:07:36 UTC
Created attachment 441964 [details]
Proposed patch from Todd C. Miller

Comment 4 Jan Lieskovsky 2010-08-30 15:10:13 UTC
This issue did NOT affect the versions of the sudo package as shipped
with Red Hat Enterprise Linux 3 and 4, as those sudo versions do not
allow specifying group options on the sudo command line.

This issue affects the versions of the sudo package as shipped with
Red Hat Enterprise Linux 5.

--

This issue affects the versions of the sudo package as shipped with
Fedora releases 12 and 13.

Comment 10 Jan Lieskovsky 2010-08-31 09:09:20 UTC
The CVE identifier of CVE-2010-2956 has been assigned to this.

Comment 13 Tomas Hoger 2010-08-31 19:20:39 UTC
To extend the description in comment #0 a bit, this problem affects configurations using a Runas_Spec with both user and group lists specified, such as this example from the sudoers man page:

  dgb    boulder = (operator : operator) /bin/ls

In such configurations, a user could run the specified command with the privileges of an arbitrary user or group using the -u and -g command line arguments, as sudo only enforced that one of the specified user or group matched the list configured in the sudoers file.

The description of this feature in the sudoers man page seems somewhat confusing / incomplete:

  If both Runas_Lists are specified, the command may be run with any
  combination of users and groups listed in their respective Runas_Lists.

This does not cover cases where sudo is run with only the -u option (the command is run with the UID of the user in the user Runas_List and the GID of that user's primary group, which need not be listed in the group Runas_List), or with only the -g option (the command is run with the invoking user's UID and only the GID is changed).  It may be clearer to mention that any combination of users and groups listed in their respective Runas_Lists can be used as arguments to sudo's -u and -g options.
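
As an added illustration (not sudo's code and not the attached patch), the following Python model parses the sudoers entry quoted above and contrasts the flawed "either list matches" rule described in this comment with the corrected rule, where each identity requested with -u or -g must appear in its own Runas_List. The flawed function models only what the comment states; DEFAULT_RUNAS_USER is an assumed stand-in for sudo's runas_default, and aliases or ALL are not expanded.

```python
"""Illustrative model of sudo Runas_Spec matching (CVE-2010-2956); not sudo's code."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed input: the sudoers entry quoted in comment 13.
SUDOERS_LINE = "dgb    boulder = (operator : operator) /bin/ls"
DEFAULT_RUNAS_USER = "root"  # stands in for sudo's runas_default (assumption)


@dataclass(frozen=True)
class RunasSpec:
    users: frozenset   # user Runas_List
    groups: frozenset  # group Runas_List (empty if not given)


# "(user_list : group_list)"; the ": group_list" part is optional.
RUNAS_RE = re.compile(r"\(\s*([^:)]*?)\s*(?::\s*([^)]*?))?\s*\)")


def parse_runas_spec(line: str) -> RunasSpec:
    """Pull the Runas_Spec out of one sudoers line. Aliases and ALL are
    treated as plain names here; a real parser would expand them."""
    m = RUNAS_RE.search(line)
    if not m:  # no "(...)": the default is to run as root only
        return RunasSpec(frozenset({DEFAULT_RUNAS_USER}), frozenset())
    users = {u.strip() for u in m.group(1).split(",") if u.strip()}
    groups = {g.strip() for g in (m.group(2) or "").split(",") if g.strip()}
    return RunasSpec(frozenset(users), frozenset(groups))


def vulnerable_match(spec: RunasSpec, user: Optional[str], group: Optional[str]) -> bool:
    """Flawed rule as described in comment 13: with both -u and -g given,
    a match in either list is accepted."""
    if group is None:
        return (user or DEFAULT_RUNAS_USER) in spec.users
    if user is None:
        return group in spec.groups
    return user in spec.users or group in spec.groups  # "or" is the bug


def fixed_match(spec: RunasSpec, user: Optional[str], group: Optional[str]) -> bool:
    """Corrected rule: every identity requested on the command line must be
    in its own Runas_List; -u alone checks only users, -g alone only groups."""
    if user is None and group is None:
        user = DEFAULT_RUNAS_USER
    if user is not None and user not in spec.users:
        return False
    if group is not None and group not in spec.groups:
        return False
    return True
```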

Comment 16 Jan Lieskovsky 2010-09-07 12:37:24 UTC
Public now via:
  [1] http://seclists.org/fulldisclosure/2010/Sep/89

Comment 17 Tomas Hoger 2010-09-07 12:45:27 UTC
Upstream advisory:
  http://www.sudo.ws/sudo/alerts/runas_group.html

Comment 18 errata-xmlrpc 2010-09-07 12:49:24 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2010:0675 https://rhn.redhat.com/errata/RHSA-2010-0675.html

Comment 20 Jan Lieskovsky 2010-09-07 13:32:44 UTC
Created sudo tracking bugs for this issue

Affects: fedora-all [bug 630957]
