Bug 916363 - (CVE-2013-1775) CVE-2013-1775 sudo: authentication bypass via reset system clock
CVE-2013-1775 sudo: authentication bypass via reset system clock
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
low Severity low
: ---
: ---
Assigned To: Red Hat Product Security
impact=low,public=20130227,reported=2...
: Security
Depends On: 916367 968221 1015355
Blocks: 916366 952520 974906
  Show dependency treegraph
 
Reported: 2013-02-27 17:36 EST by Vincent Danen
Modified: 2013-11-22 00:31 EST (History)
5 users (show)

See Also:
Fixed In Version: sudo 1.7.10p7, sudo 1.8.6p7
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-11-22 00:31:12 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Vincent Danen 2013-02-27 17:36:45 EST
From the upstream advisory:

When a user successfully authenticates with sudo, a time stamp file is updated to allow that user to continue running sudo without requiring a password for a preset time period (five minutes by default). The user's time stamp file can be reset using "sudo -k" or removed altogether via "sudo -K".
A user who has sudo access and is able to control the local clock (common in desktop environments) can run a command via sudo without authenticating as long as they have previously authenticated themselves at least once by running "sudo -k" and then setting the clock to the epoch (1970-01-01 01:00:00).

The vulnerability does not permit a user to run commands other than those allowed by the sudoers policy.

This affects versions 1.6.0 through up to the fixed 1.7.10p7 version, and sudo 1.8.0 through to the fixed 1.8.7p7.

The fix for 1.7.x: http://www.sudo.ws/repos/sudo/rev/ddf399e3e306

The fix for 1.8.x: http://www.sudo.ws/repos/sudo/rev/ebd6cc75020f


External References:

http://www.sudo.ws/sudo/alerts/epoch_ticket.html
Comment 1 Vincent Danen 2013-02-27 17:47:43 EST
Created sudo tracking bugs for this issue

Affects: fedora-all [bug 916367]
Comment 5 Fedora Update System 2013-03-15 21:22:20 EDT
sudo-1.8.6p7-1.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 12 Fedora Update System 2013-03-19 16:04:37 EDT
sudo-1.8.6p7-1.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 16 errata-xmlrpc 2013-09-30 20:29:27 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2013:1353 https://rhn.redhat.com/errata/RHSA-2013-1353.html
Comment 17 Huzaifa S. Sidhpurwala 2013-10-01 00:57:39 EDT
This issue has been classified as low security impact, because of the following reasons.

1. A user already needs to have sudo access on the target machine.

2. The user needs to have permission to set system clock on the target machine. This is uncommon and may only be used for some desktop configurations.

3. Successful exploitation of this issue, only results in bypass of sudo cache credential timeout, it does not provide any additional privileges to the attacker.
Comment 21 errata-xmlrpc 2013-11-21 18:12:25 EST
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2013:1701 https://rhn.redhat.com/errata/RHSA-2013-1701.html
Comment 22 Huzaifa S. Sidhpurwala 2013-11-22 00:31:12 EST
Statement:

(none)

Note You need to log in before you can comment on or make changes to this bug.