916363 – (CVE-2013-1775) CVE-2013-1775 sudo: authentication bypass via reset system clock

Bug 916363 (CVE-2013-1775) - CVE-2013-1775 sudo: authentication bypass via reset system clock

Summary: CVE-2013-1775 sudo: authentication bypass via reset system clock

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2013-1775
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	916367 968221 1015355
Blocks:	916366 952520 974906
TreeView+	depends on / blocked

Reported:	2013-02-27 22:36 UTC by Vincent Danen
Modified:	2021-02-17 07:59 UTC (History)
CC List:	5 users (show)
Fixed In Version:	sudo 1.7.10p7, sudo 1.8.6p7
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2013-11-22 05:31:12 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2013:1353	0	normal	SHIPPED_LIVE	Low: sudo security and bug fix update	2013-10-01 00:31:10 UTC
Red Hat Product Errata	RHSA-2013:1701	0	normal	SHIPPED_LIVE	Low: sudo security, bug fix and enhancement update	2013-11-20 21:52:06 UTC

Description Vincent Danen 2013-02-27 22:36:45 UTC

From the upstream advisory:

When a user successfully authenticates with sudo, a time stamp file is updated to allow that user to continue running sudo without requiring a password for a preset time period (five minutes by default). The user's time stamp file can be reset using "sudo -k" or removed altogether via "sudo -K".
A user who has sudo access and is able to control the local clock (common in desktop environments) can run a command via sudo without authenticating as long as they have previously authenticated themselves at least once by running "sudo -k" and then setting the clock to the epoch (1970-01-01 01:00:00).

The vulnerability does not permit a user to run commands other than those allowed by the sudoers policy.

This affects versions 1.6.0 through up to the fixed 1.7.10p7 version, and sudo 1.8.0 through to the fixed 1.8.7p7.

The fix for 1.7.x: http://www.sudo.ws/repos/sudo/rev/ddf399e3e306

The fix for 1.8.x: http://www.sudo.ws/repos/sudo/rev/ebd6cc75020f


External References:

http://www.sudo.ws/sudo/alerts/epoch_ticket.html

Comment 1 Vincent Danen 2013-02-27 22:47:43 UTC

Created sudo tracking bugs for this issue

Affects: fedora-all [bug 916367]

Comment 5 Fedora Update System 2013-03-16 01:22:20 UTC

sudo-1.8.6p7-1.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 12 Fedora Update System 2013-03-19 20:04:37 UTC

sudo-1.8.6p7-1.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 16 errata-xmlrpc 2013-10-01 00:29:27 UTC

This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2013:1353 https://rhn.redhat.com/errata/RHSA-2013-1353.html

Comment 17 Huzaifa S. Sidhpurwala 2013-10-01 04:57:39 UTC

This issue has been classified as low security impact, because of the following reasons.

1. A user already needs to have sudo access on the target machine.

2. The user needs to have permission to set system clock on the target machine. This is uncommon and may only be used for some desktop configurations.

3. Successful exploitation of this issue, only results in bypass of sudo cache credential timeout, it does not provide any additional privileges to the attacker.

Comment 21 errata-xmlrpc 2013-11-21 23:12:25 UTC

This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2013:1701 https://rhn.redhat.com/errata/RHSA-2013-1701.html

Comment 22 Huzaifa S. Sidhpurwala 2013-11-22 05:31:12 UTC

Statement:

(none)

Note You need to log in before you can comment on or make changes to this bug.