Bug 1191144 (CVE-2014-9680) - CVE-2014-9680 sudo: unsafe handling of TZ environment variable
Summary: CVE-2014-9680 sudo: unsafe handling of TZ environment variable
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2014-9680
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1191145 1200253 1235570
Blocks: 1191147 1193283
TreeView+ depends on / blocked
 
Reported: 2015-02-10 14:36 UTC by Vasyl Kaigorodov
Modified: 2021-02-17 05:39 UTC (History)
8 users (show)

Fixed In Version: sudo 1.8.12, sudo 1.7.10p9
Doc Type: Bug Fix
Doc Text:
It was discovered that sudo did not perform any checks of the TZ environment variable value. If sudo was configured to preserve the TZ environment variable, a local user with privileges to execute commands via sudo could possibly use this flaw to achieve system state changes not permitted by the configured commands. Note: The default sudoers configuration in Red Hat Enterprise Linux removes the TZ variable from the environment in which commands run by sudo are executed.
Clone Of:
Environment:
Last Closed: 2016-03-09 21:03:07 UTC


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 1375223 0 None None None Never
Red Hat Product Errata RHSA-2015:1409 0 normal SHIPPED_LIVE Moderate: sudo security, bug fix, and enhancement update 2015-07-20 18:06:58 UTC

Description Vasyl Kaigorodov 2015-02-10 14:36:21 UTC
sudo 1.8.12 will be released shortly [1] which includes sanity checks for the TZ environment variable.

This issue was previously discussed here:
    http://www.openwall.com/lists/oss-security/2014/10/15/24

There is an associated Debian bug:
    https://bugs.debian.org/772707
    From http://www.sudo.ws/alerts/tz.html


Summary:

Prior to sudo 1.8.12, the TZ environment variable was passed through
unchecked.  Most libc tzset() implementations support passing an
absolute pathname in the time zone to point to an arbitrary,
user-controlled file.  This may be used to exploit bugs in the C
library's TZ parser or open files the user would not otherwise have
access to.  Arbitrary file access via TZ could also be used in a
denial of service attack by reading from a file or fifo that will
block.

Beginning with sudo 1.8.12, TZ is only passed through by default
if it is considered "safe".  The TZ variable is now considered
"unsafe" if any of the following are true:

    o   It consists of a fully-qualified path name that
        does not match the location of the zoneinfo directory.

    o   It contains a ".." path element.

    o   It contains white space or non-printable characters.

    o   It is longer than the value of PATH_MAX.

Sudo versions affected:

Sudo versions prior to 1.8.12 are affected.

Details:

Unix systems support a user-specified time zone value stored in the
TZ environment variable.  On many systems, the value of TZ is ignored
for set user ID processes (such as sudo) if it does not pass certain
sanity checks.  However, while the value may be ignored, it is not
actually removed from the environment.  As such, a program run via
sudo will inherit the (possibly malicious) value of TZ.

A user with sudo access may take advantage of this to exploit bugs
in the C library functions which parse the TZ environment variable.
The TZ handling in most C libraries (including GNU libc and the
tzcode used by BSD and others) supports reading arbitrary files.

By setting TZ to a fully-qualified path name, a command run via
sudo may be used to read (but not disclose the contents of) files
that the user would not otherwise be able to open.  This is generally
benign for regular files, but it may be possible to change the
behavior of the system by reading from device special files.  For
instance, it may be possible to hijack the output from a terminal
device file, consume kernel log messages or cause a tape drive to
change position.  It may also be possible to cause a command run
by sudo to hang if TZ is set to the value of a named pipe or a
device special file that blocks on read.

Impact:

A user with sudo access may be able to exploit parsing bugs in the
time zone parsing functions of the system's C library functions.
The user may also be able to read arbitrary files, potentially
causing changes in system behavior when reading certain device
special files or simply causing the program run via sudo to block.

Fix:

The bug is fixed in sudo 1.8.12.

[1]: http://seclists.org/oss-sec/2015/q1/486

Comment 1 Vasyl Kaigorodov 2015-02-10 14:39:09 UTC
Created sudo tracking bugs for this issue:

Affects: fedora-all [bug 1191145]

Comment 2 Vasyl Kaigorodov 2015-02-11 14:36:16 UTC
According to the upstream:

Affected sudo versions are 1.0.0 through 1.7.10p9 and 1.8.0 through 1.8.11p2. Sudo 1.8.12 and above are not affected.

Comment 3 Fedora Update System 2015-02-22 06:04:54 UTC
sudo-1.8.12-1.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 4 Fedora Update System 2015-02-23 23:24:57 UTC
sudo-1.8.12-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 8 Martin Prpič 2015-03-09 11:00:47 UTC
External References:

http://www.sudo.ws/alerts/tz.html

Comment 11 Tomas Hoger 2015-03-12 08:24:34 UTC
This issue may only be relevant in configurations where:

- users are only allowed to run specific commands via sudo, but are not given full shell access as the target user (i.e. is it not relevant where sudo is only used by system administrators to open shell with root privileges after initially logging in using their non-root accounts)
- sudo preserves TZ environment variable setting for commands it run - i.e. when it is configured to not reset environment by default (using env_reset), or is configured to keep TZ value even after environment reset (using env_keep)

This issue does not affect the default sudo configuration in Red Hat Enterprise Linux 5, 6, and 7.  The default configuration performs environment reset and does not keep TZ value.

Starting with sudo upstream version 1.6.9, environment handling was changed to reset environment by default:

http://www.sudo.ws/repos/sudo/file/dba251655c76/UPGRADE

The env_reset was made the default in Fedora even earlier, in response to flaws as CVE-2004-1051, CVE-2005-4158, and CVE-2006-0151:

https://lists.fedoraproject.org/pipermail/devel/2006-February/080598.html
https://pkgs.fedoraproject.org/cgit/rpms/sudo.git/commit/?id=c5558ce

This Fedora change was inherited by Red Hat Enterprise Linux 5 and later.

Until upstream versions 1.8.12 and 1.7.10p9, sudo included TZ variable in the env_keep list by default.  However, the sudoers configuration in Red Hat Enterprise Linux 5 and later, and Fedora overrides that compiled-in upstream default by not including TZ in env_keep.  Hence the default configuration is not affected by this issue.

In affected configurations, this issue can be mitigated by ensuring that TZ environment setting is not preserved for commands executed by sudo.

In configurations that use env_reset but do not excluded TZ from env_keep (e.g. when env_keep is not used in sudoers at all and compiled-in default list including TZ is used), TZ can be removed from env_keep using sudoers directive:

  Defaults env_keep -= "TZ"

In configurations that do not use env_reset (such as the default configuration in Red Hat Enterprise Linux 4), sudo can be configured to explicitly remote TZ from environment using sudoers directive:

  Defaults env_delete += "TZ"

Where sudo is used to run specific commands without giving full shell access, it it recommended to use env_reset with a carefully selected list of variables to preserve rather than explicitly configure blacklist of variables to unset.

Comment 12 Tomas Hoger 2015-03-12 08:27:10 UTC
Statement:

This issue did not affect the default sudo configuration in Red Hat Enterprise Linux 5, 6, and 7.

Comment 17 errata-xmlrpc 2015-07-22 07:36:14 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2015:1409 https://rhn.redhat.com/errata/RHSA-2015-1409.html

Comment 19 Tomas Hoger 2016-03-09 21:03:07 UTC
This issue was fixed in Red Hat Enterprise Linux 7 via RHBA-2015:2424:

https://rhn.redhat.com/errata/RHBA-2015-2424.html

Released as part of Red Hat Enterprise Linux 7.2.


Note You need to log in before you can comment on or make changes to this bug.