Bug 1760531 (CVE-2019-14287) - CVE-2019-14287 sudo: Privilege escalation via 'Runas' specification with 'ALL' keyword
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-14287
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1760695 1760697 1760684 1760686 1760687 1760688 1760689 1760690 1760691 1760692 1760693 1760694 1760696 1761584 1762737 1765368 1765369 1771941 1777346
Blocks: 1760532
Reported: 2019-10-10 18:19 UTC by Pedro Sampaio
Modified: 2020-02-04 12:54 UTC (History)

Fixed In Version: sudo 1.8.28
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the way sudo implemented running commands with arbitrary user ID. If a sudoers entry is written to allow the attacker to run a command as any user except root, this flaw can be used by the attacker to bypass that restriction.
Clone Of:
Environment:
Last Closed: 2019-10-25 00:51:16 UTC


Attachments
upstream patch that fixes a test issue (3.26 KB, patch)
2019-10-10 20:45 UTC, Pedro Sampaio
Upstream fix (4.52 KB, patch)
2019-10-11 13:22 UTC, Tomas Hoger


Links
System ID Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 4502891 None None None 2019-10-16 06:16:58 UTC
Red Hat Product Errata RHBA-2019:3864 None None None 2019-11-13 04:59:42 UTC
Red Hat Product Errata RHSA-2019:3197 None None None 2019-10-24 09:23:09 UTC
Red Hat Product Errata RHSA-2019:3204 None None None 2019-10-24 13:39:17 UTC
Red Hat Product Errata RHSA-2019:3205 None None None 2019-10-24 13:48:48 UTC
Red Hat Product Errata RHSA-2019:3209 None None None 2019-10-28 18:01:44 UTC
Red Hat Product Errata RHSA-2019:3219 None None None 2019-10-29 12:23:43 UTC
Red Hat Product Errata RHSA-2019:3278 None None None 2019-10-31 11:35:26 UTC
Red Hat Product Errata RHSA-2019:3694 None None None 2019-11-05 22:04:41 UTC
Red Hat Product Errata RHSA-2019:3754 None None None 2019-11-06 16:47:17 UTC
Red Hat Product Errata RHSA-2019:3755 None None None 2019-11-06 17:19:58 UTC
Red Hat Product Errata RHSA-2019:3895 None None None 2019-11-18 12:28:09 UTC
Red Hat Product Errata RHSA-2019:3916 None None None 2019-11-19 15:56:41 UTC
Red Hat Product Errata RHSA-2019:3941 None None None 2019-11-21 09:55:37 UTC
Red Hat Product Errata RHSA-2019:4191 None None None 2019-12-10 15:32:34 UTC
Red Hat Product Errata RHSA-2020:0388 None None None 2020-02-04 12:54:38 UTC

Description Pedro Sampaio 2019-10-10 18:19:08 UTC
A flaw was found in sudo before version 1.8.28. When sudo is configured to allow a user to run commands as an arbitrary user via the 'ALL' keyword in a 'Runas' specification, it is possible to run commands as root.

Comment 1 Pedro Sampaio 2019-10-10 18:19:10 UTC
Acknowledgments:

Name: the Sudo project
Upstream: Joe Vennix (Apple Information Security)

Comment 2 Pedro Sampaio 2019-10-10 20:45:32 UTC
Created attachment 1624516 [details]
upstream patch that fixes a test issue

Comment 7 Tomas Hoger 2019-10-11 13:22:09 UTC
Created attachment 1624734 [details]
Upstream fix

Comment 12 Laura Pardo 2019-10-14 19:34:14 UTC
Created sudo tracking bugs for this issue:

Affects: fedora-all [bug 1761584]

Comment 13 Laura Pardo 2019-10-14 19:35:27 UTC
References:
https://www.openwall.com/lists/oss-security/2019/10/14/1

Comment 14 Tomas Hoger 2019-10-14 20:27:32 UTC
External References:

https://www.sudo.ws/alerts/minus_1_uid.html

Comment 15 David Barr 2019-10-15 15:29:58 UTC
POSSIBLE WORKAROUND: Changing the "ALL" user keyword to a specific user or list of users appears to work around the bug. So, changing

```
%group ALL=(ALL) PRIVCMDS, NOPASSWD: PRIVCMDSNOPW
```

to

```
%group ALL=(root) PRIVCMDS, NOPASSWD: PRIVCMDSNOPW
```

will get

```
$ sudo -u#-1 id -u
Sorry, user [USER] is not allowed to execute '/bin/id -u' as #-1 on [FQDN].
```

(Provided `id` isn't in the list of privileged commands, of course.)

I haven't comprehensively tested this workaround, so cases may exist where this doesn't help.

Comment 19 Tomas Hoger 2019-10-15 20:13:47 UTC
(In reply to David Barr from comment #15)
> POSSIBLE WORKAROUND: Changing the "ALL" user keyword to a specific user or
> list of users appears to work around the bug.

There is no workaround needed for your configuration.

> So, changing
> 
> ```
> %group ALL=(ALL) PRIVCMDS, NOPASSWD: PRIVCMDSNOPW
> ```

This configuration already allows members of the specified group to run any of the commands defined in PRIVCMDS and PRIVCMDSNOPW as root, without exploiting this flaw.  They can just run 'sudo -u root', there's no need to use 'sudo -u#-1'.  This flaw does not allow them to run any command other than those specified in the configuration.  There's nothing to be gained via this flaw in this configuration that is not already permitted.

This issue is only relevant for configurations where a user is allowed to run some command as any user except root, i.e. configurations such as (ALL, !root).  There's no impact for configurations with (ALL), (root), or (some-non-root-user).  Affected configurations do not seem to be very common - most sudo uses would be unaffected by this problem.

Comment 20 Tomas Hoger 2019-10-15 20:24:57 UTC
Affected configurations using (ALL, !root) can be rewritten to explicitly include the list of users the commands can run as.  For example, use (user1, user2, user3) to specify that commands can be run as one of those 3 users, instead of anyone but root.  This may not be usable in cases where the list of target users is long or changing frequently.

Comment 31 Doran Moppert 2019-10-16 11:53:55 UTC
Mitigation:

This vulnerability only affects configurations of sudo that have a runas user list that includes an exclusion of root.  The simplest example is:

~~~
someuser ALL=(ALL, !root) /usr/bin/somecommand
~~~

The exclusion is specified using an exclamation mark (!).  In this example, the "root" user is specified by name.  The root user may also be identified in other ways, such as by user id:

~~~
someuser ALL=(ALL, !#0) /usr/bin/somecommand
~~~

or by reference to a runas alias:

~~~
Runas_Alias MYGROUP = root, adminuser
someuser ALL=(ALL, !MYGROUP) /usr/bin/somecommand
~~~

To ensure your sudoers configuration is not affected by this vulnerability, we recommend examining each sudoers entry that includes the `!` character in the runas specification, to ensure that the root user is not among the exclusions.  These can be found in the /etc/sudoers file or files under /etc/sudoers.d.

Comment 34 Tomas Hoger 2019-10-16 21:44:58 UTC
It does not seem possible to create a simple command to check whether a sudoers configuration may or may not be affected.  The reason for that is the richness of the sudoers configuration language, which makes it possible to exclude a user in multiple ways, such as:

- user name, i.e. !root
- user id, i.e. !#0
- group - name or id, i.e. !%root or !%#0
- defined Runas_Alias

Typical configurations do not use all of this complexity and should be easy to review for affectedness.
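
An added audit helper for the review recommended in comments 31 and 34 (written here, not from the bug or the sudo project): it walks sudoers text, resolves Runas_Alias definitions, and flags entries whose Runas user list negates root in any of the forms listed above. The sample sudoers content is constructed, and the helper is a heuristic rather than a full sudoers parser; it assumes one entry per line and does not follow #include directives or resolve group membership.

```python
import re

# Constructed sample sudoers text (not from any real host); it mixes the root
# exclusion forms from comments 31 and 34 with entries the flaw does not affect.
SAMPLE_SUDOERS = """\
Runas_Alias MYGROUP = root, adminuser
Runas_Alias WEB = www-data, nginx
Runas_Alias ADMINS = MYGROUP, opsuser
someuser ALL=(ALL, !root) /usr/bin/somecommand
someuser ALL=(ALL, !#0) /usr/bin/somecommand
someuser ALL=(ALL, !%root) /usr/bin/somecommand
someuser ALL=(ALL, !MYGROUP) /usr/bin/somecommand
someuser ALL=(ALL, !ADMINS) /usr/bin/somecommand
someuser ALL=(ALL, !root : ALL) /usr/bin/somecommand
someuser ALL=(ALL, !WEB) /usr/bin/somecommand
%group ALL=(ALL) PRIVCMDS, NOPASSWD: PRIVCMDSNOPW
"""

# Ways to name root listed in comment 34: user name, uid, group name, gid.
ROOT_SPECS = {"root", "#0", "%root", "%#0"}

def parse_runas_aliases(text):
    # Runas_Alias NAME = member, member, ...  ->  {NAME: {members}}
    aliases = {}
    for line in text.splitlines():
        m = re.match(r"\s*Runas_Alias\s+(\w+)\s*=\s*(.+?)\s*$", line)
        if m:
            aliases[m.group(1)] = {t.strip() for t in m.group(2).split(",")}
    return aliases

def expand(token, aliases, seen=frozenset()):
    # Resolve a Runas token to concrete specs, following (possibly nested) aliases.
    if token not in aliases or token in seen:
        return {token}
    return set().union(*(expand(t, aliases, seen | {token}) for t in aliases[token]))

def excludes_root(runas, aliases):
    # runas is the text inside the parentheses; anything after ':' is the Runas group.
    users = runas.split(":")[0]
    return any(item.startswith("!") and expand(item[1:].strip(), aliases) & ROOT_SPECS
               for item in (t.strip() for t in users.split(",")))

def find_affected_entries(text):
    # Sudoers lines whose Runas spec negates root (the CVE-2019-14287 precondition).
    aliases = parse_runas_aliases(text)
    hits = []
    for line in (l.strip() for l in text.splitlines()):
        m = re.search(r"\(([^)]*)\)", line)
        if line and line[0] != "#" and m and excludes_root(m.group(1), aliases):
            hits.append(line)
    return hits
```

Entries it reports are the ones to rewrite with an explicit target-user list, as comment 20 suggests, or to confirm the host runs a fixed sudo (1.8.28 or later).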

Comment 40 errata-xmlrpc 2019-10-24 09:23:07 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:3197 https://access.redhat.com/errata/RHSA-2019:3197

Comment 41 errata-xmlrpc 2019-10-24 13:39:15 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.5 Extended Update Support

Via RHSA-2019:3204 https://access.redhat.com/errata/RHSA-2019:3204

Comment 42 errata-xmlrpc 2019-10-24 13:48:46 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Extended Update Support

Via RHSA-2019:3205 https://access.redhat.com/errata/RHSA-2019:3205

Comment 43 Doran Moppert 2019-10-24 23:39:05 UTC
Statement:

This flaw only affects specific, non-default configurations of sudo, in which a sudoers configuration entry allows a user to run a command as any user except root, for example:

someuser myhost = (ALL, !root) /usr/bin/somecommand

This configuration allows user "someuser" to run somecommand as any other user except root. However, this flaw also allows someuser to run somecommand as root by specifying the target user using the numeric id of -1. Only the specified command can be run; this flaw does NOT allow the user to run commands other than those specified in the sudoers configuration.

Any other configurations of sudo (including configurations that allow a user to run commands as any user including root, and configurations that allow a user to run a command as a specific other user) are NOT affected by this flaw.

Red Hat Virtualization Hypervisor includes an affected version of sudo, however the default configuration is not vulnerable to this flaw.

Comment 45 Product Security DevOps Team 2019-10-25 00:51:16 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-14287

Comment 46 errata-xmlrpc 2019-10-28 18:01:42 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.4 Advanced Update Support
  Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.4 Telco Extended Update Support

Via RHSA-2019:3209 https://access.redhat.com/errata/RHSA-2019:3209

Comment 47 errata-xmlrpc 2019-10-29 12:23:41 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.3 Telco Extended Update Support
  Red Hat Enterprise Linux 7.3 Advanced Update Support
  Red Hat Enterprise Linux 7.3 Update Services for SAP Solutions

Via RHSA-2019:3219 https://access.redhat.com/errata/RHSA-2019:3219

Comment 48 errata-xmlrpc 2019-10-31 11:35:24 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.2 Telco Extended Update Support
  Red Hat Enterprise Linux 7.2 Advanced Update Support
  Red Hat Enterprise Linux 7.2 Update Services for SAP Solutions

Via RHSA-2019:3278 https://access.redhat.com/errata/RHSA-2019:3278

Comment 49 errata-xmlrpc 2019-11-05 22:04:39 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:3694 https://access.redhat.com/errata/RHSA-2019:3694

Comment 50 errata-xmlrpc 2019-11-06 16:47:12 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.6 Advanced Update Support

Via RHSA-2019:3754 https://access.redhat.com/errata/RHSA-2019:3754

Comment 51 errata-xmlrpc 2019-11-06 17:19:53 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2019:3755 https://access.redhat.com/errata/RHSA-2019:3755

Comment 56 errata-xmlrpc 2019-11-18 12:28:06 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.5 Advanced Update Support

Via RHSA-2019:3895 https://access.redhat.com/errata/RHSA-2019:3895

Comment 57 errata-xmlrpc 2019-11-19 15:56:39 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.2

Via RHSA-2019:3916 https://access.redhat.com/errata/RHSA-2019:3916

Comment 58 errata-xmlrpc 2019-11-21 09:55:34 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.1

Via RHSA-2019:3941 https://access.redhat.com/errata/RHSA-2019:3941

Comment 60 errata-xmlrpc 2019-12-10 15:32:31 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5 Extended Lifecycle Support

Via RHSA-2019:4191 https://access.redhat.com/errata/RHSA-2019:4191

Comment 62 errata-xmlrpc 2020-02-04 12:54:34 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions

Via RHSA-2020:0388 https://access.redhat.com/errata/RHSA-2020:0388

