A vulnerability was found in Sudo through 1.8.29, an attacker with access to a Runas ALL sudoer account can impersonate a nonexistent user by invoking sudo with a numeric uid that is not associated with any user. Reference: https://www.sudo.ws/stable.html#1.8.30 https://www.sudo.ws/devel.html#1.8.30b2
Created sudo tracking bugs for this issue: Affects: fedora-all [bug 1786705]
Upstream patch: https://www.sudo.ws/repos/sudo/rev/ebdbb5c7f60b
Analysis: sudo would always allow unknown user or group IDs if the sudoers entry permitted it. This included the "ALL" alias. Which basically means that if the sudoers allowed, the particular binary could be run with a user id or group id which is non-existent. This would allow users to impersonate non-existing users and could be used to bypass certain application restrictions. This was fixed by introducing a new setting called "allow_unknown_runas_id" to control matching of unknown IDs.
Statement: A new setting variable called "allow_unknown_runas_id" was introduced which would explicitly allow sudo to run applications with unknown user or group ids (Provided sudo was configured that way, for example via the runas parameter etc).
External References: https://www.sudo.ws/stable.html#1.8.30
Mitigation: This flaw only affects specific, non-default configurations of sudo, in which sudoers configuration entry allows a user to run a command as any user except root. Any other configuration of sudo is not affected by this flaw.
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:1804 https://access.redhat.com/errata/RHSA-2020:1804
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-19232