Resolution for CVE-2019-14287, sudo: Privilege escalation via 'Runas' in Red Hat Enterprise Linux
Environment
- Red Hat Enterprise Linux 8
- Red Hat Enterprise Linux 7
- Red Hat Enterprise Linux 6
- Red Hat Enterprise Linux 5 - Out of support scope
- Red Hat Virtualization 4
- Red Hat OpenShift Container Platform 4.1
- Red Hat OpenShift Container Platform 4.2
Issue
- What is CVE-2019-14287 and impact on RHEL?
- Is my system affected by CVE-2019-14287?
- Are there fixes available?
Resolution
- If a fix is provided for CVE-2019-14287, please update the sudo package accordingly:
[root@localhost ~]# yum update sudo -y
- Fix status as of 13th of November 2019
  - Red Hat Enterprise Linux 8 - Fixed with sudo-1.8.25p1-8 via RHSA-2019:3694
  - Red Hat Enterprise Linux 7 - Fixed with sudo-1.8.23-4.el7_7.1 via RHSA-2019:3197
  - Red Hat Enterprise Linux 7.3 Advanced Update Support - Fixed with sudo-1.8.19p2-12.el7_4.1 via RHSA-2019:3219
  - Red Hat Enterprise Linux 7.3 Telco Extended Update Support - Fixed with sudo-1.8.19p2-12.el7_4.1 via RHSA-2019:3219
  - Red Hat Enterprise Linux 7.3 Update Services for SAP Solutions - Fixed with sudo-1.8.19p2-12.el7_4.1 via RHSA-2019:3219
  - Red Hat Enterprise Linux 7.4 Advanced Update Support - Fixed with sudo-1.8.19p2-12.el7_4.1 via RHSA-2019:3209
  - Red Hat Enterprise Linux 7.4 Telco Extended Update Support - Fixed with sudo-1.8.19p2-12.el7_4.1 via RHSA-2019:3209
  - Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions - Fixed with sudo-1.8.19p2-12.el7_4.1 via RHSA-2019:3209
  - Red Hat Enterprise Linux 7.5 Extended Update Support - Fixed with sudo-1.8.19p2-14.el7_5.1 via RHSA-2019:3204
  - Red Hat Enterprise Linux 7.6 Extended Update Support - Fixed with sudo-1.8.23-3.el7_6.1 via RHSA-2019:3205
  - Red Hat Enterprise Linux 6 - Fixed with sudo-1.8.6p3-29 via RHSA-2019:3755
  - Red Hat Enterprise Linux 6.6 Advanced Update Support - Fixed with sudo-1.8.6p3-15 via RHSA-2019:3754
  - Red Hat Enterprise Linux 5 - Out of support scope
  - Red Hat Virtualization 4 - RHBA-2019:3248
  - Red Hat OpenShift Container Platform 4.1 - Not released yet
  - Red Hat OpenShift Container Platform 4.2 - Not released yet
- If no fix is available for the version of software you are running, please review your sudoers configuration to ensure it is not affected by this vulnerability. Please see the Diagnostic Steps section for more information.
Root Cause
A flaw was found in the way sudo implemented running commands with an arbitrary user ID. If a sudoers entry is written to allow the attacker to run a command as any user except root, this flaw can be used by the attacker to bypass that restriction.
This flaw only affects configurations of sudo in which a sudoers entry allows a user to run a command as any user except root, for example:
bob myhost = (ALL, !root) /usr/bin/vi
This configuration allows user bob to run the vi command as any other user except root. However, this flaw also allows bob to run the vi command as root by specifying the target user using the numeric id of -1. Only the specified command can be run; this flaw does NOT allow the user to run commands other than those specified in the sudoers configuration.
Any other configurations of sudo (including configurations that allow a user to run commands as any user including root, and configurations that allow a user to run a command as a specific other user) are NOT affected by this flaw.
Diagnostic Steps
The exclusion is specified using an exclamation mark (!). In this example, the "root" user is excluded by name:
someuser ALL=(ALL, !root) /usr/bin/somecommand
The root user may also be identified in other ways, such as by user id:
someuser ALL=(ALL, !#0) /usr/bin/somecommand
or by reference to a runas alias:
Runas_Alias MYGROUP = root, adminuser
someuser ALL=(ALL, !MYGROUP) /usr/bin/somecommand
To ensure your sudoers configuration is not affected by this vulnerability, we recommend examining each sudoers entry that includes the ! character in the runas specification, to ensure that the root user is not among the exclusions. These entries can be found in the /etc/sudoers file or in files under /etc/sudoers.d.
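As an added example (not part of this Red Hat solution), the following Python script applies the diagnostic check above to sudoers text: it expands Runas_Alias definitions and reports each entry whose runas list excludes root by name, by uid (#0) or through an alias. The sudoers content is constructed for the example; on a real host you would feed it /etc/sudoers and each file under /etc/sudoers.d, and it handles only the single-line entry forms shown in this article.

```python
import re
# Constructed sample sudoers content (not taken from any real system); the
# first three entries exclude root by name, by uid 0 and via a Runas_Alias.
SAMPLE_SUDOERS = """\
Runas_Alias MYGROUP = root, adminuser
Runas_Alias OPS = deploy, backup
bob myhost = (ALL, !root) /usr/bin/vi
someuser ALL=(ALL, !#0) /usr/bin/somecommand
someuser ALL=(ALL, !MYGROUP) /usr/bin/somecommand
alice ALL=(ALL, !OPS) /usr/bin/less
carol ALL=(ALL) ALL
"""

ALIAS_DEF = re.compile(r'^\s*Runas_Alias\s+(\w+)\s*=\s*(.+)$')
RUNAS_SPEC = re.compile(r'\(([^)]*)\)')

def parse_runas_aliases(text):
    """Map each Runas_Alias name to the set of members it expands to."""
    aliases = {}
    for line in text.splitlines():
        m = ALIAS_DEF.match(line)
        if m:
            aliases[m.group(1)] = {x.strip() for x in m.group(2).split(',')}
    return aliases

def names_root(member, aliases, seen=frozenset()):
    """True if a runas member denotes root by name, by uid (#0) or via an alias."""
    if member in ('root', '#0'):
        return True
    if member in aliases and member not in seen:
        return any(names_root(x, aliases, seen | {member}) for x in aliases[member])
    return False

def find_affected_entries(text):
    """Return the sudoers lines whose runas spec excludes root with '!'."""
    aliases = parse_runas_aliases(text)
    affected = []
    for line in text.splitlines():
        entry = line.strip()
        if not entry or entry.startswith('#') or ALIAS_DEF.match(entry):
            continue
        m = RUNAS_SPEC.search(entry)
        # A runas spec may be "users : groups"; only the user list matters here.
        users = m.group(1).split(':')[0] if m else ''
        for member in (u.strip() for u in users.split(',')):
            if member.startswith('!') and names_root(member[1:].strip(), aliases):
                affected.append(entry)
                break
    return affected
```

Entries the script reports should be patched, or rewritten so that root is not merely excluded from an otherwise-unrestricted runas list.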
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.