Resolution for CVE-2019-14287, sudo: Privilege escalation via 'Runas' in Red Hat Enterprise Linux

Solution Verified - Updated -

Environment

  • Red Hat Enterprise Linux 8
  • Red Hat Enterprise Linux 7
  • Red Hat Enterprise Linux 6
  • Red Hat Enterprise Linux 5 - Out of support scope
  • Red Hat Virtualization 4
  • Red Hat OpenShift Container Platform 4.1
  • Red Hat OpenShift Container Platform 4.2

Issue

  • What is CVE-2019-14287 and impact on RHEL?
  • Is my system affected by CVE-2019-14287?
  • Are there fixes available?

Resolution

  • If a fix is provided through CVE-2019-14287, please update sudo package accordingly.
[root@localhost ~]# yum update sudo -y
  • Fix status as of 13th of November 2019
    Red Hat Enterprise Linux 8 - Fixed with sudo-1.8.25p1-8 via RHSA-2019:3694
    Red Hat Enterprise Linux 7 - Fixed with sudo-1.8.23-4.el7_7.1 via RHSA-2019:3197
    Red Hat Enterprise Linux 7.3 Advanced Update Support - Fixed with sudo-1.8.19p2-12.el7_4.1 via RHSA-2019:3219
    Red Hat Enterprise Linux 7.3 Telco Extended Update Support - Fixed with sudo-1.8.19p2-12.el7_4.1 via RHSA-2019:3219
    Red Hat Enterprise Linux 7.3 Update Services for SAP Solutions - Fixed with sudo-1.8.19p2-12.el7_4.1 via RHSA-2019:3219
    Red Hat Enterprise Linux 7.4 Advanced Update Support - Fixed with sudo-1.8.19p2-12.el7_4.1 via RHSA-2019:3209
    Red Hat Enterprise Linux 7.4 Telco Extended Update Support - Fixed with sudo-1.8.19p2-12.el7_4.1 via RHSA-2019:3209
    Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions - Fixed with sudo-1.8.19p2-12.el7_4.1 via RHSA-2019:3209
    Red Hat Enterprise Linux 7.5 Extended Update Support - Fixed with sudo-1.8.19p2-14.el7_5.1 via RHSA-2019:3204
    Red Hat Enterprise Linux 7.6 Extended Update Support - Fixed with sudo-1.8.23-3.el7_6.1 via RHSA-2019:3205
    Red Hat Enterprise Linux 6 - Fixed with sudo-1.8.6p3-29 via RHSA-2019:3755
    Red Hat Enterprise Linux 6.6 Advanced Update Support - Fixed with sudo-1.8.6p3-15 via RHSA-2019:3754
    Red Hat Enterprise Linux 5 - Out of support scope
    Red Hat Virtualization 4 - RHBA-2019:3248
    Red Hat OpenShift Container Platform 4.1 - Not released yet
    Red Hat OpenShift Container Platform 4.2 - Not released yet
  • If no fix is available for the version of software you are running, please review your sudoers configuration to ensure they are not affected by this vulnerability. Please see the diagnosis step for more information.

Root Cause

A flaw was found in the way sudo implemented running commands with arbitrary user ID. If a sudoers entry is written to allow the attacker to run a command as any user except root, this flaw can be used by the attacker to bypass that restriction.

This flaw only affects configurations of sudo, in which sudoers configuration entry allows a user to run a command as any user except root, for example:

bob myhost = (ALL, !root) /usr/bin/vi

This configuration allows user bob to run vi command as any other user except root. However, this flaw also allows bob to run the vi command as root by specifying the target user using the numeric id of -1. Only the specified command can be run, this flaw does NOT allow user to run other commands that those specified in the sudoers configuration.

Any other configurations of sudo (including configurations that allow user to run commands as any user including root and configurations that allow user to run command as a specific other user) are NOT affected by this flaw.

Diagnostic Steps

The exclusion is specified using an excalamation mark (!). In this example, the "root" user is specified by name.

someuser ALL=(ALL, !root) /usr/bin/somecommand

The root user may also be identified in other ways, such as by user id:

someuser ALL=(ALL, !#0) /usr/bin/somecommand

or by reference to a runas alias:

Runas_Alias MYGROUP = root, adminuser
someuser ALL=(ALL, !MYGROUP) /usr/bin/somecommand

To ensure your sudoers configuration is not affected by this vulnerability, we recommend examining each sudoers entry that includes the ! character in the runas specification, to ensure that the root user is not among the exclusions. These can be found in the /etc/sudoers file or files under /etc/sudoers.d.

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.

Comments