sudo: Privilege escalation via improper get_process_ttyname() parsing

Public Date: May 29, 2017, 08:53
Updated: June 19, 2017, 17:00
Status: Resolved
Impact: Important

Red Hat Product Security has been made aware of a local vulnerability affecting the Linux sudo package that allows for privilege escalation. The vulnerability has been assigned CVE-2017-1000367. This issue was publicly disclosed on May 30th, 2017 and has been rated as Important.

A flaw was found in the way the get_process_ttyname() function obtained information about the controlling terminal of the sudo process from the status file in the /proc filesystem. A local attacker who has any level of sudo access on the system could use this flaw to execute arbitrary commands as root or, under certain conditions, escalate their privileges to root.

All sudo packages shipped with Red Hat Enterprise Linux are compiled with SELinux support, and SELinux is enabled by default.
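The get_process_ttyname() flaw described above concerns parsing a /proc status file; the following added example (not sudo's code and not part of the original advisory) contrasts a naive and a hardened way of reading the controlling-terminal field. It assumes the /proc/[pid]/stat layout documented in proc(5), where field 2 (comm) is the parenthesised command name and may contain spaces, and field 7 is tty_nr; the function names and sample line are constructed for illustration.

```c
/* Added example: not sudo's code. The sample stat line is constructed. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Naive: treat tty_nr as the 7th space-separated token of the whole line.
 * Wrong whenever comm (field 2) itself contains a space. */
long tty_nr_naive(const char *s)
{
    int field = 1;
    for (; *s != '\0'; s++)
        if (*s == ' ' && ++field == 7)
            return strtol(s + 1, NULL, 10);
    return -1;
}

/* Hardened: comm ends at the LAST ')' on the line, so start counting there.
 * Returns tty_nr (0 means no controlling terminal) or -1 on malformed input. */
long tty_nr_hardened(const char *s)
{
    const char *p = strrchr(s, ')');
    char *end;
    long val;
    int field = 2;                       /* p sits at the end of field 2 */

    if (p == NULL)
        return -1;
    for (p++; *p == ' '; ) {
        p++;                             /* step onto the next field */
        if (++field == 7) {
            errno = 0;
            val = strtol(p, &end, 10);
            if (errno != 0 || end == p || (*end != ' ' && *end != '\0'))
                return -1;
            return val;
        }
        while (*p != '\0' && *p != ' ')  /* skip this field's text */
            p++;
    }
    return -1;
}

int main(void)
{
    const char *line = "4242 (Web Content) S 1 4242 4242 34817 4242 4194304";
    printf("naive=%ld hardened=%ld\n", tty_nr_naive(line), tty_nr_hardened(line));
    return 0;
}
```

With a space in the command name, the naive parser reports the session ID (4242) as the terminal number, while the hardened parser returns the real tty_nr (34817).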

Background Information

Sudo (superuser do) allows a system administrator to give certain users (or groups of users) the ability to run some (or all) commands as root while logging all commands and arguments. Sudo operates on a per-command basis.

A local user who has any level of sudo access on the system can use this flaw to run arbitrary commands as root or escalate his privileges to root.

Acknowledgement

Red Hat would like to thank Qualys Security for reporting this flaw.

Successful exploitation of this vulnerability could allow a local attacker to escalate privileges and potentially execute malicious code.

Red Hat Product Security has rated this update as having a security impact of Important.    

Impacted Products

The following Red Hat product versions are impacted:

  • Red Hat Enterprise Linux 5
  • Red Hat Enterprise Linux 6 
  • Red Hat Enterprise Linux 7

Diagnose your vulnerability

Determine if your system is vulnerable

Use the detection script below to determine if your system is currently vulnerable to this flaw.  To verify the legitimacy of the script, you can download the detached GPG signature as well.  The current version of the script is 1.0.

Take Action

All Red Hat customers running affected products are strongly recommended to update as soon as patches are available. Details about impacted packages are noted below.

Updates for Affected Products

Product                            Package   Advisory/Update
Red Hat Enterprise Linux 7         sudo      RHSA-2017:1382
Red Hat Enterprise Linux 6         sudo      RHSA-2017:1382
Red Hat Enterprise Linux 5 ELS*    sudo      RHSA-2017:1381

*An active ELS subscription is required for access to this patch.

Please contact Red Hat sales or your specific sales representative for more information if your account does not have an active ELS subscription.

Ansible Playbook

An Ansible playbook is available to address this issue. The playbook will update sudo to the latest available version, and will alert you afterward if you still have a vulnerable version of sudo installed. To run the playbook, list the hosts you wish to update in the HOSTS variable:

# ansible-playbook -e HOSTS=web01,db02 cve-2017-1000367.yml

If after an update, a host is still vulnerable, the play will fail with the message "Vulnerable version still installed".
