sudo: Privilege escalation via improper get_process_ttyname() parsing

Status: Resolved
Impact: Important

Red Hat Product Security has been made aware of a local vulnerability affecting the Linux sudo package that allows for privilege escalation. The vulnerability has been assigned CVE-2017-1000367. This issue was publicly disclosed on May 30th, 2017 and has been rated as Important.

A flaw was found in the way the get_process_ttyname() function obtained information about the controlling terminal of the sudo process from the process status file (/proc/[pid]/stat) in the /proc filesystem. The terminal's device number is located by counting space-separated fields in that file, but the process name field that precedes it may itself contain spaces, so a sudo process started under a crafted name can control which value sudo treats as its terminal. A local attacker who has any level of sudo access on the system could use this flaw to execute arbitrary commands as root or, under certain conditions, escalate their privileges to root.
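The parsing weakness described above, as an added example: this is illustrative code written for this page, not sudo's source. The function names, the three /proc/[pid]/stat lines and the symlink names used as process names are constructed for the demonstration. The naive parser counts fields from the start of the line; the hardened parser first skips to the last ')' that closes the process name, which is the only field that may legitimately contain spaces or parentheses.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Illustrative parsers for one line of /proc/[pid]/stat (added example,
 * not sudo's own code).  The line starts
 *     pid (comm) state ppid pgrp session tty_nr ...
 * where comm is the executed file's name truncated to 15 bytes.  A process
 * can be started through a symlink with an arbitrary name, so comm is
 * under the caller's control and may contain spaces and parentheses.
 */

/* Return the start of the n-th (1-based) space-separated field of s,
 * or NULL if s has fewer than n fields. */
static const char *nth_field(const char *s, int n)
{
    while (*s == ' ')
        s++;
    for (int i = 1; i < n; i++) {
        s = strchr(s, ' ');
        if (s == NULL)
            return NULL;
        while (*s == ' ')
            s++;
    }
    return (*s != '\0' && *s != '\n') ? s : NULL;
}

/* Convert a field to a non-negative number.  The field must be all digits
 * and be followed by a space or the end of the line; otherwise return -1
 * so that a malformed field is never silently used. */
static long field_to_num(const char *field)
{
    if (field == NULL)
        return -1;
    char *end;
    long v = strtol(field, &end, 10);
    if (end == field || v < 0 ||
        (*end != ' ' && *end != '\n' && *end != '\0'))
        return -1;
    return v;
}

/* Vulnerable pattern: count fields from the start of the line and take
 * the seventh.  Spaces inside "(comm)" shift the count, so the process
 * name decides which token lands in position 7. */
long tty_nr_naive(const char *stat_line)
{
    return field_to_num(nth_field(stat_line, 7));
}

/* Hardened pattern: comm is always the second field and is the only one
 * that may contain spaces or ')', so skip to the LAST ')' and count from
 * there: state ppid pgrp session tty_nr, i.e. tty_nr is field 5.
 * Stopping at the first ')' would still be fooled by CRAFTED_PAREN. */
long tty_nr_fixed(const char *stat_line)
{
    const char *cp = strrchr(stat_line, ')');
    if (cp == NULL)
        return -1;
    return field_to_num(nth_field(cp + 1, 5));
}

/* Constructed sample lines.  34816 is major 136, minor 0 (/dev/pts/0). */
/* An ordinary sudo process. */
const char *BENIGN_STAT =
    "4242 (sudo) S 4100 4242 4100 34816 4242 4194304 0 0 0 0 0 0 0 0 20 0 1 0 1234 567 0\n";
/* sudo executed through a symlink named "x x x x x 123 x" (15 bytes). */
const char *CRAFTED_SPACES =
    "4242 (x x x x x 123 x) S 4100 4242 4100 34816 4242 4194304 0 0 0 0 0 0 0 0 20 0 1 0 1234 567 0\n";
/* sudo executed through a symlink named "x) x x x x 7 x": a ')' in comm. */
const char *CRAFTED_PAREN =
    "4242 (x) x x x x 7 x) S 4100 4242 4100 34816 4242 4194304 0 0 0 0 0 0 0 0 20 0 1 0 1234 567 0\n";

int main(void)
{
    const char *samples[] = { BENIGN_STAT, CRAFTED_SPACES, CRAFTED_PAREN };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("naive=%ld fixed=%ld\n",
               tty_nr_naive(samples[i]), tty_nr_fixed(samples[i]));
    return 0;
}
```

On the benign line both parsers agree on 34816. On the two crafted lines the naive parser returns a number chosen by whoever named the executable (123 and 7), while the hardened parser still returns the real tty_nr. The device number recovered here is what sudo later resolves to a path under /dev, which is why a misparsed field matters.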

All sudo packages shipped with Red Hat Enterprise Linux are compiled with SELinux support, and SELinux is enabled by default.

Background Information

Sudo (superuser do) allows a system administrator to give certain users (or groups of users) the ability to run some (or all) commands as root while logging all commands and arguments. Sudo operates on a per-command basis.

A local user who has any level of sudo access on the system can use this flaw to run arbitrary commands as root or escalate their privileges to root.

Acknowledgement

Red Hat would like to thank Qualys Security for reporting this flaw.

Successful exploitation of this vulnerability could allow a local attacker to escalate privileges and potentially execute malicious code.

Red Hat Product Security has rated this update as having a security impact of Important.    

Impacted Products

The following Red Hat product versions are impacted:

  • Red Hat Enterprise Linux 5
  • Red Hat Enterprise Linux 6 
  • Red Hat Enterprise Linux 7

Diagnose your vulnerability

Determine if your system is vulnerable

Use the detection script below to determine if your system is currently vulnerable to this flaw.  To verify the legitimacy of the script, you can download the detached GPG signature as well.  The current version of the script is 1.0.

Take Action

All Red Hat customers running affected products are strongly recommended to update as soon as patches are available. Details about impacted packages are noted below.

Updates for Affected Products

Product                          Package   Advisory/Update
Red Hat Enterprise Linux 7       sudo      RHSA-2017:1382
Red Hat Enterprise Linux 6       sudo      RHSA-2017:1382
Red Hat Enterprise Linux 5 ELS*  sudo      RHSA-2017:1381

*An active ELS subscription is required for access to this patch.

Please contact Red Hat sales or your specific sales representative for more information if your account does not have an active ELS subscription.

Ansible Playbook

An Ansible playbook is available to address this issue. The playbook will update sudo to the latest available version, and will alert you afterward if a vulnerable version of sudo is still installed. To run the playbook, list the hosts you wish to update in the HOSTS variable:

# ansible-playbook -e HOSTS=web01,db02 cve-2017-1000367.yml

If after an update, a host is still vulnerable, the play will fail with the message "Vulnerable version still installed".


9 Comments


According to https://www.sudo.ws/alerts/linux_tty.html this sudo vulnerability can only be effective in case SELinux is enabled. Does this mean only enforcing mode or permissive mode too?

Hi Jaroslav, Our analysis team reviewed this aspect. We can confirm that this issue with sudo would be there independent of using SELinux in either enforcing or permissive mode.

The article has been updated to clearly state that sudo is compiled with SELinux support, and that our default installation has SELinux enabled by default.

Regards, Cliff

Just to verify, if SELinux is in disabled mode, this vulnerability in sudo cannot be exploited?

I am asking because I ran the cve-2017-1000367.sh script on a RHEL6 system with SELinux disabled, and the script said sudo was vulnerable.

Thanks

Andy,

The script checks if sudo is installed and then compares it against the vulnerable versions. It does run a POC or check to see if SELinux is enabled on the system. So in your case you have a version of sudo installed that is considered to be vulnerable and you should update to protect your systems.

There is no POC check nor is there a check to see if SELinux is enabled on the box in version 1.0 of the cve-2017-1000367.sh script. Version 1.0 is the latest version of the script as of this writing.

Here's what the script does.

basic_args does argument parsing.
basic_reqs checks for the rpm command on the box.
check_supported_kernel checks for the RHEL[5-7].
check_package checks the sudo package version against the list of vulnerable versions.
"main" just checks if sudo is installed, calls the functions in order, and then prints the results.

Is there a later version of the script that hasn't been released?

And, again, is a box vulnerable if SELinux is set to disabled?

Hi, It is our strong recommendation, irrespective of SELinux, to apply the fixed RPM's to systems that you manage.

Regards,

Cliff, I understand the recommendation is to patch. However, can you just reply to the direct question Wayne asked? "Is the box vulnerable if SELinux is disabled?" The answer is important to people that maintain large PRODUCTION systems (i.e. to prioritize when the patch gets applied). If we know the boxes are not vulnerable if SELinux is disabled then we can focus first on the boxes with SELinux enabled. Thanks and kind regards, Cosmin

Alert description pages states: "Sudo versions affected: Sudo 1.8.6p7 through 1.8.20 inclusive."

But the RH provided "diagnose" script (which can be downloaded from https://access.redhat.com/sites/default/files/cve-2017-1000367.sh) detects as "vulnerable" a much wider range of versions:

VULNERABLE_VERSIONS=(
    'sudo-1.6.8p12-12.el5'
    'sudo-1.6.9p17-3.el5'
    'sudo-1.6.9p17-3.el5_3.1'
    'sudo-1.6.9p17-5.el5'
    'sudo-1.6.9p17-6.el5_4'
    'sudo-1.7.2p1-5.el5'
    'sudo-1.7.2p1-6.el5_5'
    'sudo-1.7.2p1-7.el5_5'
    'sudo-1.7.2p1-8.el5_5'
    'sudo-1.7.2p1-9.el5_5'
    'sudo-1.7.2p1-10.el5'
    'sudo-1.7.2p1-13.el5'
    'sudo-1.7.2p1-14.el5_8'
    'sudo-1.7.2p1-14.el5_8.2'
    'sudo-1.7.2p1-14.el5_8.3'
    'sudo-1.7.2p1-14.el5_8.4'
    'sudo-1.7.2p1-22.el5'
    'sudo-1.7.2p1-22.el5_9.1'
    'sudo-1.7.2p1-28.el5'
    'sudo-1.7.2p1-29.el5_10'
    'sudo-1.7.4p5-5.el6'
    'sudo-1.7.4p5-6.el6_1'
    'sudo-1.7.4p5-7.el6'
    'sudo-1.7.4p5-9.el6_2'
    'sudo-1.7.4p5-11.el6'
    'sudo-1.7.4p5-12.el6_3'
    'sudo-1.7.4p5-13.el6_3'
    'sudo-1.7.4p5-13.el6_3.1'
    'sudo-1.8.6p3-7.el6'
    'sudo-1.8.6p3-12.el6'
    'sudo-1.8.6p3-15.el6'
    'sudo-1.8.6p3-19.el6'
    'sudo-1.8.6p3-20.el6_7'
    'sudo-1.8.6p3-24.el6'
    'sudo-1.8.6p3-25.el6_8'
    'sudo-1.8.6p3-27.el6'
    'sudo-1.8.6p7-11.el7'
    'sudo-1.8.6p7-13.el7'
    'sudo-1.8.6p7-16.el7'
    'sudo-1.8.6p7-17.el7_2'
    'sudo-1.8.6p7-20.el7'
    'sudo-1.8.6p7-21.el7_3'
)

Could someone clarify?

Red Hat does backport bug fixes, features and capabilities, and so we cannot depend solely on upstream guidance. https://access.redhat.com/security/updates/backporting

During our code review, all of the newest versions of our packages had the impacted code, including the 1.7 sudo RHEL 5 packages. We recommend applying the fix to your systems.

Regards,
