sudo: Privilege escalation via improper get_process_ttyname() parsing
Updated -
- Status: Resolved
- Impact: Important
Red Hat Product Security has been made aware of a local vulnerability affecting the Linux sudo package that allows for privilege escalation. The vulnerability has been assigned CVE-2017-1000367. This issue was publicly disclosed on May 30th, 2017 and has been rated as Important.
All sudo packages shipped with Red Hat Enterprise Linux are compiled with SELinux support, and SELinux is enabled by default.
Background Information
Acknowledgement
Red Hat would like to thank Qualys Security for reporting this flaw.
Successful exploitation of this vulnerability could allow a local attacker to escalate privileges and potentially execute malicious code.
Red Hat Product Security has rated this update as having a security impact of Important.
Impacted Products
The following Red Hat product versions are impacted:
- Red Hat Enterprise Linux 5
- Red Hat Enterprise Linux 6
- Red Hat Enterprise Linux 7
Diagnose your vulnerability
Take Action
All Red Hat customers running affected products are strongly recommended to update as soon as patches are available. Details about impacted packages are noted below.
Updates for Affected Products
Product | Package | Advisory/Update |
---|---|---|
Red Hat Enterprise Linux 7 | sudo | RHSA-2017:1382 |
Red Hat Enterprise Linux 6 | sudo | RHSA-2017:1382 |
Red Hat Enterprise Linux 5 ELS* | sudo | |
*An active ELS subscription is required for access to this patch.
Please contact Red Hat sales or your specific sales representative for more information if your account does not have an active ELS subscription.
Ansible Playbook
An Ansible playbook is available to address this issue. The playbook will update sudo to the latest available version, and will alert you afterward if you still have a vulnerable version of sudo installed. To run the playbook, list the hosts you wish to update in the HOSTS variable:
# ansible-playbook -e HOSTS=web01,db02 cve-2017-1000367.yml
If after an update, a host is still vulnerable, the play will fail with the message "Vulnerable version still installed".
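As an added illustration of the version check such a playbook or diagnose script has to perform (this is not Red Hat's playbook or script, and the installed and fixed build strings used below are constructed placeholders, not the NVRs from RHSA-2017:1382), the following POSIX shell functions order RPM version and release strings the way rpm's own segment-wise comparison does. Because Red Hat backports fixes, the fixed build can carry the same upstream version as the vulnerable one and differ only in its release, so a check has to compare VERSION-RELEASE pairs rather than match the upstream version range:

```shell
#!/bin/sh
# Added example: rpm-style ordering of VERSION-RELEASE strings so that a
# backported fix (same upstream version, higher release) is recognised.
# Epoch and the '~' / '^' modifiers are not handled here.

# Print the leading run of digits (kind=num) or letters (kind=alpha) of $2.
lead_run() {
    if [ "$1" = num ]; then
        printf '%s\n' "$2" | sed 's/^\([0-9]*\).*/\1/'
    else
        printf '%s\n' "$2" | sed 's/^\([A-Za-z]*\).*/\1/'
    fi
}

# Drop leading characters that are neither digits nor letters (segment separators).
strip_separators() {
    printf '%s\n' "$1" | sed 's/^[^0-9A-Za-z]*//'
}

# Compare two version (or release) strings segment by segment.
# Prints -1, 0 or 1 for a<b, a=b, a>b.
rpm_vercmp() {
    a=$1; b=$2
    [ "$a" = "$b" ] && { printf '%s\n' 0; return; }
    while :; do
        a=$(strip_separators "$a"); b=$(strip_separators "$b")
        if [ -z "$a" ] || [ -z "$b" ]; then break; fi
        # The type of the next segment is decided by the left-hand string.
        case "$a" in [0-9]*) kind=num ;; *) kind=alpha ;; esac
        sa=$(lead_run "$kind" "$a"); sb=$(lead_run "$kind" "$b")
        if [ -z "$sb" ]; then
            # Segment types differ: a numeric segment sorts after an alphabetic one.
            if [ "$kind" = num ]; then printf '%s\n' 1; else printf '%s\n' -1; fi
            return
        fi
        a=${a#"$sa"}; b=${b#"$sb"}
        if [ "$kind" = num ]; then
            # Numeric segments: strip leading zeros, then the longer number is larger.
            sa=$(printf '%s\n' "$sa" | sed 's/^0*//'); sb=$(printf '%s\n' "$sb" | sed 's/^0*//')
            if [ ${#sa} -gt ${#sb} ]; then printf '%s\n' 1; return; fi
            if [ ${#sa} -lt ${#sb} ]; then printf '%s\n' -1; return; fi
        fi
        if [ "$sa" != "$sb" ]; then
            if [ "$sa" \> "$sb" ]; then printf '%s\n' 1; else printf '%s\n' -1; fi
            return
        fi
    done
    # All compared segments matched: the side with characters left over is newer.
    if [ -z "$a" ] && [ -z "$b" ]; then printf '%s\n' 0
    elif [ -z "$a" ]; then printf '%s\n' -1
    else printf '%s\n' 1
    fi
}

# Compare VERSION-RELEASE strings: version first, release only on a tie.
nvr_cmp() {
    av=${1%%-*}; ar=${1#*-}
    bv=${2%%-*}; br=${2#*-}
    r=$(rpm_vercmp "$av" "$bv")
    if [ "$r" != 0 ]; then printf '%s\n' "$r"; return; fi
    rpm_vercmp "$ar" "$br"
}

# Succeed if the installed build is at or above the fixed build, fail otherwise.
# $1: installed VERSION-RELEASE, e.g. from: rpm -q --qf '%{VERSION}-%{RELEASE}\n' sudo
# $2: fixed VERSION-RELEASE taken from the advisory for that product
sudo_is_fixed() {
    [ "$(nvr_cmp "$1" "$2")" -ge 0 ]
}

# Constructed sample values (NOT the real NVRs from RHSA-2017:1382):
INSTALLED_NVR="1.8.6p7-22.el7_3"
FIXED_NVR="1.8.6p7-23.el7_3"
if sudo_is_fixed "$INSTALLED_NVR" "$FIXED_NVR"; then
    echo "sudo $INSTALLED_NVR is at or above $FIXED_NVR"
else
    echo "Vulnerable version still installed: sudo $INSTALLED_NVR (need >= $FIXED_NVR)"
fi
```

On a live host the installed string comes from the rpm query shown in the comment, and the fixed string from the advisory listed for that product in the table above; a check that only tests the upstream version against the 1.8.6p7 to 1.8.20 range would misjudge the backported Red Hat builds, which is the confusion raised in the comments below.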
9 Comments
According to https://www.sudo.ws/alerts/linux_tty.html this sudo vulnerability can only be effective in case SELinux is enabled. Does this mean only enforcing mode or permissive mode too?
Hi Jaroslav,
Our analysis team reviewed this aspect. We can confirm that this issue with sudo would be there independent of using SELinux in either enforcing or permissive mode.
The article has been updated to clearly state that sudo is compiled with SELinux support, and that our default installation has SELinux enabled by default.
Regards, Cliff
Just to verify, if SELinux is in disabled mode, this vulnerability in sudo cannot be exploited?
I am asking because I ran the cve-2017-1000367.sh script on a RHEL6 system with SELinux disabled, and the script said sudo was vulnerable.
Thanks
Andy,
The script checks if sudo is installed and then compares it against the vulnerable versions. It does run a POC or check to see if SELinux is enabled on the system. So in your case you have a version of sudo installed that is considered to be vulnerable and you should update to protect your systems.
There is no POC check nor is there a check to see if SELinux is enabled on the box in version 1.0 of the cve-2017-1000367.sh script. Version 1.0 is the latest version of the script as of this writing.
Here's what the script does.
Is there a later version of the script that hasn't been released?
And, again, is a box vulnerable if SELinux is set to disabled?
Hi,
It is our strong recommendation, irrespective of SELinux, to apply the fixed RPMs to systems that you manage.
Regards,
Cliff, I understand the recommendation is to patch. However, can you just reply to the direct question Wayne asked? "Is the box vulnerable if SELinux is disabled". The answer is important to people that maintain large PRODUCTION systems (i.e. to prioritize when the patch gets applied). If we know the boxes are not vulnerable if SELinux is disabled then we can focus first on the boxes with SELinux enabled.
Thanks and kind regards,
Cosmin
Alert description page states: "Sudo versions affected: Sudo 1.8.6p7 through 1.8.20 inclusive."
But the RH provided "diagnose" script (which can be downloaded [here](https://access.redhat.com/sites/default/files/cve-2017-1000367.sh)) detects as "vulnerable" a much wider range of versions:
Could someone clarify?
Red Hat does backport bug fixes, features and capabilities, and so we cannot depend solely on upstream guidance. https://access.redhat.com/security/updates/backporting
During our code review all newest versions have the impacted code within our packages, including the 1.7 sudo RHEL 5 packages. We recommend applying the fix to your systems.
Regards,