CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2019-19234 – sudo: by using ! character in the shadow file instead of a password hash can access to a run as all sudoer account
https://notcve.org/view.php?id=CVE-2019-19234
In Sudo through 1.8.29, the fact that a user has been blocked (e.g., by using the ! character in the shadow file instead of a password hash) is not considered, allowing an attacker (who has access to a Runas ALL sudoer account) to impersonate any blocked user. NOTE: The software maintainer believes that this CVE is not valid. Disabling local password authentication for a user is not the same as disabling all access to that user--the user may still be able to login via other means (ssh key, kerberos, etc). Both the Linux shadow(5) and passwd(1) manuals are clear on this. • https://access.redhat.com/security/cve/cve-2019-19234 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I6TKF36KOQUVJNBHSVJFA7BU3CCEYD2F https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IY6DZ7WMDKU4ZDML6MJLDAPG42B5WVUC https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs58104 https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs58473 https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs58772 https://quickview.cloudapps.cisco.com/quickview& • CWE-284: Improper Access Control •
CVSS: 7.0EPSS: 0%CPEs: 1EXPL: 1CVE-2019-18684
https://notcve.org/view.php?id=CVE-2019-18684
Sudo through 1.8.29 allows local users to escalate to root if they have write access to file descriptor 3 of the sudo process. This occurs because of a race condition between determining a uid, and the setresuid and openat system calls. The attacker can write "ALL ALL=(ALL) NOPASSWD:ALL" to /proc/#####/fd/3 at a time when Sudo is prompting for a password. NOTE: This has been disputed due to the way Linux /proc works. It has been argued that writing to /proc/#####/fd/3 would only be viable if you had permission to write to /etc/sudoers. • https://gist.github.com/oxagast/51171aa161074188a11d96cbef884bbd • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVSS: 9.0EPSS: 25%CPEs: 47EXPL: 21CVE-2019-14287 – sudo 1.8.27 - Security Bypass
https://notcve.org/view.php?id=CVE-2019-14287
In Sudo before 1.8.28, an attacker with access to a Runas ALL sudoer account can bypass certain policy blacklists and session PAM modules, and can cause incorrect logging, by invoking sudo with a crafted user ID. For example, this allows bypass of !root configuration, and USER= logging, for a "sudo -u \#$((0xffffffff))" command. En Sudo anteriores a 1.8.28, un atacante con acceso a una cuenta Runas ALL sudoer puede omitir ciertas listas negras de políticas y módulos PAM de sesión, y puede causar un registro incorrecto, mediante la invocación sudo con un ID de usuario creado. Por ejemplo, esto permite la omisión de la configuración root y el registro USER= para un comando "sudo -u \#$((0xffffffff))". • https://www.exploit-db.com/exploits/47502 https://github.com/n0w4n/CVE-2019-14287 https://github.com/shallvhack/Sudo-Security-Bypass-CVE-2019-14287 https://github.com/CMNatic/Dockerized-CVE-2019-14287 https://github.com/axax002/sudo-vulnerability-CVE-2019-14287 https://github.com/N3rdyN3xus/CVE-2019-14287 https://github.com/DewmiApsara/CVE-2019-14287 https://github.com/MariliaMeira/CVE-2019-14287 https://github.com/edsonjt81/CVE-2019-14287- https://github.com/SachinthaDeSilva-cmd& • CWE-267: Privilege Defined With Unsafe Actions CWE-755: Improper Handling of Exceptional Conditions •
CVSS: 8.2EPSS: 0%CPEs: 2EXPL: 0CVE-2017-1000368 – sudo: Privilege escalation via improper get_process_ttyname() parsing (insufficient fix for CVE-2017-1000367)
https://notcve.org/view.php?id=CVE-2017-1000368
Todd Miller's sudo version 1.8.20p1 and earlier is vulnerable to an input validation (embedded newlines) in the get_process_ttyname() function resulting in information disclosure and command execution. La versión 1.8.20p1 y anteriores de sudo de Todd Miller es vulnerable a una validación de entradas (nuevas líneas embebidas) en la función get_process_ttyname() que da lugar a una revelación de información y la ejecución de comandos. It was found that the original fix for CVE-2017-1000367 was incomplete. A flaw was found in the way sudo parsed tty information from the process status file in the proc filesystem. A local user with privileges to execute commands via sudo could use this flaw to escalate their privileges to root. • http://www.securityfocus.com/bid/98838 https://access.redhat.com/errata/RHSA-2017:1574 https://kc.mcafee.com/corporate/index?page=content&id=SB10205 https://security.gentoo.org/glsa/201710-04 https://usn.ubuntu.com/3968-1 https://usn.ubuntu.com/3968-2 https://www.sudo.ws/alerts/linux_tty.html https://access.redhat.com/security/cve/CVE-2017-1000368 https://bugzilla.redhat.com/show_bug.cgi?id=1459152 https://access.redhat.com/security/cve/CVE-2017-1000367 https:& • CWE-20: Improper Input Validation •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 6CVE-2017-1000367 – Sudo 1.8.20 - 'get_process_ttyname()' Local Privilege Escalation
https://notcve.org/view.php?id=CVE-2017-1000367
Todd Miller's sudo version 1.8.20 and earlier is vulnerable to an input validation (embedded spaces) in the get_process_ttyname() function resulting in information disclosure and command execution. Un Sudo de Todd Miller’s versión 1.8.20 y anteriores es vulnerable a una validación de entrada (espacios insertados) en la función get_process_ttyname(), resultando en la divulgación de información y la ejecución de comandos. A flaw was found in the way sudo parsed tty information from the process status file in the proc filesystem. A local user with privileges to execute commands via sudo could use this flaw to escalate their privileges to root. sudo version 1.8.20 and earlier is vulnerable to an input validation (embedded spaces) in the get_process_ttyname() function resulting in information disclosure and command execution. • https://www.exploit-db.com/exploits/42183 https://github.com/c0d3z3r0/sudo-CVE-2017-1000367 https://github.com/homjxi0e/CVE-2017-1000367 http://lists.opensuse.org/opensuse-security-announce/2017-05/msg00077.html http://lists.opensuse.org/opensuse-security-announce/2017-05/msg00078.html http://lists.opensuse.org/opensuse-security-announce/2017-05/msg00079.html http://packetstormsecurity.com/files/142783/Sudo-get_process_ttyname-Race-Condition.html http://seclists.org/fulldisclosure/2017/Jun/3 http& • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') CWE-807: Reliance on Untrusted Inputs in a Security Decision •