CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2019-19232 – sudo: attacker with access to a Runas ALL sudoer account can impersonate a nonexistent user
https://notcve.org/view.php?id=CVE-2019-19232
In Sudo through 1.8.29, an attacker with access to a Runas ALL sudoer account can impersonate a nonexistent user by invoking sudo with a numeric uid that is not associated with any user. NOTE: The software maintainer believes that this is not a vulnerability because running a command via sudo as a user not present in the local password database is an intentional feature. Because this behavior surprised some users, sudo 1.8.30 introduced an option to enable/disable this behavior with the default being disabled. However, this does not change the fact that sudo was behaving as intended, and as documented, in earlier versions ** EN DISPUTA ** En Sudo hasta 1.8.29, un atacante con acceso a una cuenta de sudoer Runas ALL puede suplantar a un usuario inexistente invocando sudo con un uid numérico que no está asociado con ningún usuario. NOTA: El responsable del software cree que esto no es una vulnerabilidad porque ejecutar un comando a través de sudo como un usuario que no está presente en la base de datos de contraseñas local es una característica intencional. • http://seclists.org/fulldisclosure/2020/Mar/31 https://access.redhat.com/security/cve/cve-2019-19232 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I6TKF36KOQUVJNBHSVJFA7BU3CCEYD2F https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IY6DZ7WMDKU4ZDML6MJLDAPG42B5WVUC https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs58103 https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs58812 https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs • CWE-284: Improper Access Control •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2019-19234 – sudo: by using ! character in the shadow file instead of a password hash can access to a run as all sudoer account
https://notcve.org/view.php?id=CVE-2019-19234
In Sudo through 1.8.29, the fact that a user has been blocked (e.g., by using the ! character in the shadow file instead of a password hash) is not considered, allowing an attacker (who has access to a Runas ALL sudoer account) to impersonate any blocked user. NOTE: The software maintainer believes that this CVE is not valid. Disabling local password authentication for a user is not the same as disabling all access to that user--the user may still be able to login via other means (ssh key, kerberos, etc). Both the Linux shadow(5) and passwd(1) manuals are clear on this. • https://access.redhat.com/security/cve/cve-2019-19234 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I6TKF36KOQUVJNBHSVJFA7BU3CCEYD2F https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IY6DZ7WMDKU4ZDML6MJLDAPG42B5WVUC https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs58104 https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs58473 https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs58772 https://quickview.cloudapps.cisco.com/quickview& • CWE-284: Improper Access Control •
CVSS: 7.0EPSS: 0%CPEs: 1EXPL: 1CVE-2019-18684
https://notcve.org/view.php?id=CVE-2019-18684
Sudo through 1.8.29 allows local users to escalate to root if they have write access to file descriptor 3 of the sudo process. This occurs because of a race condition between determining a uid, and the setresuid and openat system calls. The attacker can write "ALL ALL=(ALL) NOPASSWD:ALL" to /proc/#####/fd/3 at a time when Sudo is prompting for a password. NOTE: This has been disputed due to the way Linux /proc works. It has been argued that writing to /proc/#####/fd/3 would only be viable if you had permission to write to /etc/sudoers. • https://gist.github.com/oxagast/51171aa161074188a11d96cbef884bbd • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVSS: 9.0EPSS: 25%CPEs: 47EXPL: 21CVE-2019-14287 – sudo 1.8.27 - Security Bypass
https://notcve.org/view.php?id=CVE-2019-14287
In Sudo before 1.8.28, an attacker with access to a Runas ALL sudoer account can bypass certain policy blacklists and session PAM modules, and can cause incorrect logging, by invoking sudo with a crafted user ID. For example, this allows bypass of !root configuration, and USER= logging, for a "sudo -u \#$((0xffffffff))" command. En Sudo anteriores a 1.8.28, un atacante con acceso a una cuenta Runas ALL sudoer puede omitir ciertas listas negras de políticas y módulos PAM de sesión, y puede causar un registro incorrecto, mediante la invocación sudo con un ID de usuario creado. Por ejemplo, esto permite la omisión de la configuración root y el registro USER= para un comando "sudo -u \#$((0xffffffff))". • https://www.exploit-db.com/exploits/47502 https://github.com/n0w4n/CVE-2019-14287 https://github.com/shallvhack/Sudo-Security-Bypass-CVE-2019-14287 https://github.com/CMNatic/Dockerized-CVE-2019-14287 https://github.com/axax002/sudo-vulnerability-CVE-2019-14287 https://github.com/N3rdyN3xus/CVE-2019-14287 https://github.com/DewmiApsara/CVE-2019-14287 https://github.com/MariliaMeira/CVE-2019-14287 https://github.com/edsonjt81/CVE-2019-14287- https://github.com/SachinthaDeSilva-cmd& • CWE-267: Privilege Defined With Unsafe Actions CWE-755: Improper Handling of Exceptional Conditions •
CVSS: 8.2EPSS: 0%CPEs: 2EXPL: 0CVE-2017-1000368 – sudo: Privilege escalation via improper get_process_ttyname() parsing (insufficient fix for CVE-2017-1000367)
https://notcve.org/view.php?id=CVE-2017-1000368
Todd Miller's sudo version 1.8.20p1 and earlier is vulnerable to an input validation (embedded newlines) in the get_process_ttyname() function resulting in information disclosure and command execution. La versión 1.8.20p1 y anteriores de sudo de Todd Miller es vulnerable a una validación de entradas (nuevas líneas embebidas) en la función get_process_ttyname() que da lugar a una revelación de información y la ejecución de comandos. It was found that the original fix for CVE-2017-1000367 was incomplete. A flaw was found in the way sudo parsed tty information from the process status file in the proc filesystem. A local user with privileges to execute commands via sudo could use this flaw to escalate their privileges to root. • http://www.securityfocus.com/bid/98838 https://access.redhat.com/errata/RHSA-2017:1574 https://kc.mcafee.com/corporate/index?page=content&id=SB10205 https://security.gentoo.org/glsa/201710-04 https://usn.ubuntu.com/3968-1 https://usn.ubuntu.com/3968-2 https://www.sudo.ws/alerts/linux_tty.html https://access.redhat.com/security/cve/CVE-2017-1000368 https://bugzilla.redhat.com/show_bug.cgi?id=1459152 https://access.redhat.com/security/cve/CVE-2017-1000367 https:& • CWE-20: Improper Input Validation •