CVE-2023-7090 – Sudo: improper handling of ipa_hostname leads to privilege mismanagement
https://notcve.org/view.php?id=CVE-2023-7090
A flaw was found in sudo in the handling of ipa_hostname: the ipa_hostname value from /etc/sssd/sssd.conf was not propagated into sudo. This leads to a privilege-mismanagement vulnerability in which client hosts retain privileges even after those privileges have been retracted.
References: https://access.redhat.com/security/cve/CVE-2023-7090 https://bugzilla.redhat.com/show_bug.cgi?id=2255723 https://lists.debian.org/debian-lts-announce/2024/02/msg00002.html https://security.netapp.com/advisory/ntap-20240208-0001 https://www.sudo.ws/releases/legacy/#1.8.28
Weakness: CWE-269: Improper Privilege Management
CVE-2023-42465 – sudo: Targeted Corruption of Register and Stack Variables
https://notcve.org/view.php?id=CVE-2023-42465
Sudo before 1.9.15 might allow row hammer attacks (for authentication bypass or privilege escalation) because application logic is sometimes based on a value not equaling an error value (instead of equaling a success value), and because the values in use do not resist single-bit flips. A flaw was found in the sudo package: this issue could allow a local authenticated attacker to cause a bit to flip, which enables fault injection and may allow authentication as the root user.
References: https://arxiv.org/abs/2309.02545 https://github.com/sudo-project/sudo/commit/7873f8334c8d31031f8cfa83bd97ac6029309e4f https://github.com/sudo-project/sudo/releases/tag/SUDO_1_9_15 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R4Q23NHCKCLFIHSNY6KJ27GM7FSCEVXM https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/U6XMRUJCPII4MPWG43HTYR76DGLEYEFZ https://security.gentoo.org/glsa/202401-29 https://security.netapp.com/advisory/ntap-20240208-0002
Weakness: CWE-1319: Improper Protection against Electromagnetic Fault Injection (EM-FI)
CVE-2023-42456 – sudo-rs Session File Relative Path Traversal vulnerability
https://notcve.org/view.php?id=CVE-2023-42456
Sudo-rs, a memory-safe implementation of sudo and su, does not require users to authenticate at every sudo attempt; instead, authentication is only required periodically in each terminal or process group, and the user must re-authenticate only once a configurable timeout has passed. This functionality is supported by a set of per-user session files (timestamps) stored in `/var/run/sudo-rs/ts`. These files are named after the username from which the sudo attempt is made (the origin user). An issue was discovered in versions prior to 0.2.1 where usernames containing the `.` and `/` characters could result in the corruption of specific files on the filesystem. Because usernames are generally not limited in the characters they may contain, a username that looks like a relative path can be constructed.
References: http://www.openwall.com/lists/oss-security/2023/11/02/1 https://ferrous-systems.com/blog/sudo-rs-audit https://github.com/memorysafety/sudo-rs/commit/bfdbda22968e3de43fa8246cab1681cfd5d5493d https://github.com/memorysafety/sudo-rs/security/advisories/GHSA-2r3c-m6v7-9354
Weaknesses: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'); CWE-23: Relative Path Traversal
CVE-2023-28487 – sudo: Sudo does not escape control characters in sudoreplay output
https://notcve.org/view.php?id=CVE-2023-28487
Sudo before 1.9.13 does not escape control characters in sudoreplay output. A flaw was found in the sudo package, shipped with Red Hat Enterprise Linux 8 and 9, where the "sudoreplay -l" command improperly escapes terminal control characters. As sudo's log messages may contain user-controlled strings, this could allow an attacker to inject terminal control commands, leading to a leak of restricted information.
References: https://github.com/sudo-project/sudo/commit/334daf92b31b79ce68ed75e2ee14fca265f029ca https://github.com/sudo-project/sudo/releases/tag/SUDO_1_9_13 https://lists.debian.org/debian-lts-announce/2024/02/msg00002.html https://security.gentoo.org/glsa/202309-12 https://security.netapp.com/advisory/ntap-20230420-0002 https://access.redhat.com/security/cve/CVE-2023-28487 https://bugzilla.redhat.com/show_bug.cgi?id=2179273
Weaknesses: CWE-116: Improper Encoding or Escaping of Output; CWE-117: Improper Output Neutralization for Logs
CVE-2023-28486 – sudo: Sudo does not escape control characters in log messages
https://notcve.org/view.php?id=CVE-2023-28486
Sudo before 1.9.13 does not escape control characters in log messages. A flaw was found in the sudo package, shipped with Red Hat Enterprise Linux 8 and 9, where sudo improperly escapes terminal control characters during logging operations. As sudo's log messages may contain user-controlled strings, this may allow an attacker to inject terminal control commands, leading to a leak of restricted information.
References: https://github.com/sudo-project/sudo/commit/334daf92b31b79ce68ed75e2ee14fca265f029ca https://github.com/sudo-project/sudo/releases/tag/SUDO_1_9_13 https://lists.debian.org/debian-lts-announce/2024/02/msg00002.html https://security.gentoo.org/glsa/202309-12 https://security.netapp.com/advisory/ntap-20230420-0002 https://access.redhat.com/security/cve/CVE-2023-28486 https://bugzilla.redhat.com/show_bug.cgi?id=2179272
Weaknesses: CWE-116: Improper Encoding or Escaping of Output; CWE-117: Improper Output Neutralization for Logs