// For flags

CVE-2019-19232

sudo: attacker with access to a Runas ALL sudoer account can impersonate a nonexistent user

Severity Score

7.5
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

In Sudo through 1.8.29, an attacker with access to a Runas ALL sudoer account can impersonate a nonexistent user by invoking sudo with a numeric uid that is not associated with any user. NOTE: The software maintainer believes that this is not a vulnerability because running a command via sudo as a user not present in the local password database is an intentional feature. Because this behavior surprised some users, sudo 1.8.30 introduced an option to enable/disable this behavior with the default being disabled. However, this does not change the fact that sudo was behaving as intended, and as documented, in earlier versions

** EN DISPUTA ** En Sudo hasta 1.8.29, un atacante con acceso a una cuenta de sudoer Runas ALL puede suplantar a un usuario inexistente invocando sudo con un uid numérico que no está asociado con ningún usuario. NOTA: El responsable del software cree que esto no es una vulnerabilidad porque ejecutar un comando a través de sudo como un usuario que no está presente en la base de datos de contraseñas local es una característica intencional. Debido a que este comportamiento sorprendió a algunos usuarios, sudo 1.8.30 introdujo una opción para habilitar / deshabilitar este comportamiento con el valor predeterminado deshabilitado. Sin embargo, esto no cambia el hecho de que sudo se estaba comportando según lo previsto, y según lo documentado, en versiones anteriores.

It was found that sudo always allowed commands to be run with unknown user or group ids if the sudo configuration allowed it for example via the "ALL" alias. This could allow sudo to impersonate non-existent account and depending on how applications are configured, could lead to certain restriction bypass. This is now explicitly disabled. A new setting called "allow_unknown_runas_id" was introduced in order to enable this.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Network
Attack Complexity
Low
Authentication
None
Confidentiality
None
Integrity
Partial
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2019-11-22 CVE Reserved
  • 2019-12-19 CVE Published
  • 2024-04-13 EPSS Updated
  • 2024-08-05 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-284: Improper Access Control
CAPEC
References (20)
URL Date SRC
URL Date SRC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Sudo
Search vendor "Sudo"
Sudo
Search vendor "Sudo" for product "Sudo"
<= 1.8.29
Search vendor "Sudo" for product "Sudo" and version " <= 1.8.29"
-
Affected