// For flags

CVE-2019-19234

sudo: by using ! character in the shadow file instead of a password hash can access to a run as all sudoer account

Severity Score

7.5
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

In Sudo through 1.8.29, the fact that a user has been blocked (e.g., by using the ! character in the shadow file instead of a password hash) is not considered, allowing an attacker (who has access to a Runas ALL sudoer account) to impersonate any blocked user. NOTE: The software maintainer believes that this CVE is not valid. Disabling local password authentication for a user is not the same as disabling all access to that user--the user may still be able to login via other means (ssh key, kerberos, etc). Both the Linux shadow(5) and passwd(1) manuals are clear on this. Indeed it is a valid use case to have local accounts that are _only_ accessible via sudo and that cannot be logged into with a password. Sudo 1.8.30 added an optional setting to check the _shell_ of the target user (not the encrypted password!) against the contents of /etc/shells but that is not the same thing as preventing access to users with an invalid password hash

** EN DISPUTA ** En Sudo hasta la versión 1.8.29, no se considera el hecho de que un usuario haya sido bloqueado (por ejemplo, al usar el carácter! En el archivo de sombra en lugar de un hash de contraseña), lo que permite que un atacante (que tiene acceso a una cuenta de sudoer Runas ALL) para suplantar a cualquier usuario bloqueado. NOTA: El responsable del software cree que este CVE no es válido. Deshabilitar la autenticación de contraseña local para un usuario no es lo mismo que deshabilitar todo acceso a ese usuario; el usuario aún puede iniciar sesión por otros medios (clave ssh, kerberos, etc.). Tanto los manuales Linux shadow (5) como passwd (1) son claros al respecto. De hecho, es un caso de uso válido tener cuentas locales a las que solo se puede acceder mediante sudo y que no se pueden iniciar sesión con una contraseña. Sudo 1.8.30 agregó una configuración opcional para verificar el _shell_ del usuario objetivo (¡no la contraseña cifrada!) Contra el contenido de / etc / shells, pero eso no es lo mismo que impedir el acceso a los usuarios con un hash de contraseña no válido.

When an account is disabled via the shadow file, by replacing the password hash with "!", it is not considered disabled by sudo. And depending on the configuration, sudo can be run by using such disabled account.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None
Attack Vector
Network
Attack Complexity
Low
Authentication
None
Confidentiality
None
Integrity
Partial
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2019-11-22 CVE Reserved
  • 2019-12-19 CVE Published
  • 2024-04-13 EPSS Updated
  • 2024-08-05 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-284: Improper Access Control
CAPEC
References (21)
URL Tag Source
https://access.redhat.com/security/cve/cve-2019-19234 X_refsource_confirm
https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs58104 X_refsource_misc
https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs58473 X_refsource_misc
https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs58772 X_refsource_misc
https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs58812 X_refsource_misc
https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs58979 X_refsource_misc
https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs60748 X_refsource_misc
https://security.netapp.com/advisory/ntap-20200103-0004 X_refsource_confirm
https://support2.windriver.com/index.php?page=cve&on=view&id=CVE-2019-19234 X_refsource_confirm
https://support2.windriver.com/index.php?page=defects&on=view&id=LIN1018-5505 X_refsource_misc
https://support2.windriver.com/index.php?page=defects&on=view&id=LIN1019-3816 X_refsource_misc
https://www.bsi.bund.de/SharedDocs/Warnmeldungen/DE/CB/2019/12/warnmeldung_cb-k20-0001.html X_refsource_misc
https://www.oracle.com/security-alerts/bulletinapr2020.html X_refsource_confirm
https://www.suse.com/security/cve/CVE-2019-19234 X_refsource_confirm
https://www.tenable.com/plugins/nessus/132985 X_refsource_misc
URL Date SRC
URL Date SRC
URL Date SRC
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I6TKF36KOQUVJNBHSVJFA7BU3CCEYD2F 2024-05-17
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IY6DZ7WMDKU4ZDML6MJLDAPG42B5WVUC 2024-05-17
https://www.sudo.ws/devel.html#1.8.30b2 2024-05-17
https://www.sudo.ws/stable.html 2024-05-17
https://access.redhat.com/security/cve/CVE-2019-19234 2020-04-28
https://bugzilla.redhat.com/show_bug.cgi?id=1786708 2020-04-28
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Sudo
Search vendor "Sudo"
 Sudo
Search vendor "Sudo" for product "Sudo"
 <= 1.8.29
Search vendor "Sudo" for product "Sudo" and version " <= 1.8.29"
-
Affected