CVE-2023-22809
sudo 1.8.0 to 1.9.12p1 - Privilege Escalation
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
12Exploited in Wild
-Decision
Descriptions
In Sudo before 1.9.12p2, the sudoedit (aka -e) feature mishandles extra arguments passed in the user-provided environment variables (SUDO_EDITOR, VISUAL, and EDITOR), allowing a local attacker to append arbitrary entries to the list of files to process. This can lead to privilege escalation. Affected versions are 1.8.0 through 1.9.12.p1. The problem exists because a user-specified editor may contain a "--" argument that defeats a protection mechanism, e.g., an EDITOR='vim -- /path/to/extra/file' value.
En Sudo anterior a 1.9.12p2, la función sudoedit (también conocida como -e) maneja mal argumentos adicionales pasados en las variables de entorno proporcionadas por el usuario (SUDO_EDITOR, VISUAL y EDITOR), permitiendo a un atacante local agregar entradas arbitrarias a la lista de archivos para procesar. . Esto puede conducir a una escalada de privilegios. Las versiones afectadas son 1.8.0 a 1.9.12.p1. El problema existe porque un editor especificado por el usuario puede contener un argumento "--" que anula un mecanismo de protección, por ejemplo, un valor EDITOR='vim -- /path/to/extra/file'.
A vulnerability was found in sudo. Exposure in how sudoedit handles user-provided environment variables leads to arbitrary file writing with privileges of the RunAs user (usually root). The prerequisite for exploitation is that the current user must be authorized by the sudoers policy to edit a file using sudoedit.
Cisco ThousandEyes Enterprise Agent Virtual Appliance version thousandeyes-va-64-18.04 0.218 suffers from an unpatched vulnerability in sudoedit, allowed by sudo configuration, which permits a low-privilege user to modify arbitrary files as root and subsequently execute arbitrary commands as root.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2023-01-06 CVE Reserved
- 2023-01-18 CVE Published
- 2023-02-15 First Exploit
- 2023-11-18 EPSS Updated
- 2024-08-02 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-269: Improper Privilege Management
CAPEC
References (25)
| URL | Tag | Source |
|---|---|---|
| http://packetstormsecurity.com/files/171644/sudo-1.9.12p1-Privilege-Escalation.html | Third Party Advisory |
|
| http://packetstormsecurity.com/files/172509/Sudoedit-Extra-Arguments-Privilege-Escalation.html | Third Party Advisory |
|
| http://packetstormsecurity.com/files/174234/Cisco-ThousandEyes-Enterprise-Agent-Virtual-Appliance-Arbitrary-File-Modification.html | Third Party Advisory |
|
| http://seclists.org/fulldisclosure/2023/Aug/21 | Mailing List |
|
| https://lists.debian.org/debian-lts-announce/2023/01/msg00012.html | Mailing List |
|
| https://security.netapp.com/advisory/ntap-20230127-0015 | Third Party Advisory |
|
| https://support.apple.com/kb/HT213758 | Third Party Advisory |
|
| URL | Date | SRC |
|---|---|---|
| https://www.exploit-db.com/exploits/51217 | 2023-04-03 | |
| https://github.com/n3m1sys/CVE-2023-22809-sudoedit-privesc | 2023-02-15 | |
| https://github.com/Chan9Yan9/CVE-2023-22809 | 2023-06-20 | |
| https://github.com/Toothless5143/CVE-2023-22809 | 2023-09-03 | |
| https://github.com/3yujw7njai/CVE-2023-22809-sudo-POC | 2023-04-06 | |
| https://github.com/pashayogi/CVE-2023-22809 | 2023-06-25 | |
| https://github.com/M4fiaB0y/CVE-2023-22809 | 2023-02-22 | |
| https://github.com/asepsaepdin/CVE-2023-22809 | 2023-07-13 | |
| https://github.com/AntiVlad/CVE-2023-22809 | 2024-08-14 | |
| http://www.openwall.com/lists/oss-security/2023/01/19/1 | 2024-08-02 | |
| https://www.sudo.ws/security/advisories/sudoedit_any | 2024-08-02 | |
| https://www.synacktiv.com/sites/default/files/2023-01/sudo-CVE-2023-22809.pdf | 2024-08-02 |
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Sudo Project Search vendor "Sudo Project" | Sudo Search vendor "Sudo Project" for product "Sudo" | >= 1.8.0 < 1.9.12 Search vendor "Sudo Project" for product "Sudo" and version " >= 1.8.0 < 1.9.12" | - |
Affected
| ||||||
| Sudo Project Search vendor "Sudo Project" | Sudo Search vendor "Sudo Project" for product "Sudo" | 1.9.12 Search vendor "Sudo Project" for product "Sudo" and version "1.9.12" | - |
Affected
| ||||||
| Sudo Project Search vendor "Sudo Project" | Sudo Search vendor "Sudo Project" for product "Sudo" | 1.9.12 Search vendor "Sudo Project" for product "Sudo" and version "1.9.12" | p1 |
Affected
| ||||||
| Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 10.0 Search vendor "Debian" for product "Debian Linux" and version "10.0" | - |
Affected
| ||||||
| Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 11.0 Search vendor "Debian" for product "Debian Linux" and version "11.0" | - |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 36 Search vendor "Fedoraproject" for product "Fedora" and version "36" | - |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 37 Search vendor "Fedoraproject" for product "Fedora" and version "37" | - |
Affected
| ||||||
| Apple Search vendor "Apple" | Macos Search vendor "Apple" for product "Macos" | < 13.4 Search vendor "Apple" for product "Macos" and version " < 13.4" | - |
Affected
| ||||||