Update and patch Linux Sever Now (Sudo Bug) ( CVE-2017-1000367)
May 30, 2017
On Linux systems, sudo parses the /proc/[pid]/stat file to determine the device number of the process’s tty (field 7). The fields in the file are space-delimited, but it is possible for the command name (field 2) to include spaces, which sudo does not account for. A user with sudo privileges can cause sudo to use a device number of the user’s choosing by creating a symbolic link from the sudo binary to a name that contains a space, followed by a number.
If SELinux is enabled on the system and sudo was built with SELinux support, a user with sudo privileges may be able to to overwrite an arbitrary file. This can be escalated to full root access by rewriting a trusted file such as /etc/shadow or even /etc/sudoers.
Sudo versions affected:
Sudo 1.8.6p7 through 1.8.20 inclusive.
This vulnerability has been assigned CVE-2017-1000367 in the Common Vulnerabilities and Exposures database.
Exploiting the bug requires that the user already have sudo privileges. SELinux must also be enabled on the system and sudo must have been built with SELinux support.
To exploit the bug, the user can choose a device number that does not currently exist under /dev. If sudo does not find the terminal under the /dev/pts directory, it performs a breadth-first search of /dev. It is possible to allocate a pseudo-terminal after sudo has checked /dev/pts but before sudo performs its breadth-first search of /dev. The attacker may then create a symbolic link to the newly-created device in a world-writable directory under /dev, such as /dev/shm.
This file will be used as the command’s standard input, output and error when an SELinux role is specified on the sudo command line. If the symbolic link under /dev/shm is replaced with a link to an another file before it is opened by sudo, it is possible to overwrite an arbitrary file by writing to the standard output or standard error. This can be escalated to full root access by rewriting a trusted file such as /etc/shadow or even /etc/sudoers.
For more details on exploitation, please see the Qualys Security Advisory.
The bug is fixed in sudo 1.8.20p1.
This bug was discovered and analyzed by Qualys, Inc.
A list of affected Linux distro
Red Hat Enterprise Linux 6 (sudo)
Red Hat Enterprise Linux 7 (sudo)
Red Hat Enterprise Linux Server (v. 5 ELS) (sudo)
Ubuntu 16.04 LTS
Ubuntu 14.04 LTS
SUSE Linux Enterprise Software Development Kit 12-SP2
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2
SUSE Linux Enterprise Server 12-SP2
SUSE Linux Enterprise Desktop 12-SP2
How do I patch sudo on Debian/Ubuntu Linux server?
To patch Ubuntu/Debian Linux apt-get command or apt command:
$ sudo apt update $ sudo apt upgrade
How do I patch sudo on CentOS/RHEL/Scientific Linux server?
Run yum command:
$ sudo yum update
How do I patch sudo on Fedora Linux server?
Run dnf command:
$ sudo dnf update
How do I patch sudo on Suse/OpenSUSE Linux server?
Run zypper command:
$ sudo zypper update
How do I patch sudo on Arch Linux server?
Run pacman command:
$ sudo pacman -Syu
How do I patch sudo on Alpine Linux server?
Run apk command:
# apk update && apk upgrade
Learn more at https://www.sudo.ws/alerts/linux_tty.html
Leave a ReplyWant to join the discussion?
Feel free to contribute!