
Irony alert. Newly discovered sudo vulnerability affects only the most secure Linux servers.


If you want your Linux server to be really secure, you defend it with SELinux. Many sysadmins do not bother because SELinux can be difficult to set up. But, if you really want to nail down your server, you use SELinux. This makes the newly discovered Linux security hole, a sudo bug that only hits SELinux-protected systems, all the more annoying.

Sudo enables users to run commands as root or another user, while simultaneously providing an audit trail of these commands. It is essential for day-in, day-out Linux work. Qualys, a well-regarded security company, discovered this essential command – but only on systems with SELinux enabled – can be abused to give the user full root-user capabilities.

Or, as they would say on the Outer Limits, "We will control the horizontal. We will control the vertical." This is not what you want to see on your Linux server.

In a note to the OpenWall open-source security list, Qualys explained: "On an SELinux-enabled system, if a user is Sudoer for a command that does not grant him full root privileges, he can overwrite any file on the filesystem (including root-owned files) with his command's output, because relabel_tty() (in src/selinux.c) calls open(O_RDWR|O_NONBLOCK) on his tty and dup2()s it to the command's stdin, stdout, and stderr. This allows any Sudoer user to obtain full root privileges."

Specifically, this works by enabling a trusted user to overwrite an arbitrary file by writing to the standard output or standard error. This can be escalated to full root access by rewriting a trusted file such as /etc/shadow or even /etc/sudoers.

For attacks over this vector (CVE-2017-1000367) to work, a user must already have access to the server and the ability to run sudo. Still, if you have gone to the trouble to protect a server with SELinux, you do not want there to be any chance that someone could run rampant over it.

The security hole exists in sudo 1.7.10 through 1.7.10p9 inclusive and sudo 1.8.5 through 1.8.20p1 inclusive. Sudo 1.7.10 was released in September 2012. Thus, all Linux distributions released in the last five years are vulnerable to this attack. There was also a patch release, sudo 1.8.20p1, where the fix was incomplete, because it did not handle malicious commands that contained a newline.
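As an added example (not from the article, Qualys, or the sudo project), here is a small Python checker that parses the installed sudo version and compares it against the two affected ranges stated above; the SELinux test, which simply looks for the mounted selinuxfs, is an assumption and only approximates "SELinux enabled".

```python
import os
import re
import subprocess

# Affected ranges as stated in the advisory summary above, inclusive at
# both ends, encoded as (major, minor, patch, p-level).
AFFECTED_RANGES = [
    ((1, 7, 10, 0), (1, 7, 10, 9)),   # 1.7.10 .. 1.7.10p9
    ((1, 8, 5, 0), (1, 8, 20, 1)),    # 1.8.5  .. 1.8.20p1
]

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?")


def parse_sudo_version(text):
    """Extract (major, minor, patch, p) from a version string or the
    first line of `sudo -V`. A release with no 'pN' suffix is p0, so
    1.8.20 sorts before 1.8.20p1 and after 1.8.19p2."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("no sudo version found in: %r" % text)
    major, minor, patch, p = m.groups()
    return (int(major), int(minor), int(patch), int(p or 0))


def is_affected(version_text):
    """True if the version falls inside one of the affected ranges."""
    v = parse_sudo_version(version_text)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def selinux_enabled():
    """Assumption: selinuxfs is mounted at /sys/fs/selinux when enabled."""
    return os.path.isdir("/sys/fs/selinux") and \
        os.path.exists("/sys/fs/selinux/enforce")


def installed_sudo_version():
    """Return the first line of `sudo -V` (e.g. 'Sudo version 1.8.20p2')."""
    out = subprocess.run(["sudo", "-V"], capture_output=True,
                         text=True, check=False).stdout
    return out.splitlines()[0] if out else ""


if __name__ == "__main__":
    ver = installed_sudo_version()
    print("sudo:", ver or "(not found)")
    print("SELinux enabled:", selinux_enabled())
    if ver:
        print("version in affected range:", is_affected(ver))
```

Distributions often backport the fix without changing the upstream version string, so treat a match as a prompt to check your vendor's advisory for CVE-2017-1000367 rather than as proof of exposure.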

That is the bad news. The good news is patches are available for almost all significant server Linux distributions. These include Debian, Red Hat, SUSE, and Ubuntu.

If you have not patched your server yet, do so.

Once Qualys believes sufficient time has passed for responsible sysadmins to have patched their systems, they will publish their sudo-to-root exploit, and a day or two later, hackers will release easy-to-run attack scripts.
