Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Wed, 27 Feb 2013 11:04:47 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: "Todd C. Miller" <Todd.Miller@...rtesan.com>
Subject: Re: CVE request: sudo authentication bypass when clock
 is reset

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 02/27/2013 09:23 AM, Todd C. Miller wrote:
> Sudo 1.8.6p7 and 1.7.10p7 are now available which include a fix
> for the following bug:
> 
> Sudo authentication bypass when clock is reset
> 
> Summary:
>     When a user successfully authenticates with sudo, a time stamp
>     file is updated to allow that user to continue running sudo
>     without requiring a password for a preset time period (five
>     minutes by default).  The user's time stamp file can be reset
>     using "sudo -k" or removed altogether via "sudo -K".
> 
>     A user who has sudo access and is able to control the local
>     clock (common in desktop environments) can run a command via
>     sudo without authenticating as long as they have previously
>     authenticated themselves at least once by running "sudo -k" and
>     then setting the clock to the epoch (1970-01-01 01:00:00).
> 
>     The vulnerability does not permit a user to run commands other
>     than those allowed by the sudoers policy.
> 
> Sudo versions affected:
>     Sudo 1.6.0 through 1.7.10p7 and sudo 1.8.0 through 1.8.6p7.
> 
> Details:
>     By default, sudo displays a lecture when the user's time stamp
>     file is not present.  In sudo 1.6, the -k option was changed
>     to reset the time stamp file to the epoch rather than remove
>     it to prevent the lecture from being displayed the next time
>     sudo was run.  No special case was added for handling a time
>     stamp file set to the epoch since the clock should never
>     legitimately be set to that value.
> 
>     However, there are two common ways for the clock to be reset
>     to the epoch.  The first way is when the clock is reset due to
>     a fully drained battery on some systems.  The other way is by
>     a user logged in to a desktop environment that allows changes
>     to the date and time.
> 
>     As long as the user has successfully run sudo before, they are
>     able to run "sudo -k" to reset the time stamp file.  This action
>     does not require a password and is not logged.  If the user is
>     also able to reset the date and time to the epoch (1970-01-01
>     01:00:00), they will be able to run sudo without having to
>     authenticate.
> 
> Impact:
>     The flaw may allow someone with physical access to a machine
>     that is not password-protected to run sudo commands without
>     knowing the logged in user's password.  On systems where sudo
>     is the principal way of running commands as root, such as on
>     Ubuntu and Mac OS X, there is a greater chance that the logged
>     in user has run sudo before and thus that an attack would
>     succeed.
> 
> Fix:
>     The bug is fixed in sudo 1.8.6p7 and 1.7.10p7.  These versions
>     will ignore a time stamp file that is set to the epoch.
> 
> Workaround:
>     Using "sudo -K" instead of "sudo -k" will completely remove the
>     time stamp file instead of just resetting it.
> 
> Credit:
>     I'd like to thank Marco Schoepl for finding and reporting this
>     long-standing bug.
> 

Please use CVE-2013-1775 for this issue.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJRLkq/AAoJEBYNRVNeJnmTiDcQANR8k6W1zRF1otKXMobCjS5P
Jost0kmGEC0M32NbR4CYXz//noUTsZR6Zbh1C4Kt/lsjARv7NkJgFKKUi6hqXoig
YGmUQtMDaI8Y8kmI09gr4XMrr/urmo0ifd8cWDULBxnPGT9zWbfpALXkJ5iI2bm2
tTIhKEaYz7nyqRxZkwDX8OTJ4glikhd+XfEeP1wqUxT6fsYFJu4o8yJyHkoCg2ML
cGfHm/nSf/Gg1I0Ze6VvDbg8zGeynPo3uCzHVL0sUbn3PXRYDAEF+gL0sOFPMjpw
ObJNjJxBUaHasZL7gLLGKdqzXOH19WzsAhXuizbeBC6qLytiKojakt2vfEcbKpE1
kvnb/RZUJgeJ713C2Zr7uTJ5IVP+k13f86lNUJA5TqKsbnTCPCHOlStgFIQFU3wa
sTQpfS+6h6wZI95UZ4WTA0In1PyoB9hNIK+5xpOXw5j7mau/jCuL773XgZc+yK6p
JgadFbfOY674ORPxrnBXNM6N9yCNQrvSRRmmr88efQo4U4SFx30cDZYrET7wsR5B
MrqNGLP7dQtDbfB3ap0tqyTTXzModg4xcvObHa6F3w9UbsI+fTpkDsaUpZRf9PTT
JwAklksljHsJA4oVvhAhS0MQqyV9H34v8tbQhT7pEbtOpXRluCM8nEoIrV6kn/1v
24TzEDeKW4PHX2R2aXvN
=kQGP
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.