Date: Wed, 27 Feb 2013 11:04:47 -0700 From: Kurt Seifried <kseifried@...hat.com> To: oss-security@...ts.openwall.com CC: "Todd C. Miller" <Todd.Miller@...rtesan.com> Subject: Re: CVE request: sudo authentication bypass when clock is reset -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 02/27/2013 09:23 AM, Todd C. Miller wrote: > Sudo 1.8.6p7 and 1.7.10p7 are now available which include a fix > for the following bug: > > Sudo authentication bypass when clock is reset > > Summary: > When a user successfully authenticates with sudo, a time stamp > file is updated to allow that user to continue running sudo > without requiring a password for a preset time period (five > minutes by default). The user's time stamp file can be reset > using "sudo -k" or removed altogether via "sudo -K". > > A user who has sudo access and is able to control the local > clock (common in desktop environments) can run a command via > sudo without authenticating as long as they have previously > authenticated themselves at least once by running "sudo -k" and > then setting the clock to the epoch (1970-01-01 01:00:00). > > The vulnerability does not permit a user to run commands other > than those allowed by the sudoers policy. > > Sudo versions affected: > Sudo 1.6.0 through 1.7.10p7 and sudo 1.8.0 through 1.8.6p7. > > Details: > By default, sudo displays a lecture when the user's time stamp > file is not present. In sudo 1.6, the -k option was changed > to reset the time stamp file to the epoch rather than remove > it to prevent the lecture from being displayed the next time > sudo was run. No special case was added for handling a time > stamp file set to the epoch since the clock should never > legitimately be set to that value. > > However, there are two common ways for the clock to be reset > to the epoch. The first way is when the clock is reset due to > a fully drained battery on some systems. The other way is by > a user logged in to a desktop environment that allows changes > to the date and time. > > As long as the user has successfully run sudo before, they are > able to run "sudo -k" to reset the time stamp file. This action > does not require a password and is not logged. If the user is > also able to reset the date and time to the epoch (1970-01-01 > 01:00:00), they will be able to run sudo without having to > authenticate. > > Impact: > The flaw may allow someone with physical access to a machine > that is not password-protected to run sudo commands without > knowing the logged in user's password. On systems where sudo > is the principal way of running commands as root, such as on > Ubuntu and Mac OS X, there is a greater chance that the logged > in user has run sudo before and thus that an attack would > succeed. > > Fix: > The bug is fixed in sudo 1.8.6p7 and 1.7.10p7. These versions > will ignore a time stamp file that is set to the epoch. > > Workaround: > Using "sudo -K" instead of "sudo -k" will completely remove the > time stamp file instead of just resetting it. > > Credit: > I'd like to thank Marco Schoepl for finding and reporting this > long-standing bug. > Please use CVE-2013-1775 for this issue. - -- Kurt Seifried Red Hat Security Response Team (SRT) PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.13 (GNU/Linux) iQIcBAEBAgAGBQJRLkq/AAoJEBYNRVNeJnmTiDcQANR8k6W1zRF1otKXMobCjS5P Jost0kmGEC0M32NbR4CYXz//noUTsZR6Zbh1C4Kt/lsjARv7NkJgFKKUi6hqXoig YGmUQtMDaI8Y8kmI09gr4XMrr/urmo0ifd8cWDULBxnPGT9zWbfpALXkJ5iI2bm2 tTIhKEaYz7nyqRxZkwDX8OTJ4glikhd+XfEeP1wqUxT6fsYFJu4o8yJyHkoCg2ML cGfHm/nSf/Gg1I0Ze6VvDbg8zGeynPo3uCzHVL0sUbn3PXRYDAEF+gL0sOFPMjpw ObJNjJxBUaHasZL7gLLGKdqzXOH19WzsAhXuizbeBC6qLytiKojakt2vfEcbKpE1 kvnb/RZUJgeJ713C2Zr7uTJ5IVP+k13f86lNUJA5TqKsbnTCPCHOlStgFIQFU3wa sTQpfS+6h6wZI95UZ4WTA0In1PyoB9hNIK+5xpOXw5j7mau/jCuL773XgZc+yK6p JgadFbfOY674ORPxrnBXNM6N9yCNQrvSRRmmr88efQo4U4SFx30cDZYrET7wsR5B MrqNGLP7dQtDbfB3ap0tqyTTXzModg4xcvObHa6F3w9UbsI+fTpkDsaUpZRf9PTT JwAklksljHsJA4oVvhAhS0MQqyV9H34v8tbQhT7pEbtOpXRluCM8nEoIrV6kn/1v 24TzEDeKW4PHX2R2aXvN =kQGP -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.