Date: Tue, 10 Nov 2015 15:38:30 -0500 (EST)
Subject: Re: race condition checking digests/checksums in sudoers

>> If a command name is prefixed with a Digest_Spec, the command will
>> only match successfully if it can be verified using the specified
>> SHA-2 digest. This may be useful in situations where the user invoking
>> sudo has write access to the command or its parent directory.

> This results in a race condition if the digest functionality is used
> as suggested (in fact, the rules are matched before the user is
> prompted for a password, so you have quite some time to replace the
> binary from underneath sudo).

Our perspective is that the documentation is directly misleading, and
the product actually does not have a security feature for which
there's a reasonable expectation. We do assign a CVE ID in this type of
situation, and can do that later this week unless there's other

As far as we know, the Digest_Spec feature can be useful if the user
invoking sudo doesn't have write access to the program file, but a
second (and potentially untrusted) user does have write access to the
program file. In the envisioned scenario, the second user is not
allowed to use sudo, the second user has no way to predict when anyone
else may use sudo, and the second user cannot use their write access
often. Thus, if the second user attempts a file-replacement attack,
the attack will almost certainly occur at an ineffective instant of
time, and the Digest_Spec feature will successfully prevent the
attacker's desired outcome.

However, the documentation is specifically about "the user invoking
sudo has write access." A reasonably experienced person reading the
documentation could easily conclude that sudo and the kernel cooperate
to ensure that the executed code is always exactly the same as the
code with the specified SHA-2 digest value. This person can't be
expected to guess that a race condition is considered OK because a
non-racy approach may be hard to implement.

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through ]
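As an added illustration (not part of the original message, and not sudo's own code), the following Python sketch contrasts the two shapes of a digest-checked launch: hashing the file by name and then executing by name, which performs a second independent path lookup and is exposed to the replacement window described above, versus opening the file once, hashing that descriptor and handing the same descriptor to fexecve. The sample contents, the file names and the `simulate` helper are constructed for the demonstration; the "rename" and "overwrite" modes stand in for write access to the parent directory and to the file itself respectively.

```python
import hashlib
import os
import tempfile

# Constructed sample contents standing in for a sudo-permitted command and a replacement.
ORIGINAL = b"#!/bin/sh\necho original tool\n"
REPLACEMENT = b"#!/bin/sh\necho replaced tool\n"


def sha256_of_fd(fd: int) -> str:
    """Hash everything readable through an already-open descriptor, from offset 0."""
    digest = hashlib.sha256()
    os.lseek(fd, 0, os.SEEK_SET)
    while chunk := os.read(fd, 65536):
        digest.update(chunk)
    os.lseek(fd, 0, os.SEEK_SET)
    return digest.hexdigest()


def sha256_of_path(path: str) -> str:
    """Hash a file by name: a fresh path lookup every time it is called."""
    fd = os.open(path, os.O_RDONLY)
    try:
        return sha256_of_fd(fd)
    finally:
        os.close(fd)


def racy_verify(path: str, expected_hex: str) -> str:
    """Check-by-name, execute-by-name: the caller is expected to execv(path) afterwards,
    and execv performs a second, independent lookup of `path`."""
    if sha256_of_path(path) != expected_hex:
        raise PermissionError("digest mismatch for %s" % path)
    return path


def verify_fd(path: str, expected_hex: str) -> int:
    """Open once, hash that descriptor, return it for os.fexecve(fd, argv, env).
    Whatever `path` names later, the descriptor still refers to the inode that was hashed."""
    fd = os.open(path, os.O_RDONLY)
    if sha256_of_fd(fd) != expected_hex:
        os.close(fd)
        raise PermissionError("digest mismatch for %s" % path)
    return fd


def run_verified(path: str, expected_hex: str, argv: list) -> None:
    """Launcher that only ever executes the descriptor whose contents were hashed."""
    fd = verify_fd(path, expected_hex)
    os.fexecve(fd, argv, os.environ)


def simulate(attack: str) -> tuple:
    """Constructed simulation of the window between the digest check and the exec.
    attack: "none", "rename" (a new file is moved over the name; needs write access to
    the parent directory) or "overwrite" (the inode is rewritten in place; needs write
    access to the file itself). Returns (execv_would_run_verified_code,
    fexecve_would_run_verified_code)."""
    expected = hashlib.sha256(ORIGINAL).hexdigest()
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, "tool")
        with open(target, "wb") as f:
            f.write(ORIGINAL)

        path_to_exec = racy_verify(target, expected)  # both checks pass at this point
        fd_to_exec = verify_fd(target, expected)

        if attack == "rename":
            staged = target + ".new"
            with open(staged, "wb") as f:
                f.write(REPLACEMENT)
            os.replace(staged, target)  # a different inode now sits under the old name
        elif attack == "overwrite":
            with open(target, "wb") as f:  # same inode, new contents
                f.write(REPLACEMENT)

        # What each exec flavour would load at this instant.
        seen_by_execv = sha256_of_path(path_to_exec) == expected
        seen_by_fexecve = sha256_of_fd(fd_to_exec) == expected
        os.close(fd_to_exec)
    return seen_by_execv, seen_by_fexecve
```

`simulate("rename")` shows the descriptor-based check surviving a replacement via the parent directory, while `simulate("overwrite")` shows its limit: a descriptor names an inode, not a snapshot of its bytes, so a file the invoking user can write in place can still change between the hash and the fexecve. Closing that case too would require copying the command somewhere the user cannot write before hashing and executing it, which is one concrete reason a fully non-racy approach is harder than the documentation's wording suggests.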