Date: Tue, 10 Nov 2015 15:38:30 -0500 (EST)
From: cve-assign@...re.org
To: amilburn@...l.org
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com, Todd.Miller@...rtesan.com
Subject: Re: race condition checking digests/checksums in sudoers

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

>> http://www.sudo.ws/man/1.8.15/sudoers.man.html

>> If a command name is prefixed with a Digest_Spec, the command will
>> only match successfully if it can be verified using the specified
>> SHA-2 digest. This may be useful in situations where the user invoking
>> sudo has write access to the command or its parent directory.

> This results in a race condition if the digest functionality is used
> as suggested (in fact, the rules are matched before the user is
> prompted for a password, so you have quite some time to replace the
> binary from underneath sudo).

Our perspective is that the documentation is directly misleading, and
the product actually does not have a security feature for which
there's a reasonable expectation. We do assign a CVE ID in this type of
situation, and can do that later this week unless there's other
discussion.

As far as we know, the Digest_Spec feature can be useful if the user
invoking sudo doesn't have write access to the program file, but a
second (and potentially untrusted) user does have write access to the
program file. In the envisioned scenario, the second user is not
allowed to use sudo, the second user has no way to predict when anyone
else may use sudo, and the second user cannot use their write access
often. Thus, if the second user attempts a file-replacement attack,
the attack will almost certainly occur at an ineffective instant of
time, and the Digest_Spec feature will successfully prevent the
attacker's desired outcome.

However, the documentation is specifically about "the user invoking
sudo has write access." A reasonably experienced person reading the
documentation could easily conclude that sudo and the kernel cooperate
to ensure that the executed code is always exactly the same as the
code with the specified SHA-2 digest value. This person can't be
expected to guess that a race condition is considered OK because a
non-racy approach may be hard to implement.

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJWQlUYAAoJEL54rhJi8gl58pYP/iXOFLyMmGwHT8nhSCL9FoEK
+xP6MCf2vQjpjpAhi2kejNtji//qPGXCwDAAuBoXW9YRC30aGhBzuZqOQZxMFMqv
01x3m0Fm4A2cMyWA67VC50481WsiYGYHob8uld8h26VBY7VL9+s/TaUekMdKkTyq
yiczwH2kMu8QiHGjBlw5yyeEhSc+6V6gK7+YjX6nWCEQlvqjaorlOiUAfmYLfv5l
FPgj+WTssHR+gKaVmSuw+WqG4w6ukH9AVoOiMwej08mqAhttQmfcIZrmCNItUq8H
/t5vvbRYXpQz+KwwaQ0ENsMQDsquO9XnzGdHSmvrC0jbSRdNWCpsONal7DF8OVqi
8YzM24nulX6wWxgd2dAI/IBVvMO0A+SEbApikBrJPEdW9gZ/+SVG+nLethyirD22
xbBkP1PE49vfHuZaOCwR7D4A5oGl+wymbTg8D9ihD9Vq+9+Nedr3FrPZ9wTEMMha
+X+yRu/UeDHqGN3mkwCXNT2vKTLa/+cYi+opbRt7KVLVFB0XsYJrpHrKgvntRRTB
eo+HTmxX0ISWkWOTOeUy5zsDm6XcU/YYBylZpgkKJy3e8xcRKK8uUi0my25m3EaX
Akv0Zn5yTIgSz1+mEKFSFnhtX9KcAsExs0xwSu7qxrw8shCVoln4Y0JKWHPgfONw
XXNM7lVxJwW2dgvND1gE
=EaN/
-----END PGP SIGNATURE-----
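The race described above (digest checked by path, command later executed by path) and the usual way to close that window are shown in the following added example. It is not sudo's code and not part of the original message; the helper names (`verify_by_path`, `open_verified`, `exec_verified`, `demonstrate_race`) are assumptions, and the sample "command" files are constructed in a temporary directory. The mitigation demonstrated is the generic one for this class of TOCTOU bug: open the file once, hash the bytes through that descriptor, and execute the same descriptor with `fexecve(2)`, so the inode that was verified is the inode that runs.

```python
"""Added example (hypothetical helpers, not sudo's implementation):
a path-based digest check followed by a path-based exec is a TOCTOU race;
verifying and executing through a single open descriptor pins the inode."""
import hashlib
import os
import stat
import tempfile


def sha256_of_fd(fd: int) -> str:
    """Hash the contents reachable through an already-open descriptor."""
    h = hashlib.sha256()
    os.lseek(fd, 0, os.SEEK_SET)
    while True:
        chunk = os.read(fd, 65536)
        if not chunk:
            break
        h.update(chunk)
    os.lseek(fd, 0, os.SEEK_SET)
    return h.hexdigest()


def verify_by_path(path: str, expected_hex: str) -> bool:
    """Racy pattern: hashes whatever 'path' names right now. A later
    execve(path) may run a different file if the path was swapped."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest() == expected_hex


def open_verified(path: str, expected_hex: str) -> int:
    """Open once, verify through the descriptor, return that descriptor.
    Renaming or replacing 'path' afterwards cannot change what the fd
    refers to, so fexecve(fd) runs exactly the bytes that were hashed."""
    fd = os.open(path, os.O_RDONLY)
    try:
        if not stat.S_ISREG(os.fstat(fd).st_mode):
            raise PermissionError(f"{path} is not a regular file")
        if sha256_of_fd(fd) != expected_hex:
            raise PermissionError(f"digest mismatch for {path}")
    except Exception:
        os.close(fd)
        raise
    return fd


def exec_verified(path: str, expected_hex: str, argv, env=None) -> None:
    """Replace the current process with the verified file (never returns)."""
    fd = open_verified(path, expected_hex)
    os.fexecve(fd, argv, os.environ if env is None else env)


def demonstrate_race() -> dict:
    """Constructed scenario: check passes, the path is then swapped via an
    atomic rename, and we compare what each approach would execute."""
    trusted = b"#!/bin/sh\necho trusted\n"
    swapped = b"#!/bin/sh\necho swapped\n"
    expected = hashlib.sha256(trusted).hexdigest()
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "cmd")
        with open(path, "wb") as f:
            f.write(trusted)
        os.chmod(path, 0o755)

        path_check_ok = verify_by_path(path, expected)  # True at this instant
        fd = open_verified(path, expected)              # pinned to this inode

        # The swap: a new file is renamed over the path between check and exec.
        tmp = path + ".new"
        with open(tmp, "wb") as f:
            f.write(swapped)
        os.chmod(tmp, 0o755)
        os.rename(tmp, path)

        with open(path, "rb") as f:
            path_now = f.read()          # what execve(path) would run now
        fd_now_hash = sha256_of_fd(fd)   # what fexecve(fd) would run now
        os.close(fd)
        return {
            "path_check_passed": path_check_ok,
            "path_now_runs_trusted": path_now == trusted,
            "fd_still_matches": fd_now_hash == expected,
        }


if __name__ == "__main__":
    print(demonstrate_race())
```

The descriptor approach defeats replacement of the path (the case where the invoking user has write access to the parent directory). It does not help when that user can write to the file itself: the fd pins the inode, not its bytes, so content rewritten in place after the hash and before the exec would still run. That is why the documentation's "write access to the command" case remains a problem that a digest check alone cannot solve.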
