Sudo 1.7.0 through 1.7.4p3, when a Runas group is configured, does not properly handle use of the -u option in conjunction with the -g option, which allows local users to gain privileges via a command line containing a "-u root" sequence.

The remote NewStart CGSL host, running version MAIN 4.06, has sudo packages installed that are affected by multiple vulnerabilities:

  - In Sudo before 1.8.26, if pwfeedback is enabled in /etc/sudoers, users can trigger a stack-based buffer     overflow in the privileged sudo process. (pwfeedback is a default setting in Linux Mint and elementary OS;
    however, it is NOT the default for upstream and many other packages, and would exist only if enabled by an     administrator.) The attacker needs to deliver a long string to the stdin of getln() in tgetpass.c.
    (CVE-2019-18634)

  - In Sudo before 1.8.28, an attacker with access to a Runas ALL sudoer account can bypass certain policy     blacklists and session PAM modules, and can cause incorrect logging, by invoking sudo with a crafted user     ID. For example, this allows bypass of !root configuration, and USER= logging, for a sudo -u     \#$((0xffffffff)) command. (CVE-2019-14287)

  - sudo 1.6.x before 1.6.9p21 and 1.7.x before 1.7.2p4, when a pseudo-command is enabled, permits a match     between the name of the pseudo-command and the name of an executable file in an arbitrary directory, which     allows local users to gain privileges via a crafted executable file, as demonstrated by a file named     sudoedit in a user's home directory. (CVE-2010-0426)

  - Sudo 1.7.0 through 1.7.4p3, when a Runas group is configured, does not properly handle use of the -u     option in conjunction with the -g option, which allows local users to gain privileges via a command line     containing a -u root sequence. (CVE-2010-2956)

  - Todd Miller's sudo version 1.8.20p1 and earlier is vulnerable to an input validation (embedded newlines)     in the get_process_ttyname() function resulting in information disclosure and command execution.
    (CVE-2017-1000368)

  - Sudo before 1.9.5p2 has a Heap-based Buffer Overflow, allowing privilege escalation to root via sudoedit
    -s and a command-line argument that ends with a single backslash character. (CVE-2021-3156)

  - A heap-based buffer overflow was found in the way sudo parses command line arguments. This flaw is     exploitable by any local user who can execute the sudo command without authentication. Successful     exploitation of this flaw could lead to privilege escalation.  (CVE-2021-3156)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote VMware ESX host is missing a security-related patch. It is, therefore, affected by multiple vulnerabilities, including arbitrary code execution vulnerabilities, in several third-party components and libraries :

  - glibc
  - glibc-common
  - nscd
  - openldap
  - sudo

sudo's handling of the -g command line option allowed to also specify
-u in some cases, therefore allowing users to actually run commands as root (CVE-2010-2956).

The remote Oracle Linux 5 host has a package installed that is affected by a vulnerability as referenced in the ELSA-2010-0675 advisory.

    [1.7.2p1-8]
    - added patch for CVE-2010-2956 (#628628)

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

A flaw was found in the way sudo handled Runas specifications containing both a user and a group list. If a local user were authorized by the sudoers file to perform their sudo commands with the privileges of a specified user and group, they could use this flaw to run those commands with the privileges of either an arbitrary user or group on the system. (CVE-2010-2956)

a. Service Console update for glibc

   The service console packages glibc, glibc-common, and nscd are each    updated to version 2.5-34.4908.vmw.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)    has assigned the names CVE-2010-3847 and CVE-2010-3856 to the issues    addressed in this update.

b. Service Console update for sudo

   The service console package sudo is updated to version    1.7.2p1-8.el5_5.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)    has assigned the name CVE-2010-2956 to the issue addressed in this    update.

c. Service Console update for openldap

   The service console package openldap is updated to version    2.3.43-12.el5_5.1.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)    has assigned the names CVE-2010-0211 and CVE-2010-0212 to the issues    addressed in this update.

- reset $HOME when the `-i' option is used

    - update to new upstream version

    - sudo now uses /var/db/sudo for timestamps

    - new command available: sudoreplay

    - use native audit support

    - corrected license field value: BSD -> ISC

    - added env_keep += HOME (see rhbz#614025) for backwards       compatibility

    - added Defaults !visiblepw

    - fixes CVE-2010-2956

    - use_pty option can be used to avoid the issue reported       in #479145

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

- update to new upstream version - sudo now uses     /var/db/sudo for timestamps - new command available:
    sudoreplay - use native audit support - corrected     license field value: BSD -> ISC - fixes CVE-2010-2956

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

New sudo packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, 10.2, 11.0, 12.0, 12.1, 12.2, 13.0, 13.1, and -current to fix a security issue.

A vulnerability has been found and corrected in sudo :

Sudo 1.7.0 through 1.7.4p3, when a Runas group is configured, does not properly handle use of the -u option in conjunction with the -g option, which allows local users to gain privileges via a command line containing a -u root sequence (CVE-2010-2956).

The updated packages have been patched to correct this issue.

An updated sudo package that fixes one security issue is now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

The sudo (superuser do) utility allows system administrators to give certain users the ability to run commands as root.

A flaw was found in the way sudo handled Runas specifications containing both a user and a group list. If a local user were authorized by the sudoers file to perform their sudo commands with the privileges of a specified user and group, they could use this flaw to run those commands with the privileges of either an arbitrary user or group on the system. (CVE-2010-2956)

Red Hat would like to thank Markus Wuethrich of Swiss Post - PostFinance for reporting this issue.

Users of sudo should upgrade to this updated package, which contains a backported patch to correct this issue.

- update to new upstream version - sudo now uses     /var/db/sudo for timestamps - new command available:
    sudoreplay - use native audit support - corrected     license field value: BSD -> ISC - added env_keep += HOME     (see rhbz#614025) for backwards compatibility - added     Defaults !visiblepw - fixes CVE-2010-2956

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Markus Wuethrich discovered that sudo did not always verify the user when a group was specified in the Runas_Spec. A local attacker could exploit this to execute arbitrary code as root if sudo was configured to allow the attacker to use a program as a group when the attacker was not a part of that group.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote Redhat Enterprise Linux 5 host has a package installed that is affected by a vulnerability as referenced in the RHSA-2010:0675 advisory.

  - sudo: incorrect handling of RunAs specification with both user and group lists (CVE-2010-2956)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote host is affected by the vulnerability described in GLSA-201009-03 (sudo: Privilege Escalation)

    Multiple vulnerabilities have been reported in sudo:
    Evan     Broder and Anders Kaseorg of Ksplice, Inc. reported that the sudo     'secure path' feature does not properly handle multiple PATH variables     (CVE-2010-1646).
    Markus Wuethrich of Swiss Post reported that     sudo fails to restrict access when using Runas groups and the group     (-g) command line option (CVE-2010-2956).
  Impact :

    A local attacker could exploit these vulnerabilities to gain the     ability to run certain commands with the privileges of other users,     including root, depending on the configuration.
  Workaround :

    There is no known workaround at this time.

Todd Miller reports :

Beginning with sudo version 1.7.0 it has been possible to grant permission to run a command using a specified group via sudo -g option (run as group). A flaw exists in the logic that matches Runas groups in the sudoers file when the -u option is also specified (run as user). This flaw results in a positive match for the user specified via -u so long as the group specified via -g is allowed by the sudoers file.

Exploitation of the flaw requires that Sudo be configured with sudoers entries that contain a Runas group. Entries that do not contain a Runas group, or only contain a Runas user are not affected.

ID	Name	Product	Family	Severity
147406	NewStart CGSL MAIN 4.06 : sudo Multiple Vulnerabilities (NS-SA-2021-0001)	Nessus	NewStart CGSL Local Security Checks	high
89673	VMware ESX Third-Party Libraries Multiple Vulnerabilities (VMSA-2011-0001) (remote check)	Nessus	Misc.	high
75750	openSUSE Security Update : sudo (openSUSE-SU-2010:0591-1)	Nessus	SuSE Local Security Checks	medium
68093	Oracle Linux 5 : sudo (ELSA-2010-0675)	Nessus	Oracle Linux Local Security Checks	high
60854	Scientific Linux Security Update : sudo on SL5.x i386/x86_64	Nessus	Scientific Linux Local Security Checks	medium
51422	VMSA-2011-0001 : VMware ESX third-party updates for Service Console packages glibc, sudo, and openldap	Nessus	VMware ESX Local Security Checks	high
49721	Fedora 12 : sudo-1.7.4p4-2.fc12 (2010-14996)	Nessus	Fedora Local Security Checks	medium
49240	Fedora 14 : sudo-1.7.4p4-1.fc14 (2010-14184)	Nessus	Fedora Local Security Checks	medium
49230	Slackware 10.0 / 10.1 / 10.2 / 11.0 / 12.0 / 12.1 / 12.2 / 13.0 / 13.1 / 8.1 / 9.0 / 9.1 / current : sudo (SSA:2010-257-02)	Nessus	Slackware Local Security Checks	medium
49205	Mandriva Linux Security Advisory : sudo (MDVSA-2010:175)	Nessus	Mandriva Local Security Checks	medium
49203	CentOS 5 : sudo (CESA-2010:0675)	Nessus	CentOS Local Security Checks	medium
49197	Fedora 13 : sudo-1.7.4p4-1.fc13 (2010-14355)	Nessus	Fedora Local Security Checks	medium
49168	openSUSE Security Update : sudo (openSUSE-SU-2010:0591-1)	Nessus	SuSE Local Security Checks	medium
49140	Ubuntu 9.10 / 10.04 LTS : sudo vulnerability (USN-983-1)	Nessus	Ubuntu Local Security Checks	medium
49128	RHEL 5 : sudo (RHSA-2010:0675)	Nessus	Red Hat Local Security Checks	high
49124	GLSA-201009-03 : sudo: Privilege Escalation	Nessus	Gentoo Local Security Checks	medium
49123	FreeBSD : sudo -- Flaw in Runas group matching (67b514c3-ba8f-11df-8f6e-000c29a67389)	Nessus	FreeBSD Local Security Checks	medium

Detections

Analytics

CVE-2010-2956

high

Tenable Plugins

high

high

medium

high

medium

high

medium

medium

medium

medium

medium

medium

medium

medium

high

medium

medium