NewStart CGSL MAIN 4.06 : sudo Multiple Vulnerabilities (NS-SA-2021-0001)

high Nessus Plugin ID 147406

Synopsis

The remote machine is affected by multiple vulnerabilities.

Description

The remote NewStart CGSL host, running version MAIN 4.06, has sudo packages installed that are affected by multiple vulnerabilities:

- In Sudo before 1.8.26, if pwfeedback is enabled in /etc/sudoers, users can trigger a stack-based buffer overflow in the privileged sudo process. (pwfeedback is a default setting in Linux Mint and elementary OS;
however, it is NOT the default for upstream and many other packages, and would exist only if enabled by an administrator.) The attacker needs to deliver a long string to the stdin of getln() in tgetpass.c.
(CVE-2019-18634)

- In Sudo before 1.8.28, an attacker with access to a Runas ALL sudoer account can bypass certain policy blacklists and session PAM modules, and can cause incorrect logging, by invoking sudo with a crafted user ID. For example, this allows bypass of !root configuration, and USER= logging, for a sudo -u \#$((0xffffffff)) command. (CVE-2019-14287)

- sudo 1.6.x before 1.6.9p21 and 1.7.x before 1.7.2p4, when a pseudo-command is enabled, permits a match between the name of the pseudo-command and the name of an executable file in an arbitrary directory, which allows local users to gain privileges via a crafted executable file, as demonstrated by a file named sudoedit in a user's home directory. (CVE-2010-0426)

- Sudo 1.7.0 through 1.7.4p3, when a Runas group is configured, does not properly handle use of the -u option in conjunction with the -g option, which allows local users to gain privileges via a command line containing a -u root sequence. (CVE-2010-2956)

- Todd Miller's sudo version 1.8.20p1 and earlier is vulnerable to an input validation (embedded newlines) in the get_process_ttyname() function resulting in information disclosure and command execution.
(CVE-2017-1000368)

- Sudo before 1.9.5p2 has a Heap-based Buffer Overflow, allowing privilege escalation to root via sudoedit
-s and a command-line argument that ends with a single backslash character. (CVE-2021-3156)

- A heap-based buffer overflow was found in the way sudo parses command line arguments. This flaw is exploitable by any local user who can execute the sudo command without authentication. Successful exploitation of this flaw could lead to privilege escalation. (CVE-2021-3156)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Upgrade the vulnerable CGSL sudo packages. Note that updated packages may not be available yet. Please contact ZTE for more information.

See Also

http://security.gd-linux.com/notice/NS-SA-2021-0001

Plugin Details

Severity: High

ID: 147406

File Name: newstart_cgsl_NS-SA-2021-0001_sudo.nasl

Version: 1.7

Type: local

Published: 3/10/2021

Updated: 3/23/2023

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Critical

Score: 9.7

CVSS v2

Risk Factor: High

Base Score: 9

Temporal Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C

CVSS Score Source: CVE-2019-14287

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 8.4

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:H/RL:O/RC:C

Vulnerability Information

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/ZTE-CGSL/release, Host/ZTE-CGSL/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 3/9/2021

Vulnerability Publication Date: 1/28/2010

CISA Known Exploited Vulnerability Due Dates: 4/27/2022

Exploitable With

CANVAS (CANVAS)

Core Impact

Metasploit (Sudo Heap-Based Buffer Overflow)

Reference Information

CVE: CVE-2010-0426, CVE-2010-2956, CVE-2017-1000368, CVE-2019-14287, CVE-2019-18634, CVE-2021-3156

BID: 38362, 43019, 98838