Detections
Analytics
NewStart CGSL MAIN 4.06 : sudo Multiple Vulnerabilities (NS-SA-2021-0001)
high Nessus Plugin ID 147406
Language:
Synopsis
The remote machine is affected by multiple vulnerabilities.Description
The remote NewStart CGSL host, running version MAIN 4.06, has sudo packages installed that are affected by multiple vulnerabilities:- In Sudo before 1.8.26, if pwfeedback is enabled in /etc/sudoers, users can trigger a stack-based buffer overflow in the privileged sudo process. (pwfeedback is a default setting in Linux Mint and elementary OS;
however, it is NOT the default for upstream and many other packages, and would exist only if enabled by an administrator.) The attacker needs to deliver a long string to the stdin of getln() in tgetpass.c.
(CVE-2019-18634)
- In Sudo before 1.8.28, an attacker with access to a Runas ALL sudoer account can bypass certain policy blacklists and session PAM modules, and can cause incorrect logging, by invoking sudo with a crafted user ID. For example, this allows bypass of !root configuration, and USER= logging, for a sudo -u \#$((0xffffffff)) command. (CVE-2019-14287)
- sudo 1.6.x before 1.6.9p21 and 1.7.x before 1.7.2p4, when a pseudo-command is enabled, permits a match between the name of the pseudo-command and the name of an executable file in an arbitrary directory, which allows local users to gain privileges via a crafted executable file, as demonstrated by a file named sudoedit in a user's home directory. (CVE-2010-0426)
- Sudo 1.7.0 through 1.7.4p3, when a Runas group is configured, does not properly handle use of the -u option in conjunction with the -g option, which allows local users to gain privileges via a command line containing a -u root sequence. (CVE-2010-2956)
- Todd Miller's sudo version 1.8.20p1 and earlier is vulnerable to an input validation (embedded newlines) in the get_process_ttyname() function resulting in information disclosure and command execution.
(CVE-2017-1000368)
- Sudo before 1.9.5p2 has a Heap-based Buffer Overflow, allowing privilege escalation to root via sudoedit
-s and a command-line argument that ends with a single backslash character. (CVE-2021-3156)
- A heap-based buffer overflow was found in the way sudo parses command line arguments. This flaw is exploitable by any local user who can execute the sudo command without authentication. Successful exploitation of this flaw could lead to privilege escalation. (CVE-2021-3156)
Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.
Solution
Upgrade the vulnerable CGSL sudo packages. Note that updated packages may not be available yet. Please contact ZTE for more information.See Also
Plugin Details
Severity: High
ID: 147406
File Name: newstart_cgsl_NS-SA-2021-0001_sudo.nasl
Version: 1.7
Type: local
Published: 3/10/2021
Updated: 3/23/2023
Supported Sensors: Nessus
Risk Information
VPR
Risk Factor: Critical
Score: 9.7
CVSS v2
Risk Factor: High
Base Score: 9
Temporal Score: 7.8
Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C
CVSS Score Source: CVE-2019-14287
CVSS v3
Risk Factor: High
Base Score: 8.8
Temporal Score: 8.4
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Temporal Vector: CVSS:3.0/E:H/RL:O/RC:C
Vulnerability Information
Required KB Items: Host/local_checks_enabled, Host/cpu, Host/ZTE-CGSL/release, Host/ZTE-CGSL/rpm-list
Exploit Available: true
Exploit Ease: Exploits are available
Patch Publication Date: 3/9/2021
Vulnerability Publication Date: 1/28/2010
CISA Known Exploited Vulnerability Due Dates: 4/27/2022
Exploitable With
CANVAS (CANVAS)
Core Impact
Metasploit (Sudo Heap-Based Buffer Overflow)
Reference Information
CVE: CVE-2010-0426, CVE-2010-2956, CVE-2017-1000368, CVE-2019-14287, CVE-2019-18634, CVE-2021-3156