Synopsis
The remote NewStart CGSL host is affected by multiple vulnerabilities.
Description
The remote NewStart CGSL host, running version CORE 5.05 / MAIN 5.05, has sudo packages installed that are affected by multiple vulnerabilities:
- A certain Fedora patch for parse.c in sudo before 1.7.4p5-1.fc14 on Fedora 14 does not properly interpret a system group (aka %group) in the sudoers file during authorization decisions for a user who belongs to that group, which allows local users to leverage an applicable sudoers file and gain root privileges via a sudo command. NOTE: this vulnerability exists because of a CVE-2009-0034 regression. (CVE-2011-0008)
- check.c in sudo 1.7.x before 1.7.4p5, when a Runas group is configured, does not require a password for command execution that involves a gid change but no uid change, which allows local users to bypass an intended authentication requirement via the -g option to a sudo command. (CVE-2011-0010)
- Format string vulnerability in the sudo_debug function in Sudo 1.8.0 through 1.8.3p1 allows local users to execute arbitrary code via format string sequences in the program name for sudo. (CVE-2012-0809)
- sudo 1.6.x and 1.7.x before 1.7.9p1, and 1.8.x before 1.8.4p5, does not properly support configurations that use a netmask syntax, which allows local users to bypass intended command restrictions in opportunistic circumstances by executing a command on a host that has an IPv4 address. (CVE-2012-2337)
- sudo 1.6.0 through 1.7.10p6 and sudo 1.8.0 through 1.8.6p6 allows local users or physically proximate attackers to bypass intended time restrictions and retain privileges without re-authenticating by setting the system clock and sudo user timestamp to the epoch. (CVE-2013-1775)
- sudo 1.3.5 through 1.7.10 and 1.8.0 through 1.8.5, when the tty_tickets option is enabled, does not properly validate the controlling terminal device, which allows local users with sudo permissions to hijack the authorization of another terminal via vectors related to connecting to the standard input, output, and error file descriptors of another terminal. NOTE: this is one of three closely-related vulnerabilities that were originally assigned CVE-2013-1776, but they have been SPLIT because of different affected versions. (CVE-2013-1776)
- Sudo before 1.9.5p2 contains an off-by-one error that can result in a heap-based buffer overflow, which allows privilege escalation to root via sudoedit -s and a command-line argument that ends with a single backslash character. (CVE-2021-3156)
- A heap-based buffer overflow was found in the way sudo parses command line arguments. This flaw is exploitable by any local user who can execute the sudo command without authentication. Successful exploitation of this flaw could lead to privilege escalation. (CVE-2021-3156)
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
Solution
Upgrade the vulnerable CGSL sudo packages. Note that updated packages may not be available yet. Please contact ZTE for more information.
Plugin Details
File Name: newstart_cgsl_NS-SA-2022-0028_sudo.nasl
Supported Sensors: Nessus
Risk Information
Vector: CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Temporal Vector: CVSS:3.0/E:H/RL:O/RC:C
Vulnerability Information
CPE: p-cpe:/a:zte:cgsl_core:sudo, p-cpe:/a:zte:cgsl_core:sudo-debuginfo, p-cpe:/a:zte:cgsl_core:sudo-devel, p-cpe:/a:zte:cgsl_main:sudo, p-cpe:/a:zte:cgsl_main:sudo-debuginfo, p-cpe:/a:zte:cgsl_main:sudo-devel, cpe:/o:zte:cgsl_core:5, cpe:/o:zte:cgsl_main:5
Required KB Items: Host/local_checks_enabled, Host/cpu, Host/ZTE-CGSL/release, Host/ZTE-CGSL/rpm-list
Exploit Ease: Exploits are available
Patch Publication Date: 5/8/2022
Vulnerability Publication Date: 1/29/2009
CISA Known Exploited Vulnerability Due Dates: 4/27/2022
Exploitable With
CANVAS (CANVAS)
Core Impact
Metasploit (Sudo Heap-Based Buffer Overflow)