Bug 1159616 (CVE-2019-19234)

Summary: VUL-0: CVE-2019-19234: sudo: In Sudo through 1.8.29, the fact that a user has been blocked (e.g., by using the ! character in the shadow file instead of a password hash) is not considered, allowing an attacker (who has access to a Runas ALL
Product: [Novell Products] SUSE Security Incidents Reporter: Marcus Meissner <meissner>
Component: IncidentsAssignee: Kristyna Streitova <kstreitova>
Status: RESOLVED INVALID QA Contact: Security Team bot <security-team>
Severity: Major    
Priority: P3 - Medium CC: oppo.allshout, security-team, smash_bz
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/249584/
Whiteboard: CVSSv2:NVD:CVE-2019-19234:5.0:(AV:N/AC:L/Au:N/C:N/I:P/A:N) CVSSv3:NVD:CVE-2019-19234:7.5:(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) CVSSv3:SUSE:CVE-2019-19234:7.8:(AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Marcus Meissner 2019-12-20 07:24:28 UTC 
CVE-2019-19234

In Sudo through 1.8.29, the fact that a user has been blocked (e.g., by using
the ! character in the shadow file instead of a password hash) is not
considered, allowing an attacker (who has access to a Runas ALL sudoer account)
to impersonate any blocked user.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-19234
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19234
https://www.sudo.ws/stable.html
https://www.sudo.ws/devel.html#1.8.30b2
Comment 1 Marcus Meissner 2019-12-20 07:27:17 UTC 
but if hwe has Runas ALL , could he not just become root and then use "su user"?
Comment 2 giorgio oppo 2019-12-31 12:16:39 UTC 
(In reply to Marcus Meissner from comment #1)
> but if hwe has Runas ALL , could he not just become root and then use "su
> user"?
If there was a Black List policy, the vulnerability would remain. 
Ex. (ALL,!root)
Comment 3 Kristyna Streitova 2020-02-06 18:57:28 UTC 
This issue is marked as disputed [1]:

"** DISPUTED ** In Sudo through 1.8.29, the fact that a user has been blocked (e.g., by using the ! character in the shadow file instead of a password hash) is not considered, allowing an attacker (who has access to a Runas ALL sudoer account) to impersonate any blocked user. NOTE: The software maintainer believes that this CVE is not valid. Disabling local password authentication for a user is not the same as disabling all access to that user--the user may still be able to login via other means (ssh key, kerberos, etc). Both the Linux shadow(5) and passwd(1) manuals are clear on this. Indeed it is a valid use case to have local accounts that are _only_ accessible via sudo and that cannot be logged into with a password. Sudo 1.8.30 added an optional setting to check the _shell_ of the target user (not the encrypted password!) against the contents of /etc/shells but that is not the same thing as preventing access to users with an invalid password hash."


The only relevant upstream commit is [2] that adds runas_check_shell flag to require a runas user to have a valid shell. It's not enabled by default though. Also, the patch is quite extensive so backporting would be probably problematic.

How do we want to treat this issue?


[1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19234
[2] https://www.sudo.ws/repos/sudo/rev/ed6db31729cd
Comment 4 Marcus Meissner 2020-02-07 13:05:06 UTC 
Similar to sudo upstream we currently do not consider it as a security issue
and are not planning to fix it.