Bug 1162202 (CVE-2019-18634)

Summary: VUL-0: CVE-2019-18634: sudo: if pwfeedback is enabled in /etc/sudoers, users can trigger a stack-based buffer overflow in the privileged sudo process
Product: [Novell Products] SUSE Security Incidents
Reporter: Wolfgang Frisch <wolfgang.frisch>
Component: Incidents
Assignee: Kristyna Streitova <kstreitova>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Major
Priority: P1 - Urgent
CC: cmertens, meissner, roger.whittaker, smash_bz, suseino
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/252106/
Whiteboard: CVSSv2:NVD:CVE-2019-18634:4.6:(AV:L/AC:L/Au:N/C:P/I:P/A:P) CVSSv3.1:NVD:CVE-2019-18634:7.8:(AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) CVSSv3.1:SUSE:CVE-2019-18634:8.8:(AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Wolfgang Frisch 2020-01-30 09:55:15 UTC
CVE-2019-18634

In Sudo through 1.8.29, if pwfeedback is enabled in /etc/sudoers, users can
trigger a stack-based buffer overflow in the privileged sudo process.
(pwfeedback is a default setting in Linux Mint and elementary OS; however, it is
NOT the default for upstream and many other packages, and would exist only if
enabled by an administrator.) The attacker needs to deliver a long string to the
stdin of getln() in tgetpass.c.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-18634
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18634
https://www.sudo.ws/security.html
https://support.apple.com/kb/HT210919
Comment 1 Wolfgang Frisch 2020-01-30 10:01:31 UTC
SUSE's default sudo configuration does not include `pwfeedback`.
The issue should be fixed nevertheless, in case a customer decides to utilize this option.
Comment 5 Wolfgang Frisch 2020-02-03 17:03:54 UTC
If enabled, which is not the default on SUSE, the `pwfeedback` option should be disabled until updates are released.

`sudo -l` will reveal all currently configured options.
Comment 6 Marcus Meissner 2020-02-05 12:22:53 UTC
From: William Bowling <will@wbowling.info>
Subject: Re: [oss-security] CVE-2019-18634: buffer overflow in sudo when pwfeedback is enabled
Date: Wed, 5 Feb 2020 22:34:53 +1100

When using a pty, sudo_term_eof and sudo_term_kill are initialized to 0x4
and 0x15 allowing the overflow to be reached, making 1.8.26-1.8.30 also
vulnerable:

$ socat pty,link=/tmp/pty,waitslave exec:"python -c
'print((\"A\"*100+chr(0x15))*50)'" &
$ sudo -S id < /tmp/pty
[sudo] password for user1: Segmentation fault
$ sudo -V
Sudo version 1.8.30
Sudoers policy plugin version 1.8.30
Sudoers file grammar version 46
Sudoers I/O plugin version 1.8.30

- Will
Comment 9 Kristyna Streitova 2020-02-07 17:21:38 UTC
@Wolfgang, Red Hat engineers claim that sudo 1.7.x (for us it means SLE11 and SLE11SP3) is not affected [1]:

"A deeper analysis shows the sudo version shipped with RHEL 5 is not affected.
More recent versions include a break; statement when write(2) fails to write the backspace character to the output on getln() function and password feedback is enabled. The main issue with that is the fact write(2) will always fail to write to unidirectional pipes thus when facing a VERASE character sudo won't reset back the buffer position pointer in such scenarios, which will subsequently lead to the buffer overflow.

This can be observed on sudo version 1.8.0 and above. The commit which introduced the vulnerability seems to be:
commit 420db23714ffcab87caa67bae0e3de9f42222cf9
Author: Todd C. Miller <Todd.Miller@courtesan.com>
Date:   Tue Aug 3 11:17:56 2010 -0400

    Quiet gcc warnings on glibc systems that use warn_unused_result for
    write(2) and others.

Red Hat Enterprise 5 ships sudo v.1.7.2p1 which still doesn't have this specific behavior. Even if write(2) fails due to a unidirectional pipe, it still decreases the current pointer position correctly when the termios's VERASE character is found in the password input."

What do you think about it?


[1] https://bugzilla.redhat.com/show_bug.cgi?id=1796944#c21
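The accounting error described in the Red Hat analysis quoted above, as an added illustration written for this bug entry (it is not sudo's code): a model of the kill-character path in getln() with pwfeedback enabled, where terminal input and the echoing write(2) are simulated in memory so the write can be made to fail deliberately, as it does on a unidirectional pipe. The sample input, the 6-byte buffer and the `fixed` switch are constructed for the example. In the unfixed branch the failed echo leaves the write position where it was while `left` is reset, so the model counts the bytes that would have landed beyond the buffer instead of storing them; the fixed branch resets the position unconditionally, which is the assumed shape of the upstream fix (the page only states that 1.8.31 fixes the issue).

```c
/* Illustrative model of the kill-character path in sudo's getln() with
 * pwfeedback enabled. Written for this bug entry; it is NOT sudo's code.
 * Terminal input and the echoing write(2) are simulated in memory, so the
 * write can be made to fail deliberately (the unidirectional-pipe case from
 * the quoted analysis). Any byte that would land beyond the buffer is counted
 * rather than stored, so the model itself never writes out of bounds. */
#include <stdio.h>
#include <string.h>

#define TERM_KILL 0x15          /* ^U, the kill character named in comment 6 */

struct sim {
    const char *input;          /* bytes that would arrive on stdin (constructed) */
    size_t len, pos;
    int write_fails;            /* 1: every simulated write(2) returns -1 */
};

static int sim_read(struct sim *s, char *c)
{
    if (s->pos >= s->len)
        return 0;
    *c = s->input[s->pos++];
    return 1;
}

static int sim_write(struct sim *s)
{
    return s->write_fails ? -1 : 0;
}

/* Reads a line into buf (bufsz data bytes; the caller supplies bufsz + 1 for
 * the NUL). Returns how many bytes would have been stored past the buffer.
 * fixed == 0: the position stays where the failed echo left it while `left`
 * is reset, the flaw described in comment 9. fixed == 1: the position is
 * reset unconditionally (assumed shape of the upstream fix). */
size_t getln_model(struct sim *s, char *buf, size_t bufsz, int feedback, int fixed)
{
    size_t i = 0;               /* next store index, cp - buf in sudo's terms */
    size_t left = bufsz;        /* free space as the loop believes it to be */
    size_t overflow = 0;
    char c;

    while (left > 0 && sim_read(s, &c)) {
        if (c == '\n' || c == '\r')
            break;
        if (feedback && c == TERM_KILL) {
            while (i > 0) {
                if (sim_write(s) == -1)
                    break;      /* echo failed: erasing stops here */
                i--;
            }
            if (fixed)
                i = 0;          /* the line is gone whether or not it was echoed */
            left = bufsz;       /* reset in both variants */
            continue;
        }
        if (i < bufsz)
            buf[i] = c;
        else
            overflow++;         /* would have been an out-of-bounds store */
        i++;
        left--;
    }
    buf[i < bufsz ? i : bufsz] = '\0';
    return overflow;
}

/* Runs the constructed sample "AAAA", kill, "AAAA" through a 6-byte buffer.
 * out must hold 7 bytes. The literal is split so "\x15" does not swallow
 * the following hex-digit 'A's. */
size_t run_sample(int write_fails, int fixed, char *out)
{
    struct sim s = { "AAAA\x15" "AAAA", 9, 0, write_fails };
    return getln_model(&s, out, 6, 1, fixed);
}

int main(void)
{
    static const struct { int wf, fx; const char *label; } cases[] = {
        { 0, 0, "echo succeeds, unfixed" },
        { 1, 0, "echo fails, unfixed" },
        { 1, 1, "echo fails, fixed" },
    };
    char out[7];
    for (size_t k = 0; k < 3; k++) {
        size_t ov = run_sample(cases[k].wf, cases[k].fx, out);
        printf("%-24s overflow=%zu buf=\"%s\"\n", cases[k].label, ov, out);
    }
    return 0;
}
```

Only the combination of a failing echo and the unfixed accounting produces a non-zero overflow count; with a working echo the position is walked back correctly, which matches the observation that the issue depends on how stdin is connected rather than on the password length alone.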
Comment 10 Suse User 2020-02-12 16:24:15 UTC
According to:

https://www.sudo.ws/news.html
https://www.sudo.ws/stable.html#1.8.31

version 1.8.31 fixes the issue.
Comment 11 Kristyna Streitova 2020-02-13 09:53:24 UTC
(In reply to Suse User from comment #10)
> According to:
> 
> https://www.sudo.ws/news.html
> https://www.sudo.ws/stable.html#1.8.31
> 
> version 1.8.31 fixes the issue.

Yes, the new version has already been submitted (sr#772143). It will appear in TW soon.
Comment 12 Suse User 2020-02-13 11:24:20 UTC
> It will appear in TW soon.

What about Leap?
Comment 13 Kristyna Streitova 2020-02-13 12:10:54 UTC
The fix was also submitted for SLE15 which is an origin for Leap.
Comment 14 Swamp Workflow Management 2020-02-18 14:12:26 UTC
SUSE-SU-2020:0390-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1162202
CVE References: CVE-2019-18634
Sources used:
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    sudo-1.8.10p3-2.32.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    sudo-1.8.10p3-2.32.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 15 Swamp Workflow Management 2020-02-19 14:12:03 UTC
SUSE-SU-2020:0406-1: An update that solves one vulnerability and has one errata is now available.

Category: security (important)
Bug References: 1162202,1162675
CVE References: CVE-2019-18634
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src):    sudo-1.8.20p2-3.17.1
SUSE OpenStack Cloud 8 (src):    sudo-1.8.20p2-3.17.1
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    sudo-1.8.20p2-3.17.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    sudo-1.8.20p2-3.17.1
SUSE Linux Enterprise Server 12-SP4 (src):    sudo-1.8.20p2-3.17.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    sudo-1.8.20p2-3.17.1
SUSE Linux Enterprise Server 12-SP3-BCL (src):    sudo-1.8.20p2-3.17.1
SUSE Linux Enterprise Desktop 12-SP4 (src):    sudo-1.8.20p2-3.17.1
SUSE Enterprise Storage 5 (src):    sudo-1.8.20p2-3.17.1
SUSE CaaS Platform 3.0 (src):    sudo-1.8.20p2-3.17.1
HPE Helion Openstack 8 (src):    sudo-1.8.20p2-3.17.1
Comment 16 Swamp Workflow Management 2020-02-19 14:12:50 UTC
SUSE-SU-2020:0409-1: An update that solves one vulnerability and has one errata is now available.

Category: security (important)
Bug References: 1162202,1162675
CVE References: CVE-2019-18634
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    sudo-1.8.27-4.3.1
SUSE Linux Enterprise Server 12-SP5 (src):    sudo-1.8.27-4.3.1
Comment 17 Swamp Workflow Management 2020-02-19 14:15:03 UTC
SUSE-SU-2020:0408-1: An update that solves one vulnerability and has one errata is now available.

Category: security (important)
Bug References: 1162202,1162675
CVE References: CVE-2019-18634
Sources used:
SUSE Linux Enterprise Server for SAP 15 (src):    sudo-1.8.22-4.9.1
SUSE Linux Enterprise Server 15-LTSS (src):    sudo-1.8.22-4.9.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    sudo-1.8.22-4.9.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    sudo-1.8.22-4.9.1
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    sudo-1.8.22-4.9.1
SUSE Linux Enterprise Module for Basesystem 15 (src):    sudo-1.8.22-4.9.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    sudo-1.8.22-4.9.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    sudo-1.8.22-4.9.1
Comment 18 Swamp Workflow Management 2020-02-19 14:22:30 UTC
SUSE-SU-2020:0407-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1162202
CVE References: CVE-2019-18634
Sources used:
SUSE OpenStack Cloud 7 (src):    sudo-1.8.10p3-10.26.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    sudo-1.8.10p3-10.26.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    sudo-1.8.10p3-10.26.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    sudo-1.8.10p3-10.26.1
Comment 19 Swamp Workflow Management 2020-02-25 14:29:27 UTC
openSUSE-SU-2020:0244-1: An update that solves one vulnerability and has one errata is now available.

Category: security (important)
Bug References: 1162202,1162675
CVE References: CVE-2019-18634
Sources used:
openSUSE Leap 15.1 (src):    sudo-1.8.22-lp151.5.6.1
Comment 24 Marcus Meissner 2020-03-10 16:24:43 UTC
I tested on SLES 11 SP4; I was not able to reproduce.

Other research showed that only 1.8.0 and later are affected, so SLES 11 seems not affected.

This also means all fixed now.