Bug 1219026 (CVE-2023-42465)

Summary:	VUL-0: CVE-2023-42465: sudo: row hammer attacks hardening
Product:	[Novell Products] SUSE Security Incidents	Reporter:	Andreas Stieger <Andreas.Stieger>
Component:	Incidents	Assignee:	Security Team bot <security-team>
Status:	IN_PROGRESS ---	QA Contact:	Security Team bot <security-team>
Severity:	Normal
Priority:	P3 - Medium	CC:	cxiong, hp.jansen, meissner, otto.hollmann, pgajdos, richard.fan, steve.moring, thomas.leroy
Version:	unspecified	Flags:	steve.moring: needinfo?
Target Milestone:	---
Hardware:	Other
OS:	Other
URL:	https://smash.suse.de/issue/391777/
See Also:	https://bugzilla.suse.com/show_bug.cgi?id=1220297
Whiteboard:	CVSSv3.1:SUSE:CVE-2023-42465:7.0:(AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
Found By:	---	Services Priority:
Business Priority:		Blocker:	---
Marketing QA Status:	---	IT Deployment:	---

Description Andreas Stieger 2024-01-19 18:57:42 UTC

Sudo before 1.9.15 might allow row hammer attacks (for authentication bypass or privilege escalation) because application logic sometimes is based on not equaling an error value (instead of equaling a success value), and because the values do not resist flips of a single bit. 

Tumbleweed: https://build.opensuse.org/request/show/1128140


References:
https://github.com/sudo-project/sudo/releases/tag/SUDO_1_9_15https://arxiv.org/abs/2309.02545
https://github.com/sudo-project/sudo/commit/7873f8334c8d31031f8cfa83bd97ac6029309e4f
https://www.openwall.com/lists/oss-security/2023/12/21/9
https://www.sudo.ws/releases/changelog/

Comment 1 Thomas Leroy 2024-01-22 09:44:48 UTC

Thanks for the report Andreas.

Affected:
- SUSE:SLE-11-SP3:Update
- SUSE:SLE-12-SP2:Update
- SUSE:SLE-12-SP3:Update
- SUSE:SLE-12-SP5:Update
- SUSE:SLE-15-SP3:Update
- SUSE:SLE-15-SP4:Update
- SUSE:SLE-15-SP5:Update
- SUSE:SLE-15:Update

Comment 2 Petr Gajdos 2024-02-05 15:53:38 UTC

Will try to look at it.

Comment 3 Petr Gajdos 2024-02-15 16:26:02 UTC

This seems to be dependant at least on
https://github.com/sudo-project/sudo/commit/538be58ac0b10c21be3ec5f1e51b44af25699a4e
https://github.com/sudo-project/sudo/commit/e025cca440376d9497496d204184c59be6f8c9cb
quite tangled.

Comment 4 Petr Gajdos 2024-02-23 06:31:13 UTC

Reassigning back to Otto as he is taking care in fact.
Sorry I didn't help more.

Comment 5 Otto Hollmann 2024-02-26 13:51:30 UTC

Submitted:

Codestream               Version   SR
-----------------------------------------------
openSUSE:Factory         1.9.15p5  not affected
SUSE:ALP:Source:Std:1.0  1.9.15p5  not affected
SUSE_SLE-15-SP6_GA       1.9.15p5  not affected
SUSE_SLE-15-SP5_Update   1.9.12p1  322748
SUSE_SLE-15-SP4_Update   1.9.9     322749
SUSE_SLE-15-SP3_Update   1.9.5p2   322750
SUSE_SLE-15_Update       1.8.27    322751
SUSE_SLE-12-SP5_Update   1.8.27    322752
SUSE_SLE-12-SP3_Update   1.8.20p2  322758
SUSE_SLE-12-SP2_Update   1.8.10p3  unsupported
SUSE_SLE-12_Update       1.8.10p3  unsupported
SUSE_SLE-11-SP3_Update   1.7.6p2   unsupported
SUSE_SLE-11_Update       1.7.6p2   unsupported

Assigning back to security team

Comment 7 Otto Hollmann 2024-02-28 15:31:01 UTC

As mentioned in bug 1220389, also commit 
> https://github.com/sudo-project/sudo/commit/cf00568d888c90a8c5d06a06283bc87a45992933
needs to be backported

resubmitted:
> SUSE_SLE-15-SP5_Update   1.9.12p1  322748 -> 322941
> SUSE_SLE-15-SP4_Update   1.9.9     322749 -> 322942
> SUSE_SLE-15-SP3_Update   1.9.5p2   322750 -> 322943
> SUSE_SLE-15_Update       1.8.27    322751 -> 322944
> SUSE_SLE-12-SP5_Update   1.8.27    322752 -> 322945
> SUSE_SLE-12-SP3_Update   1.8.20p2  322758 -> 322946

Comment 13 Maintenance Automation 2024-03-07 12:30:30 UTC

SUSE-SU-2024:0797-1: An update that solves one vulnerability and has one security fix can now be installed.

Category: security (important)
Bug References: 1219026, 1220389
CVE References: CVE-2023-42465
Sources used:
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): sudo-1.8.27-4.45.1
SUSE Linux Enterprise Server 12 SP5 (src): sudo-1.8.27-4.45.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): sudo-1.8.27-4.45.1
SUSE Linux Enterprise Software Development Kit 12 SP5 (src): sudo-1.8.27-4.45.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 14 Maintenance Automation 2024-03-07 12:30:33 UTC

SUSE-SU-2024:0796-1: An update that solves one vulnerability and has one security fix can now be installed.

Category: security (important)
Bug References: 1219026, 1220389
CVE References: CVE-2023-42465
Sources used:
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): sudo-1.8.27-150000.4.50.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): sudo-1.8.27-150000.4.50.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): sudo-1.8.27-150000.4.50.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 15 Maintenance Automation 2024-03-07 12:30:38 UTC

SUSE-SU-2024:0795-1: An update that solves one vulnerability and has one security fix can now be installed.

Category: security (important)
Bug References: 1219026, 1220389
CVE References: CVE-2023-42465
Sources used:
openSUSE Leap Micro 5.3 (src): sudo-1.9.9-150400.4.33.1
openSUSE Leap Micro 5.4 (src): sudo-1.9.9-150400.4.33.1
SUSE Linux Enterprise Micro for Rancher 5.3 (src): sudo-1.9.9-150400.4.33.1
SUSE Linux Enterprise Micro 5.3 (src): sudo-1.9.9-150400.4.33.1
SUSE Linux Enterprise Micro for Rancher 5.4 (src): sudo-1.9.9-150400.4.33.1
SUSE Linux Enterprise Micro 5.4 (src): sudo-1.9.9-150400.4.33.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src): sudo-1.9.9-150400.4.33.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src): sudo-1.9.9-150400.4.33.1
SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 (src): sudo-1.9.9-150400.4.33.1
SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (src): sudo-1.9.9-150400.4.33.1
SUSE Linux Enterprise Server for SAP Applications 15 SP4 (src): sudo-1.9.9-150400.4.33.1
SUSE Manager Proxy 4.3 (src): sudo-1.9.9-150400.4.33.1
SUSE Manager Retail Branch Server 4.3 (src): sudo-1.9.9-150400.4.33.1
SUSE Manager Server 4.3 (src): sudo-1.9.9-150400.4.33.1
openSUSE Leap 15.4 (src): sudo-1.9.9-150400.4.33.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 16 Maintenance Automation 2024-03-07 12:30:44 UTC

SUSE-SU-2024:0794-1: An update that solves one vulnerability and has one security fix can now be installed.

Category: security (important)
Bug References: 1219026, 1220389
CVE References: CVE-2023-42465
Sources used:
openSUSE Leap 15.5 (src): sudo-1.9.12p1-150500.7.7.1
SUSE Linux Enterprise Micro 5.5 (src): sudo-1.9.12p1-150500.7.7.1
Basesystem Module 15-SP5 (src): sudo-1.9.12p1-150500.7.7.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 17 Maintenance Automation 2024-03-08 12:30:13 UTC

SUSE-SU-2024:0796-2: An update that solves one vulnerability and has one security fix can now be installed.

Category: security (important)
Bug References: 1219026, 1220389
CVE References: CVE-2023-42465
Sources used:
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): sudo-1.8.27-150000.4.50.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): sudo-1.8.27-150000.4.50.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): sudo-1.8.27-150000.4.50.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 18 Maintenance Automation 2024-03-08 12:30:15 UTC

SUSE-SU-2024:0795-2: An update that solves one vulnerability and has one security fix can now be installed.

Category: security (important)
Bug References: 1219026, 1220389
CVE References: CVE-2023-42465
Sources used:
openSUSE Leap Micro 5.3 (src): sudo-1.9.9-150400.4.33.1
openSUSE Leap Micro 5.4 (src): sudo-1.9.9-150400.4.33.1
SUSE Linux Enterprise Micro for Rancher 5.3 (src): sudo-1.9.9-150400.4.33.1
SUSE Linux Enterprise Micro 5.3 (src): sudo-1.9.9-150400.4.33.1
SUSE Linux Enterprise Micro for Rancher 5.4 (src): sudo-1.9.9-150400.4.33.1
SUSE Linux Enterprise Micro 5.4 (src): sudo-1.9.9-150400.4.33.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src): sudo-1.9.9-150400.4.33.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src): sudo-1.9.9-150400.4.33.1
SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 (src): sudo-1.9.9-150400.4.33.1
SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (src): sudo-1.9.9-150400.4.33.1
SUSE Linux Enterprise Server for SAP Applications 15 SP4 (src): sudo-1.9.9-150400.4.33.1
SUSE Manager Proxy 4.3 (src): sudo-1.9.9-150400.4.33.1
SUSE Manager Retail Branch Server 4.3 (src): sudo-1.9.9-150400.4.33.1
SUSE Manager Server 4.3 (src): sudo-1.9.9-150400.4.33.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 19 Maintenance Automation 2024-03-08 12:36:26 UTC

SUSE-SU-2024:0797-2: An update that solves one vulnerability and has one security fix can now be installed.

Category: security (important)
Bug References: 1219026, 1220389
CVE References: CVE-2023-42465
Sources used:
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): sudo-1.8.27-4.45.1
SUSE Linux Enterprise Server 12 SP5 (src): sudo-1.8.27-4.45.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): sudo-1.8.27-4.45.1
SUSE Linux Enterprise Software Development Kit 12 SP5 (src): sudo-1.8.27-4.45.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 20 Maintenance Automation 2024-03-08 12:36:31 UTC

SUSE-SU-2024:0794-2: An update that solves one vulnerability and has one security fix can now be installed.

Category: security (important)
Bug References: 1219026, 1220389
CVE References: CVE-2023-42465
Sources used:
openSUSE Leap 15.5 (src): sudo-1.9.12p1-150500.7.7.1
SUSE Linux Enterprise Micro 5.5 (src): sudo-1.9.12p1-150500.7.7.1
Basesystem Module 15-SP5 (src): sudo-1.9.12p1-150500.7.7.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 22 Maintenance Automation 2024-03-12 16:36:36 UTC

SUSE-SU-2024:0834-1: An update that solves one vulnerability and has one security fix can now be installed.

Category: security (important)
Bug References: 1219026, 1220389
CVE References: CVE-2023-42465
Sources used:
openSUSE Leap 15.3 (src): sudo-1.9.5p2-150300.3.33.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): sudo-1.9.5p2-150300.3.33.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): sudo-1.9.5p2-150300.3.33.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): sudo-1.9.5p2-150300.3.33.1
SUSE Enterprise Storage 7.1 (src): sudo-1.9.5p2-150300.3.33.1
SUSE Linux Enterprise Micro 5.1 (src): sudo-1.9.5p2-150300.3.33.1
SUSE Linux Enterprise Micro 5.2 (src): sudo-1.9.5p2-150300.3.33.1
SUSE Linux Enterprise Micro for Rancher 5.2 (src): sudo-1.9.5p2-150300.3.33.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 23 Steven Moring 2024-04-04 17:51:03 UTC

My customer, General Motors, reports that this fix: sudo-1.8.27-4.45.1 breaks things in their sudo.

Customer states the following:
In this most recent patch release which we are deploying where the sudo package was upgraded from sudo-1.8.27-4.38.1.x86_64 to sudo-1.8.27-4.45.1.x86_64, I’ve noticed a behavior change with sudo. It seems like something is invalidating or ignoring my previously working sudoers rule and I cant see what has changed or an error being logged that is causing this to happen. For example, I have a sudoers file that contains this:
 
lsfnahpc        ALL = NOPASSWD: /sbin/shutdown,/db1/adm/RBP/zypper_security_patch.sh,/db1/adm/RBP/zypper_security_patch_TEST.sh
 
Here is an example transaction. With 1.8.27-4.45.1, my sudo command will ask for a password even though I have specified NOPASSWD:
 
--
dcwipphpc0286:~ # rpm -q sudo
sudo-1.8.27-4.45.1.x86_64
dcwipphpc0286:~ # su - lsfnahpc
lsfnahpc@dcwipphpc0286:/home/lsfnahpc> sudo -u root /sbin/shutdown -c
 
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
 
    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.
 
[sudo] password for lsfnahpc:
lsfnahpc@dcwipphpc0286:/home/lsfnahpc>
--
 
 
If I downgrade the sudo package, and no other changes, it works as expected:
 
--
dcwipphpc0286:~ # zypper -n in --oldpackage sudo=1.8.27-4.38.1
Loading repository data...
Reading installed packages...
Resolving package dependencies...
 
The following package is going to be downgraded:
  sudo
 
The following package has no support information from it's vendor:
  sudo
 
1 package to downgrade.
Overall download size: 826.6 KiB. Already cached: 0 B. No additional space will
be used or freed after the operation.
Continue? [y/n/...? shows all options] (y): y
Retrieving package sudo-1.8.27-4.38.1.x86_64
                                           (1/1), 826.6 KiB (  3.2 MiB unpacked)
Retrieving: sudo-1.8.27-4.38.1.x86_64.rpm ................................[done]
 
Checking for file conflicts: .............................................[done]
(1/1) Installing: sudo-1.8.27-4.38.1.x86_64 ..............................[done]
dcwipphpc0286:~ # su - lsfnahpc
lsfnahpc@dcwipphpc0286:/home/lsfnahpc> sudo -u root /sbin/shutdown -c
lsfnahpc@dcwipphpc0286:/home/lsfnahpc>
 
If I run “visudo -c” I do not get any errors of invalid syntax.  I am wondering if there is something more strict that is required for the new sudo, or maybe the release notes of the new version will indicate what is required. Or on the other hand, maybe it is a bug.  I’ve not seen any recent changes to sudo on the SLES 15 front, so that side appears to be working fine.
 
 Let me know what other details you need and thanks in advance for the help!
 

Any ideas on why this behavior might be observed?