Bug 1153674 - (CVE-2019-14287) VUL-0: CVE-2019-14287: sudo: -1 uid issue
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Major
Target Milestone: ---
Assigned To: Security Team bot
https://smash.suse.de/issue/244734/
CVSSv3:SUSE:CVE-2019-14287:7.0:(AV:L/...
Depends on:
Blocks: 1154901
Reported: 2019-10-11 07:07 UTC by Alexander Bergmann
Modified: 2019-11-08 07:31 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Comment 5 Vítězslav Čížek 2019-10-11 12:46:02 UTC
Basically the only way to exploit this issue is when sudoers contains an entry like

  sudotest ALL = (ALL, !root) NOPASSWD: /usr/bin/whatever

The user sudotest will be able to use the uid #-1 trick to launch /usr/bin/whatever as root. The other cases are covered by various sudo checks.
I guess this setting is quite uncommon.

Our default installation actually limits this even more.

We set the targetpw Defaults option, which means that the user needs to enter the password of the user under whom the command will be run, instead of their own.
As a consequence of that, the user can't supply a non-existing uid, as it has to exist in the password database for the password check.

> sudo -u '#-1' id
[sudo] password for #-1: 
sudo: PAM authentication error: User not known to the underlying authentication module

The administrator would have to add NOPASSWD to make the bug exploitable, such as

  sudotest ALL = (ALL, !root) NOPASSWD: /usr/bin/id

In this case, the password verification is skipped entirely and the trick with passing -1 as uid will work.

With targetpw turned off, passing -1 as uid works (even without NOPASSWD) on all our supported distributions.

> sudo -u '#-1' id
uid=0(root) gid=100(users) egid=0(root) groups=16(dialout),33(video),100(users)
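An added example, not part of the bug report and not sudo's own code: a small C check that applies the conditions from the comment above to sudoers entries. It flags entries whose Runas list starts with ALL and also excludes root, the only shape the -1 trick can bypass, and treats the SUSE targetpw default as blocking unless the entry carries NOPASSWD. The sudoers lines in main() are constructed for the example; only literal "!root" / "!#0" exclusions are recognised, so an exclusion via a User_Alias would need manual review.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum runas_risk {
    RISK_NONE = 0,         /* not reachable by the -1 trick, or root already permitted */
    RISK_PW_BLOCKS = 1,    /* bypassable shape, but "Defaults targetpw" demands a password
                              for uid -1, which cannot be authenticated */
    RISK_EXPLOITABLE = 2   /* bypassable shape and no password check in the way */
};

/* Trim surrounding whitespace in place and return the start of the token. */
static char *trim(char *s)
{
    while (isspace((unsigned char)*s)) s++;
    size_t len = strlen(s);
    while (len > 0 && isspace((unsigned char)s[len - 1])) s[--len] = '\0';
    return s;
}

/* Classify one sudoers line.  targetpw is 1 when "Defaults targetpw" is in effect
 * (the SUSE default described in the comment).  Only literal "!root" / "!#0"
 * exclusions are recognised; User_Alias exclusions are not resolved (assumption). */
enum runas_risk classify_sudoers_line(const char *line, int targetpw)
{
    const char *p = line;
    while (isspace((unsigned char)*p)) p++;
    if (*p == '#' || *p == '\0')
        return RISK_NONE;                       /* comment or blank line */

    const char *open = strchr(p, '(');
    const char *close = open ? strchr(open, ')') : NULL;
    if (!open || !close)
        return RISK_NONE;                       /* no Runas spec: root only, no -1 path */

    /* Copy the Runas user list; a group list after ':' does not matter here. */
    char spec[256];
    size_t n = (size_t)(close - open - 1);
    if (n >= sizeof spec) n = sizeof spec - 1;
    memcpy(spec, open + 1, n);
    spec[n] = '\0';
    char *colon = strchr(spec, ':');
    if (colon) *colon = '\0';

    int first = 1, all_first = 0, root_excluded = 0;
    for (char *tok = strtok(spec, ","); tok; tok = strtok(NULL, ",")) {
        tok = trim(tok);
        if (first && strcmp(tok, "ALL") == 0) all_first = 1;
        if (strcmp(tok, "!root") == 0 || strcmp(tok, "!#0") == 0) root_excluded = 1;
        first = 0;
    }
    /* "-1" only buys something when ALL is first AND root was meant to be excluded;
     * a plain (ALL) already allows root, so the trick changes only the log entry. */
    if (!all_first || !root_excluded)
        return RISK_NONE;

    int nopasswd = strstr(close, "NOPASSWD:") != NULL;
    return (targetpw && !nopasswd) ? RISK_PW_BLOCKS : RISK_EXPLOITABLE;
}

int main(void)
{
    /* Constructed sample entries, modelled on the ones discussed in the comment. */
    const char *samples[] = {
        "sudotest ALL = (ALL, !root) NOPASSWD: /usr/bin/whatever",
        "sudotest ALL = (ALL, !root) /usr/bin/id",
        "alice    ALL = (ALL) /usr/bin/id",
        "carol    ALL = (www, !root) /usr/bin/id",
        "dave     ALL = /usr/bin/id",
    };
    static const char *names[] = { "none", "blocked by targetpw", "EXPLOITABLE" };
    for (int targetpw = 1; targetpw >= 0; targetpw--) {
        printf("Defaults targetpw %s:\n", targetpw ? "on (SUSE default)" : "off");
        for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
            printf("  %-58s %s\n", samples[i],
                   names[classify_sudoers_line(samples[i], targetpw)]);
    }
    return 0;
}
```

Run it against the real file with `sudo cat /etc/sudoers` piped through a loop if you adapt main(); the classifier deliberately ignores the command path, because any command run as uid 0 is already the policy violation.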
Comment 9 Alexandros Toptsoglou 2019-10-14 14:50:30 UTC
Now public through https://www.sudo.ws/alerts/minus_1_uid.html

Release Date:
October 14, 2019
Summary:
When sudo is configured to allow a user to run commands as an arbitrary user via the ALL keyword in a Runas specification, it is possible to run commands as root by specifying the user ID -1 or 4294967295.

This can be used by a user with sufficient sudo privileges to run commands as root even if the Runas specification explicitly disallows root access as long as the ALL keyword is listed first in the Runas specification.

Log entries for commands run this way will list the target user as 4294967295 instead of root. In addition, PAM session modules will not be run for the command.
Sudo versions affected:
Sudo versions prior to 1.8.28 are affected.
CVE ID:
This vulnerability has been assigned CVE-2019-14287 in the Common Vulnerabilities and Exposures database.
Details:
Exploiting the bug requires that the user have sudo privileges that allow them to run commands with an arbitrary user ID. Typically, this means that the user's sudoers entry has the special value ALL in the Runas specifier.

Sudo supports running a command with a user-specified user name or user ID, if permitted by the sudoers policy. For example, the following sudoers entry allows the id command to be run as any user because it includes the ALL keyword in the Runas specifier.

    myhost alice = (ALL) /usr/bin/id

Not only is the user able to run the id command as any valid user, she is also able to run it as an arbitrary user ID by using the #uid syntax, for example:

    sudo -u#1234 id -u

would return 1234. However, the setresuid(2) and setreuid(2) system calls, which sudo uses to change the user ID before running the command, treat user ID -1 (or its unsigned equivalent 4294967295) specially and do not change the user ID for this value. As a result,

    sudo -u#-1 id -u

or

    sudo -u#4294967295 id -u

will actually return 0. This is because the sudo command itself is already running as user ID 0 so when sudo tries to change to user ID -1, no change occurs.

This results in sudo log entries that report the command as being run by user ID 4294967295 and not root (or user ID 0). Additionally, because the user ID specified via the -u option does not exist in the password database, no PAM session modules will be run.

If a sudoers entry is written to allow the user to run a command as any user except root, the bug can be used to avoid this restriction. For example, given the following sudoers entry:

    myhost bob = (ALL, !root) /usr/bin/vi

User bob is allowed to run vi as any user but root. However, due to the bug, bob is actually able to run vi as root by running sudo -u#-1 vi, violating the security policy.

Only sudoers entries where the ALL keyword is present in the Runas specifier are affected. For example, the following sudoers entry is unaffected:

    myhost alice = /usr/bin/id

In this example, alice is only allowed to run the id command as root. Any attempt to run the command as a different user will be denied.
Fix:
The bug is fixed in sudo 1.8.28.
Credit:
Joe Vennix from Apple Information Security found and analyzed the bug.
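As an added example (not sudo's own code), here are the two halves of the advisory's explanation in C: a simplified model of the pre-1.8.28 numeric Runas parsing, in which "#-1" silently becomes (uid_t)-1, and a hardened parser that rejects -1 and 4294967295 in the spirit of the 1.8.28 fix (the check is my reconstruction of that fix, not sudo's actual code), plus a call to setreuid(2) showing that an ID of -1 is a no-op even for an unprivileged process. Function names are my own; it assumes a Linux system where uid_t is a 32-bit unsigned type.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Shared digit parsing for a "#<number>" Runas spec.  Returns 0 on success and
 * stores the signed value; -1 if the spec is not purely numeric. */
static int parse_hash_number(const char *spec, long long *out)
{
    if (spec == NULL || spec[0] != '#')
        return -1;
    char *end;
    errno = 0;
    long long v = strtoll(spec + 1, &end, 10);
    if (errno != 0 || end == spec + 1 || *end != '\0')
        return -1;
    *out = v;
    return 0;
}

/* Simplified model of the pre-1.8.28 behaviour: the number is cast straight to
 * uid_t, so "#-1" becomes (uid_t)-1 == 4294967295, the very value that
 * setreuid(2)/setresuid(2) interpret as "leave this ID unchanged".  Note that
 * (uid_t)-1 doubles as this function's error value: the same ambiguity that
 * made the bug possible. */
uid_t parse_runas_uid_legacy(const char *spec)
{
    long long v;
    if (parse_hash_number(spec, &v) != 0)
        return (uid_t)-1;
    return (uid_t)v;
}

/* Hardened parser modelled on the 1.8.28 fix (my reconstruction, not sudo's
 * code): negative values and anything at or above (uid_t)-1 are rejected, so
 * both "#-1" and "#4294967295" fail before any privilege change happens. */
int parse_runas_uid_fixed(const char *spec, uid_t *out)
{
    long long v;
    if (parse_hash_number(spec, &v) != 0)
        return -1;
    if (v < 0 || v >= (long long)(uid_t)-1)
        return -1;
    *out = (uid_t)v;
    return 0;
}

/* Convenience wrapper: the accepted uid, or -1 when the fixed parser rejects. */
long long fixed_result(const char *spec)
{
    uid_t u;
    return parse_runas_uid_fixed(spec, &u) == 0 ? (long long)u : -1LL;
}

/* Kernel side of the bug: setreuid() with -1 for both IDs succeeds and changes
 * nothing.  Works unprivileged; when sudo does it as uid 0, uid 0 is what stays. */
int setreuid_minus_one_is_noop(void)
{
    uid_t before_r = getuid(), before_e = geteuid();
    uid_t target = parse_runas_uid_legacy("#-1");   /* 4294967295 */
    int rc = setreuid(target, target);
    return rc == 0 && getuid() == before_r && geteuid() == before_e;
}

int main(void)
{
    const char *specs[] = { "#-1", "#4294967295", "#1234", "#0" };
    for (size_t i = 0; i < sizeof specs / sizeof specs[0]; i++) {
        long long fixed = fixed_result(specs[i]);
        printf("%-12s legacy -> %u, fixed -> %s\n", specs[i],
               (unsigned)parse_runas_uid_legacy(specs[i]),
               fixed < 0 ? "rejected" : "accepted");
    }
    printf("setreuid(-1, -1) left the process IDs unchanged: %s\n",
           setreuid_minus_one_is_noop() ? "yes" : "no");
    return 0;
}
```

The second half is the part worth running as a non-root user: setreuid() reports success while your uid stays the same, which is exactly why the advisory says the command "will actually return 0" when sudo performs the same call from uid 0.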
Comment 11 Swamp Workflow Management 2019-10-14 19:53:58 UTC
SUSE-SU-2019:2656-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1153674
CVE References: CVE-2019-14287
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    sudo-1.8.22-4.6.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    sudo-1.8.22-4.6.1
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    sudo-1.8.22-4.6.1
SUSE Linux Enterprise Module for Basesystem 15 (src):    sudo-1.8.22-4.6.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 12 Swamp Workflow Management 2019-10-15 10:11:16 UTC
openSUSE-SU-2019:2316-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1153674
CVE References: CVE-2019-14287
Sources used:
openSUSE Leap 15.1 (src):    sudo-1.8.22-lp151.5.3.1
Comment 16 Swamp Workflow Management 2019-10-15 16:13:56 UTC
SUSE-SU-2019:2666-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1153674
CVE References: CVE-2019-14287
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src):    sudo-1.8.20p2-3.14.1
SUSE OpenStack Cloud 8 (src):    sudo-1.8.20p2-3.14.1
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    sudo-1.8.20p2-3.14.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    sudo-1.8.20p2-3.14.1
SUSE Linux Enterprise Server 12-SP4 (src):    sudo-1.8.20p2-3.14.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    sudo-1.8.20p2-3.14.1
SUSE Linux Enterprise Server 12-SP3-BCL (src):    sudo-1.8.20p2-3.14.1
SUSE Linux Enterprise Desktop 12-SP4 (src):    sudo-1.8.20p2-3.14.1
SUSE Enterprise Storage 5 (src):    sudo-1.8.20p2-3.14.1
SUSE CaaS Platform 3.0 (src):    sudo-1.8.20p2-3.14.1
HPE Helion Openstack 8 (src):    sudo-1.8.20p2-3.14.1

Comment 17 Swamp Workflow Management 2019-10-15 16:21:38 UTC
SUSE-SU-2019:2668-1: An update that solves one vulnerability and has three fixes is now available.

Category: security (important)
Bug References: 1053911,1058297,1068003,1153674
CVE References: CVE-2019-14287
Sources used:
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    sudo-1.8.10p3-2.28.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    sudo-1.8.10p3-2.28.1

Comment 18 Swamp Workflow Management 2019-10-15 16:22:38 UTC
SUSE-SU-2019:2667-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1153674
CVE References: CVE-2019-14287
Sources used:
SUSE OpenStack Cloud 7 (src):    sudo-1.8.10p3-10.23.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    sudo-1.8.10p3-10.23.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    sudo-1.8.10p3-10.23.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    sudo-1.8.10p3-10.23.1
SUSE Enterprise Storage 4 (src):    sudo-1.8.10p3-10.23.1

Comment 19 Swamp Workflow Management 2019-10-16 11:15:34 UTC
An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2019-10-23.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/64387
Comment 20 Swamp Workflow Management 2019-10-17 13:11:00 UTC
openSUSE-SU-2019:2333-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1153674
CVE References: CVE-2019-14287
Sources used:
openSUSE Leap 15.0 (src):    sudo-1.8.22-lp150.8.1
Comment 22 Swamp Workflow Management 2019-10-18 19:22:09 UTC
SUSE-SU-2019:14193-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1153674
CVE References: CVE-2019-14287
Sources used:
SUSE Linux Enterprise Server 11-SP4-LTSS (src):    sudo-1.7.6p2-0.30.5.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    sudo-1.7.6p2-0.30.5.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    sudo-1.7.6p2-0.30.5.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    sudo-1.7.6p2-0.30.5.1

Comment 23 Marcus Meissner 2019-11-02 19:06:55 UTC
released