Bug 1159616 - (CVE-2019-19234) VUL-0: CVE-2019-19234: sudo: In Sudo through 1.8.29, the fact that a user has been blocked (e.g., by using the ! character in the shadow file instead of a password hash) is not considered, allowing an attacker (who has access to a Runas ALL
Status: RESOLVED INVALID
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium, Severity: Major
Assigned To: Kristyna Streitova
Security Team bot
https://smash.suse.de/issue/249584/
CVSSv2:NVD:CVE-2019-19234:5.0:(AV:N/...
Reported: 2019-12-20 07:24 UTC by Marcus Meissner
Modified: 2020-05-12 18:45 UTC (History)
Found By: Security Response Team


Description Marcus Meissner 2019-12-20 07:24:28 UTC
CVE-2019-19234

In Sudo through 1.8.29, the fact that a user has been blocked (e.g., by using
the ! character in the shadow file instead of a password hash) is not
considered, allowing an attacker (who has access to a Runas ALL sudoer account)
to impersonate any blocked user.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-19234
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19234
https://www.sudo.ws/stable.html
https://www.sudo.ws/devel.html#1.8.30b2
Comment 1 Marcus Meissner 2019-12-20 07:27:17 UTC
but if he has Runas ALL, could he not just become root and then use "su user"?
Comment 2 giorgio oppo 2019-12-31 12:16:39 UTC
(In reply to Marcus Meissner from comment #1)
> but if he has Runas ALL, could he not just become root and then use "su
> user"?
If there was a Black List policy, the vulnerability would remain. 
Ex. (ALL,!root)
Comment 3 Kristyna Streitova 2020-02-06 18:57:28 UTC
This issue is marked as disputed [1]:

"** DISPUTED ** In Sudo through 1.8.29, the fact that a user has been blocked (e.g., by using the ! character in the shadow file instead of a password hash) is not considered, allowing an attacker (who has access to a Runas ALL sudoer account) to impersonate any blocked user. NOTE: The software maintainer believes that this CVE is not valid. Disabling local password authentication for a user is not the same as disabling all access to that user--the user may still be able to login via other means (ssh key, kerberos, etc). Both the Linux shadow(5) and passwd(1) manuals are clear on this. Indeed it is a valid use case to have local accounts that are _only_ accessible via sudo and that cannot be logged into with a password. Sudo 1.8.30 added an optional setting to check the _shell_ of the target user (not the encrypted password!) against the contents of /etc/shells but that is not the same thing as preventing access to users with an invalid password hash."


The only relevant upstream commit is [2], which adds the runas_check_shell flag to require a runas user to have a valid shell. It's not enabled by default though. Also, the patch is quite extensive, so backporting would probably be problematic.

How do we want to treat this issue?


[1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19234
[2] https://www.sudo.ws/repos/sudo/rev/ed6db31729cd
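
An added example (not from the bug report or the sudo project) illustrating the distinction drawn in comment 3: a locked password field in the shadow file and the shell test behind runas_check_shell are independent properties of an account. The passwd, shadow and shells contents are constructed, the function names are hypothetical, and the shell test is a simplified model of the flag.

```python
# Added illustration. All file contents below are constructed samples.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
deploy:x:1001:1001::/srv/deploy:/bin/bash
olduser:x:1002:1002::/home/olduser:/usr/sbin/nologin
bin:x:1:1:bin:/bin:/usr/sbin/nologin
"""
SHADOW = """\
root:$6$constructed$hash:18000:0:99999:7:::
alice:$6$constructed$hash:18000:0:99999:7:::
deploy:!:18000:0:99999:7:::
olduser:!$6$constructed$hash:18000:0:99999:7:::
bin:*:18000:0:99999:7:::
"""
SHELLS = "# valid login shells\n/bin/sh\n/bin/bash\n"

def parse_shells(text):
    """Return the shell paths listed in an /etc/shells-style file."""
    lines = (l.strip() for l in text.splitlines())
    return {l for l in lines if l and not l.startswith("#")}

def password_locked(field):
    """True if the shadow password field cannot match any password (! or * prefix)."""
    return field.startswith(("!", "*"))

def audit(passwd, shadow, shells):
    """Map each account to its password-lock state and its shell validity."""
    valid = parse_shells(shells)
    hashes = dict(l.split(":")[:2] for l in shadow.splitlines() if l)
    report = {}
    for line in filter(None, passwd.splitlines()):
        fields = line.split(":")
        name, shell = fields[0], fields[6]
        report[name] = {
            "password_locked": password_locked(hashes.get(name, "*")),
            # Simplified model of runas_check_shell: shell must be in /etc/shells.
            "refused_by_runas_check_shell": shell not in valid,
        }
    return report

def locked_but_allowed(report):
    """Accounts with a locked password that the shell check would still permit."""
    return sorted(n for n, r in report.items()
                  if r["password_locked"] and not r["refused_by_runas_check_shell"])

if __name__ == "__main__":
    rep = audit(PASSWD, SHADOW, SHELLS)
    for name, row in rep.items():
        print(f"{name:8} {row}")
    print("locked, still valid Runas targets:", locked_but_allowed(rep))
```

In the constructed data, `deploy` has a locked password but a listed shell, so it remains a permitted Runas target even with the flag enabled, while `olduser` and `bin` are refused only because of their shell.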
Comment 4 Marcus Meissner 2020-02-07 13:05:06 UTC
Similar to sudo upstream we currently do not consider it as a security issue
and are not planning to fix it.