Bug 866503 - (CVE-2014-0106) VUL-1: CVE-2014-0106: sudo: flaw without env_reset in older versions
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P4 - Low, Severity: Normal
Assigned To: Vítězslav Čížek
maint:running:56677:important maint:...
Reported: 2014-03-03 10:19 UTC by Marcus Meissner
Modified: 2014-09-01 11:21 UTC (History)
Comment 1 SMASH SMASH 2014-03-03 12:15:12 UTC
Affected packages:

SLE-11-SP3: sudo
SLE-10-SP3-TERADATA: sudo
SLE-11-SP2: sudo
Comment 2 Swamp Workflow Management 2014-03-03 23:00:27 UTC
bugbot adjusting priority
Comment 3 Marcus Meissner 2014-03-06 06:24:01 UTC
public via oss-sec

From: "Todd C. Miller" <Todd.Miller@courtesan.com>
To: oss-security@lists.openwall.com
Date: Wed, 05 Mar 2014 20:29:10 -0700
Subject: [oss-security] sudo: security policy bypass when env_reset is disabled

Summary:
    If the env_reset option is disabled in the sudoers file, a
    malicious user with sudo permissions may be able to run arbitrary
    commands with elevated privileges by manipulating the environment
    of a command the user is legitimately allowed to run.

Sudo versions affected:
    Sudo 1.6.9 through 1.8.4p5 inclusive.  Sudo 1.8.5 and higher
    are not affected.

CVE ID:
    This vulnerability has been assigned CVE-2014-0106 in the Common
    Vulnerabilities and Exposures database.

Details:
    Sudo has two methods of constructing the environment that the
    command run by it will use.  The default method (since sudo
    1.6.9) is to execute the command with a new, minimal environment.
    The new environment contains the TERM, PATH, HOME, MAIL, SHELL,
    LOGNAME, USER, USERNAME, SUDO_COMMAND, SUDO_USER, SUDO_UID and
    SUDO_GID variables in addition to variables from the invoking
    process permitted by the env_check and env_keep options.  This
    is effectively a whitelist for environment variables.

    If, however, the env_reset option is disabled, any variables
    not explicitly denied by the env_check and env_delete options
    are inherited from the invoking process.  In this case, env_check
    and env_delete behave like a blacklist.  Since it is not possible
    to blacklist all potentially dangerous environment variables,
    use of the default env_reset behavior is encouraged.

    Beginning with sudo 1.6.9, it is also possible to specify extra
    environment variables on the command line.  These variables are
    supposed to be subject to the same restrictions as the invoking
    user's environment, unless the user is allowed to set arbitrary
    variables either via the SETENV attribute or by virtue of having
    sudo "ALL".

    Due to a logic bug in the validate_env_vars() function, if the
    env_reset option is disabled, environment variables specified
    on the command line are permitted when they should not be (and
    vice versa).  This can be used by a malicious user to run
    arbitrary programs by manipulating the environment of a command
    the user is legitimately allowed to run.  For example, on many
    systems the LD_PRELOAD environment variable is used to load a
    dynamic shared object before any shared libraries are loaded.
    By either replacing a library function called by the program,
    or by including an _init() function in the shared object, the
    user can execute arbitrary commands with elevated privileges.

    The code that contains the bug was rewritten for sudo 1.8.5,
    which does not suffer from the same security issue.

Impact:
    For sudo versions prior to 1.8.5, if the env_reset option is
    explicitly disabled in the sudoers file, a malicious user with
    sudo permissions may be able to run arbitrary commands with
    elevated privileges.  There is no impact for sudo 1.8.5 and
    higher, or when the sudoers file does not disable env_reset.

Fix:
    A fix for the sudo 1.7.x branch is included in sudo 1.7.10p8.
    The actual fix is a single line change to env.c:
        http://www.sudo.ws/repos/sudo/rev/748cefb49422
    Sudo versions 1.8.5 and higher are not vulnerable.

Workaround:
    Only systems with sudoers files that explicitly disable env_reset
    are affected.  As such, a simple workaround is to simply not
    disable env_reset, which is the default behavior.

Credit:
    I'd like to thank Sebastien Macke for reporting this bug and
    providing a fix.
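The two environment-construction modes, the command-line variable check whose result the advisory says is inverted, and the sudoers condition that makes the bug reachable, modelled in Python as an added example. This is not code from sudo, the advisory or the SUSE package: env.c was not copied, the keep/check/delete tables, the version-range helper and the sudoers text are constructed assumptions, and the rule that env_check variables must contain no '/' or '%' is taken from the sudoers manual rather than from this page.

```python
"""Model of sudo's env_reset (whitelist) vs. !env_reset (blacklist) handling
and of the command-line variable check described for CVE-2014-0106.
Added example, not sudo's own code; tables and sudoers text are constructed."""
import fnmatch
import re

# Variables sudo always sets in a reset environment (list from the advisory).
ALWAYS_SET = ("TERM", "PATH", "HOME", "MAIL", "SHELL", "LOGNAME", "USER",
              "USERNAME", "SUDO_COMMAND", "SUDO_USER", "SUDO_UID", "SUDO_GID")

# Constructed sample tables (assumption: sudo's compiled-in defaults differ).
SAMPLE_KEEP = ("LANG", "LC_*", "DISPLAY")
SAMPLE_CHECK = ("COLORTERM", "TZ")
SAMPLE_DELETE = ("LD_*", "IFS", "CDPATH")


def _matches(name, patterns):
    return any(fnmatch.fnmatchcase(name, p) for p in patterns)


def _check_ok(value):
    # env_check variables survive only if the value has no '/' or '%' (sudoers(5)).
    return "/" not in value and "%" not in value


def _inherited_ok(name, value, env_reset, keep, check, delete):
    """Would VAR=value from the invoking process survive under this mode?"""
    if env_reset:
        # Whitelist: only env_keep matches and clean env_check matches pass.
        return _matches(name, keep) or (_matches(name, check) and _check_ok(value))
    # Blacklist: everything passes unless env_delete matches or env_check fails.
    if _matches(name, delete):
        return False
    return not (_matches(name, check) and not _check_ok(value))


def build_env(invoking_env, fixed, env_reset=True,
              keep=SAMPLE_KEEP, check=SAMPLE_CHECK, delete=SAMPLE_DELETE):
    """Environment the command receives; `fixed` holds the values sudo itself
    computes for ALWAYS_SET (model: SUDO_* are set in both modes)."""
    env = {k: fixed[k] for k in ALWAYS_SET if k in fixed} if env_reset else {}
    for name, value in invoking_env.items():
        if _inherited_ok(name, value, env_reset, keep, check, delete):
            env[name] = value
    if not env_reset:
        env.update({k: v for k, v in fixed.items() if k.startswith("SUDO_")})
    return env


def cmdline_var_ok(name, value, env_reset, setenv=False, buggy=False,
                   keep=SAMPLE_KEEP, check=SAMPLE_CHECK, delete=SAMPLE_DELETE):
    """Accept/reject VAR=value given on the sudo command line.  Same test as
    for inherited variables unless the user has SETENV or 'ALL'.  buggy=True
    models the advisory's logic error (result inverted while env_reset is
    disabled); it is not the real validate_env_vars()."""
    if setenv:
        return True
    ok = _inherited_ok(name, value, env_reset, keep, check, delete)
    return (not ok) if (buggy and not env_reset) else ok


_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:p(\d+))?$")


def upstream_version_affected(version):
    """True for upstream 1.6.9 .. 1.8.4p5, minus the fixed 1.7.10p8 and later
    1.7.x.  Distributions backport (SUSE fixed it in sudo-1.7.6p2-0.21.1),
    so the upstream number alone is not proof for a packaged sudo."""
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError("unrecognised sudo version: %r" % version)
    v = tuple(int(x or 0) for x in m.groups())
    if not ((1, 6, 9, 0) <= v < (1, 8, 5, 0)):
        return False
    return not ((1, 7, 10, 8) <= v < (1, 8, 0, 0))


_DEFAULTS_RE = re.compile(r"^Defaults(?:[:@>!]\S+)?\s+(?P<body>.+)$")


def env_reset_disabled_at(sudoers_text):
    """Line numbers of Defaults entries that explicitly turn env_reset off."""
    hits = []
    for lineno, raw in enumerate(sudoers_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()        # '#' starts a comment
        m = _DEFAULTS_RE.match(line)
        if m and any(re.fullmatch(r"!\s*env_reset", item.strip())
                     for item in m.group("body").split(",")):
            hits.append(lineno)
    return hits


# Constructed sudoers samples: the first makes the bug reachable, the second
# is the same policy with env_reset left at its (safe) default.
VULNERABLE_SUDOERS = """\
# /etc/sudoers (constructed sample)
Defaults    !env_reset, env_delete += "LD_PRELOAD"
alice       ALL = (root) /usr/bin/systemctl
"""
HARDENED_SUDOERS = """\
Defaults    env_reset
Defaults    env_keep += "LANG LC_*"
alice       ALL = (root) /usr/bin/systemctl
"""


def demo():
    """Scenarios from the advisory, with constructed inputs."""
    fixed = {"PATH": "/usr/bin:/bin", "SUDO_USER": "alice", "SUDO_UID": "1000"}
    inherited = {"LANG": "C", "LD_PRELOAD": "/tmp/evil.so", "TZ": "UTC"}
    return {
        # inherited LD_PRELOAD is dropped in both modes (env_delete covers it) ...
        "reset_env": build_env(inherited, fixed, env_reset=True),
        "noreset_env": build_env(inherited, fixed, env_reset=False),
        # ... but with env_reset off the buggy check admits it from the command line
        "cmdline_fixed": cmdline_var_ok("LD_PRELOAD", "/tmp/evil.so", env_reset=False),
        "cmdline_buggy": cmdline_var_ok("LD_PRELOAD", "/tmp/evil.so", env_reset=False, buggy=True),
        # and, the "vice versa" case, rejects a variable that should pass
        "lang_buggy": cmdline_var_ok("LANG", "C", env_reset=False, buggy=True),
        "sudoers_hits": env_reset_disabled_at(VULNERABLE_SUDOERS),
        "hardened_hits": env_reset_disabled_at(HARDENED_SUDOERS),
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print("%-14s %r" % (key, val))
```

On a real host, feed the contents of /etc/sudoers (and anything it includes) to env_reset_disabled_at and the version from `sudo -V` to upstream_version_affected; only the combination of an affected upstream version without a vendor backport and a hit from the sudoers check means the bug is reachable, which is exactly the condition the advisory's Impact and Workaround sections describe.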
Comment 4 Vítězslav Čížek 2014-03-06 15:13:06 UTC
Nothing to be done for openSUSE, both 12.3 and 13.1 ship sudo > 1.8.5.

Regarding SLE,
our sudo packages default to "env_reset" so this bug shouldn't be much of a problem anyway. But I guess you know that already.
Comment 5 Marcus Meissner 2014-03-06 15:40:21 UTC
Yes, I would keep it on the planned update list and not start an update right now.
Comment 10 Swamp Workflow Management 2014-04-03 11:04:20 UTC
Update released for: sudo, sudo-debuginfo, sudo-debugsource
Products:
SLE-DEBUGINFO 11-SP1-TERADATA (x86_64)
SLE-SERVER 11-SP1-TERADATA (x86_64)
Comment 11 Swamp Workflow Management 2014-04-03 14:10:33 UTC
Update released for: sudo, sudo-debuginfo, sudo-debugsource
Products:
SLE-DEBUGINFO 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLE-DESKTOP 11-SP3 (i386, x86_64)
SLE-SERVER 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLES4VMWARE 11-SP3 (i386, x86_64)
Comment 12 Swamp Workflow Management 2014-04-03 18:04:36 UTC
SUSE-SU-2014:0475-1: An update that solves one vulnerability and has two fixes is now available.

Category: security (important)
Bug References: 863025,866503,868444
CVE References: CVE-2014-0106
Sources used:
SUSE Linux Enterprise Server 11 SP3 for VMware (src):    sudo-1.7.6p2-0.21.1
SUSE Linux Enterprise Server 11 SP3 (src):    sudo-1.7.6p2-0.21.1
SUSE Linux Enterprise Desktop 11 SP3 (src):    sudo-1.7.6p2-0.21.1
Comment 13 Swamp Workflow Management 2014-05-31 08:04:23 UTC
openSUSE-SU-2014:0737-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 866503
CVE References: CVE-2014-0106
Sources used:
openSUSE 11.4 (src):    sudo-1.7.6p2-0.23.1
Comment 14 Marcus Meissner 2014-09-01 11:21:57 UTC
Seems released.