CVE-2019-14287

Published: 17/10/2019 Updated: 23/10/2019
CVSS v2 Base Score: 9 | Impact Score: 10 | Exploitability Score: 8
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C

Vulnerability Summary

In Sudo prior to 1.8.28, an attacker with access to a Runas ALL sudoer account can bypass certain policy blacklists and session PAM modules, and can cause incorrect logging, by invoking sudo with a crafted user ID. For example, this allows bypass of !root configuration, and USER= logging, for a "sudo -u \#$((0xffffffff))" command.
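The exposed configuration is a Runas list that grants ALL but negates specific users (the "!root" case above). As an added example, not part of this record or of the sudo project's code, the following audit script flags such entries in a sudoers file when the upstream sudo version is older than 1.8.28. The sudoers content is constructed for the demo, and the version check is a heuristic: distributions that backport the fix keep an older version string, so their packaging advisory is the authoritative source.

```python
import re

# Constructed sample sudoers content for the demo (not from any real host).
SAMPLE_SUDOERS = """\
# User privilege specification
root    ALL=(ALL:ALL) ALL
alice   ALL=(ALL, !root) /usr/bin/vi
bob     ALL=(ALL) NOPASSWD: ALL
carol   ALL=(www-data) /usr/bin/id
"""

FIXED_VERSION = (1, 8, 28)  # upstream release that rejects uid -1 / 4294967295

# user  host=(runas_users[:runas_groups]) [tags:] command
SPEC_RE = re.compile(r'^(?P<user>\S+)\s+(?P<host>\S+)=\((?P<runas>[^)]*)\)\s*(?P<cmd>.*)$')

def parse_version(version):
    """'1.8.27p1' -> (1, 8, 27, 1); only digit groups are compared."""
    return tuple(int(x) for x in re.findall(r'\d+', version))

def is_fixed(version):
    return parse_version(version) >= FIXED_VERSION

def runas_exposed(runas_spec):
    """Return (exposed, excluded): exposed is True when the Runas user list
    contains ALL together with one or more negated users such as !root."""
    users = runas_spec.split(':', 1)[0]            # drop the group part
    entries = [e.strip() for e in users.split(',') if e.strip()]
    excluded = [e[1:] for e in entries if e.startswith('!')]
    return ('ALL' in entries and bool(excluded)), excluded

def audit(sudoers_text, sudo_version):
    """List (line number, user, excluded runas users) for entries that the
    crafted-uid bypass affects on a sudo older than 1.8.28."""
    findings = []
    if is_fixed(sudo_version):
        return findings
    for lineno, raw in enumerate(sudoers_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):       # comment or blank line
            continue
        m = SPEC_RE.match(line)
        if m is None:
            continue
        exposed, excluded = runas_exposed(m['runas'])
        if exposed:
            findings.append((lineno, m['user'], excluded))
    return findings

if __name__ == '__main__':
    for lineno, user, excluded in audit(SAMPLE_SUDOERS, '1.8.27'):
        print(f"line {lineno}: {user} may run as ALL except {excluded}; "
              f"update sudo to 1.8.28 or a backported package")
```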

Affected Products

Vendor        | Product                          | Versions
Netapp        | Element Software Management Node | -
Sudo Project  | Sudo                             | 1.3.0, 1.3.1, 1.4.0, 1.5.0, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.5.6, 1.5.7, 1.5.8, 1.5.9, 1.6.0, 1.6.1, 1.6.2, 1.6.3, 1.6.4, 1.6.5, 1.6.6, 1.6.7, 1.6.8, 1.7.0, 1.7.1, 1.7.2, 1.7.3, 1.7.4, 1.7.5, 1.7.6, 1.7.7, 1.7.8, 1.7.9, 1.7.10, 1.8.0, 1.8.1, 1.8.2, 1.8.3, 1.8.4, 1.8.5, 1.8.6, 1.8.7, 1.8.8, 1.8.9, 1.8.10, 1.8.11, 1.8.12, 1.8.13, 1.8.14, 1.8.15, 1.8.16, 1.8.17, 1.8.18, 1.8.19, 1.8.20, 1.8.21, 1.8.22, 1.8.23, 1.8.24, 1.8.25, 1.8.26, 1.8.27
Canonical     | Ubuntu Linux                     | 12.04, 14.04, 16.04, 18.04, 19.04
Debian        | Debian Linux                     | 8.0, 9.0, 10
Fedoraproject | Fedora                           | 30, 31
Opensuse      | Leap                             | 15.0, 15.1

Vendor Advisories

Synopsis: Important: sudo security update. Type/Severity: Security Advisory: Important. Topic: An update for sudo is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which ...
Synopsis: Important: sudo security update. Type/Severity: Security Advisory: Important. Topic: An update for sudo is now available for Red Hat Enterprise Linux 7.4 Advanced Update Support, Red Hat Enterprise Linux 7.4 Telco Extended Update Support, and Red Hat Enterprise Linux 7.4 Update Services for SAP Solutio ...
Synopsis: Important: sudo security update. Type/Severity: Security Advisory: Important. Topic: An update for sudo is now available for Red Hat Enterprise Linux 6.6 Advanced Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring Syste ...
Synopsis: Important: sudo security update. Type/Severity: Security Advisory: Important. Topic: An update for sudo is now available for Red Hat Enterprise Linux 7.5 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring Syste ...
Synopsis: Important: sudo security update. Type/Severity: Security Advisory: Important. Topic: An update for sudo is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which ...
Sudo could be made to run commands as root if it was called with a specially crafted user ID ...
Synopsis: Important: sudo security update. Type/Severity: Security Advisory: Important. Topic: An update for sudo is now available for Red Hat Enterprise Linux 7.6 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring Syste ...
Synopsis: Important: sudo security update. Type/Severity: Security Advisory: Important. Topic: An update for sudo is now available for Red Hat Enterprise Linux 7.3 Advanced Update Support, Red Hat Enterprise Linux 7.3 Telco Extended Update Support, and Red Hat Enterprise Linux 7.3 Update Services for SAP Solutio ...
Synopsis: Important: sudo security update. Type/Severity: Security Advisory: Important. Topic: An update for sudo is now available for Red Hat Enterprise Linux 7.2 Advanced Update Support, Red Hat Enterprise Linux 7.2 Telco Extended Update Support, and Red Hat Enterprise Linux 7.2 Update Services for SAP Solutio ...
Synopsis: Important: sudo security update. Type/Severity: Security Advisory: Important. Topic: An update for sudo is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which ...
Joe Vennix discovered that sudo, a program designed to provide limited super user privileges to specific users, when configured to allow a user to run commands as an arbitrary user via the ALL keyword in a Runas specification, allows running commands as root by specifying the user ID -1 or 4294967295. This could allow a user with sufficient sudo pri ...
Debian Bug report logs - #942322 sudo: CVE-2019-14287: Potential bypass of Runas user restrictions. Package: src:sudo; Maintainer for src:sudo is Bdale Garbee <bdale@gag.com>; Reported by: Salvatore Bonaccorso <carnil@debian.org>; Date: Mon, 14 Oct 2019 14:57:02 UTC; Severity: grave; Tags: security, upstream; Found in ve ...
When sudo is configured to allow a user to run commands as an arbitrary user via the ALL keyword in a Runas specification, it is possible to run commands as root by specifying the user ID -1 or 4294967295. This can be used by a user with sufficient sudo privileges to run commands as root even if the Runas specification explicitly disallows root acc ...
Arch Linux Security Advisory ASA-201910-9. Severity: High; Date: 2019-10-16; CVE-ID: CVE-2019-14287; Package: sudo; Type: arbitrary code execution; Remote: No; Link: security.archlinux.org/AVG-1047. Summary: The package sudo before version 1.8.28-1 is vulnerable to arbitrary code ...
A flaw was found in the way sudo implemented running commands with an arbitrary user ID. If a sudoers entry is written to allow the attacker to run a command as any user except root, this flaw can be used by the attacker to bypass that restriction ...

Mailing Lists

[slackware-security] sudo (SSA:2019-287-01). New sudo packages are available for Slackware 14.0, 14.1, 14.2, and -current to fix a security issue. Here are the details from the Slackware 14.2 ChangeLog: patches/packages/sudo-1.8.28-i586-1_slack14.2.txz: Upgraded. Fixe ...
Debian Security Advisory DSA-4543-1, security@debian.org, www.debian.org/security/, Salvatore Bonaccorso, October 14, 2019, www.debian.org/security/faq ...
In an effort to aid distros trying to backport the fix for CVE-2019-14287 to earlier sudo versions I've attached versions of the fix for sudo 1.8.5 and 1.8.10. - todd. diff -urN sudo-1.8.10/common/atoid.c sudo-1.8.10patched/common/atoid.c --- sudo-1.8.10/common/atoid.c Fri Mar 7 14:51:19 2014 +++ sudo-1.8.10patched/common/atoid.c Tue Oct 15 ...
Sudo 1.8.28 has been released today, October 14th, 2019, which includes a fix for the following security-related issue which has been assigned CVE-2019-14287. The information below is also available at www.sudo.ws/alerts/minus_1_uid.html. Potential bypass of Runas user restrictions. Summary: When sudo is configured to allow a user to run commands as ...

Recent Articles

Sudo? More like Su-doh: There's a fun bug that gives restricted sudoers root access (if your config is non-standard)
The Register • Chris Williams, Editor in Chief • 14 Oct 2019

All it takes is -u#-1 ... Wh%& t#e fsck*?

It's only Monday, and we already have a contender for the bug of the week.
Linux users who are able to run commands as other users, via the sudoer mechanism, though not as the all-powerful root user, can still run commands as root, thanks to a fascinating coding screw-up.
This security vulnerability, assigned CVE-2019-14287, is more interesting than scary: it requires a system to have a non-standard configuration. In other words, Linux computers are not vulnerable by default.
H...

References

CWE-20
http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00042.html
http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00047.html
http://packetstormsecurity.com/files/154853/Slackware-Security-Advisory-sudo-Updates.html
http://www.openwall.com/lists/oss-security/2019/10/14/1
http://www.openwall.com/lists/oss-security/2019/10/24/1
http://www.openwall.com/lists/oss-security/2019/10/29/3
https://access.redhat.com/errata/RHSA-2019:3197
https://access.redhat.com/errata/RHSA-2019:3204
https://access.redhat.com/errata/RHSA-2019:3205
https://access.redhat.com/errata/RHSA-2019:3209
https://access.redhat.com/errata/RHSA-2019:3219
https://access.redhat.com/errata/RHSA-2019:3278
https://lists.debian.org/debian-lts-announce/2019/10/msg00022.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IP7SIOAVLSKJGMTIULX52VQUPTVSC43U/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NPLAM57TPJQGKQMNG6RHFBLACD6K356N/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TUVAOZBYUHZS56A5FQSCDVGXT7PW7FL2/
https://seclists.org/bugtraq/2019/Oct/20
https://seclists.org/bugtraq/2019/Oct/21
https://security.netapp.com/advisory/ntap-20191017-0003/
https://support.f5.com/csp/article/K53746212?utm_source=f5support&utm_medium=RSS
https://usn.ubuntu.com/4154-1/
https://www.debian.org/security/2019/dsa-4543
https://www.openwall.com/lists/oss-security/2019/10/15/2
https://www.sudo.ws/alerts/minus_1_uid.html
https://nvd.nist.gov
https://exchange.xforce.ibmcloud.com/vulnerabilities/168933