[ESA-20010711-02] sudo elevated privileges vulnerability

From: EnGarde Secure Linux (securityat_private)
Date: Wed Jul 11 2001 - 10:41:01 PDT

  • Next message: Jonah Kowall: "Cold Fusion Vulnerability Patch Released" 

    -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


+------------------------------------------------------------------------+
| EnGarde Secure Linux Security Advisory                   July 11, 2001 |
| http://www.engardelinux.org/                           ESA-20010711-02 |
|                                                                        |
| Package:  sudo                                                         |
| Summary:  Users in the 'admin' group can gain elevated privileges.     |
+------------------------------------------------------------------------+

  EnGarde Secure Linux is a secure distribution of Linux that features
  improved access control, host and network intrusion detection, Web
  based secure remote management, complete e-commerce using AllCommerce,
  and integrated open source security tools.


OVERVIEW
- --------
  The configuration file for the sudo package which shipped with EnGarde
  Secure Linux 1.0.1 can allow users in the 'admin' group to gain elevated
  privileges by leveraging certain commands.


DETAIL
- ------
  Ralf Hemmann has, via the engarde-users mailing list, brought a security
  issue with our default /etc/sudoers file to our attention.

  In EnGarde Secure Linux, users in the 'admin' group have more privileges
  then a normal user.  They are allowed to execute more commands (such as
  su(1)) and are allowed to read certain configuration files that non-admin
  users are not allowed to.

  One of these commands is the sudo command, which allows a normal user to
  execute a command with elevated privileges.  By default, any user in the
  'admin' group can run several commands as defined in the /etc/sudoers
  file.

  However, some of these commands can lead to a total root shell since
  they are running with root privileges.

  We do not deem this a major security issue as users listed in the 'admin'
  group are normally trusted users.  However "trusted" does not mean you
  want them to have full-blown root access, so we are issuing this
  advisory.  Environments where untrusted users may be a member of the
  'admin' group should implement the countermeasures outlined in this
  advisory to eliminate the threat of a user gaining root privileges
  without their knowledge.


SOLUTION
- --------
  We are not issuing updated packages to fix this problem, as the
  /etc/sudoers file is a configuration file which would not be replaced
  by an updated package.


  Solution 1:  No Action at All
  -----------------------------
    No action needs to be taken if you:

      a) trust all of the users in your 'admin' group; and

      b) understand the security implications of allowing them to run
         commands that can lead to them having elevated privileges.

    If both these are true, then no action is required.


  Solution 2:  Remove the sudo Package
  ------------------------------------
    If you do not use sudo, and do not think you ever will, then it is
    safe to remove the sudo package completely.

    Before removing the package, the machine must either:

      a) be booted into a "standard" kernel; or
      b) have LIDS disabled.

    To disable LIDS, execute the command:

      # /sbin/lidsadm -S -- -LIDS

    To remove sudo, execute the command:

      # rpm -e sudo

    To reload the LIDS configuration, execute the command:

      # /usr/sbin/config_lids.pl

    To re-enable LIDS (if it was disabled), execute the command:

      # /sbin/lidsadm -S -- +LIDS

    The sudo package is now removed, and the issue is closed.


  Solution 3:  Remove the 'admin' Group Privileges
  ------------------------------------------------
    This solution to the problem uses the visudo(8) command to edit the
    /etc/sudoers file.  Please note that you will be brought in to vi(1)
    by default.  If you are not comfortable using vi then we recommend
    you change your EDITOR environment variable to pico(1) by typing:

      # export EDITOR=pico

    To remove admin privileges completely, execute the command:

      # visudo

    Now comment out or remove the line "%admin  ALL=ADMINCMDS, NETCMDS"
    from the user privilege specification.  This line should be the last
    line in the file.  The changes will take effect when you exit the
    editor, saving your changes.


UPDATED PACKAGES
- ----------------
  There are no updated packages at this time.


REFERENCES
- ----------

  Guardian Digital's public key:
    http://ftp.engardelinux.org/pub/engarde/ENGARDE-GPG-KEY

  Credit for the discovery of this bug goes to:
    Ralf Hemmann <ralfat_private>

  sudo's Official Web Site:
    http://www.courtesan.com/sudo/

  Security Contact:    securityat_private
  EnGarde Advisories:  http://www.engardelinux.org/advisories.html

- --------------------------------------------------------------------------
$Id: ESA-20010711-02-sudo,v 1.5 2001/07/11 16:56:28 rwm Exp $
- --------------------------------------------------------------------------
Author: Ryan W. Maple, <ryanat_private> 
Copyright 2001, Guardian Digital, Inc.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE7TI+3HD5cqd57fu0RAuWzAJ4yLpK/w9c2brddafxVScRAFyFFugCcDcxr
adpkjUmqTvdF70Dl5HK7DyM=
=UFxX
-----END PGP SIGNATURE-----

    This archive was generated by hypermail 2b30 : Wed Jul 11 2001 - 16:56:21 PDT