ASA-201910-9 - log back

ASA-201910-9 edited at 16 Oct 2019 17:30:00
Workaround
- This vulnerability only affects configurations of sudo that have a runas user list that includes an exclusion of root. The most simple example is:
+ This vulnerability only affects configurations of sudo that have a
+ runas user list that includes an exclusion of root. The most simple
+ example is:
someuser ALL=(ALL, !root) /usr/bin/somecommand
- The exclusion is specified using an excalamation mark (!). In this example, the "root" user is specified by name. The root user may also be identified in other ways, such as by user id:
+ The exclusion is specified using an excalamation mark (!). In this
+ example, the "root" user is specified by name. The root user may also
+ be identified in other ways, such as by user id:
someuser ALL=(ALL, !#0) /usr/bin/somecommand
or by reference to a runas alias:
Runas_Alias MYGROUP = root, adminuser
someuser ALL=(ALL, !MYGROUP) /usr/bin/somecommand
- To ensure your sudoers configuration is not affected by this vulnerability, we recommend examining each sudoers entry that includes the `!` character in the runas specification, to ensure that the root user is not among the exclusions. These can be found in the /etc/sudoers file or files under /etc/sudoers.d.
+ To ensure your sudoers configuration is not affected by this
+ vulnerability, we recommend examining each sudoers entry that includes
+ the `!` character in the runas specification, to ensure that the root
+ user is not among the exclusions. These can be found in the
+ /etc/sudoers file or files under /etc/sudoers.d.
ASA-201910-9 edited at 16 Oct 2019 15:33:20
Workaround
+ This vulnerability only affects configurations of sudo that have a runas user list that includes an exclusion of root. The most simple example is:
+
+ someuser ALL=(ALL, !root) /usr/bin/somecommand
+
+ The exclusion is specified using an excalamation mark (!). In this example, the "root" user is specified by name. The root user may also be identified in other ways, such as by user id:
+
+ someuser ALL=(ALL, !#0) /usr/bin/somecommand
+
+ or by reference to a runas alias:
+
+ Runas_Alias MYGROUP = root, adminuser
+ someuser ALL=(ALL, !MYGROUP) /usr/bin/somecommand
+
+ To ensure your sudoers configuration is not affected by this vulnerability, we recommend examining each sudoers entry that includes the `!` character in the runas specification, to ensure that the root user is not among the exclusions. These can be found in the /etc/sudoers file or files under /etc/sudoers.d.
Impact
+ A local attacker is able to gain root privileges when sudo is configured to have a runas user list that includes an exclusion of root.
ASA-201910-9 edited at 16 Oct 2019 15:28:43
ASA-201910-9 created at 16 Oct 2019 12:52:09