Sudo
Security policy bypass when env_reset is disabled

If the env_reset option is disabled in the sudoers file, a malicious user with sudo permissions may be able to run arbitrary commands with elevated privileges by manipulating the environment of a command the user is legitimately allowed to run.

Sudo versions affected:

Sudo 1.6.9 through 1.8.4p5 inclusive. Sudo 1.8.5 and higher are not affected.

...
Authentication bypass when clock is reset

When a user successfully authenticates with sudo, a time stamp file is updated to allow that user to continue running sudo without requiring a password for a preset time period (five minutes by default). The user’s time stamp file can be reset using sudo -k or removed altogether via sudo -K.

A user who has sudo access and is able to control the local clock (common in desktop environments) can run a command via sudo without authenticating as long as they have previously authenticated themselves at least once by running sudo -k and then setting the clock to the epoch (1970-01-01 01:00:00).

...
Potential bypass of tty_tickets constraints

When a user successfully authenticates with sudo, a time stamp file is updated to allow that user to continue running sudo without requiring a password for a preset time period (five minutes by default).

This time stamp file can either be common to all of a user’s terminals, or it can be specific to the particular terminal the user authenticated themselves on. The terminal-specific time stamp file behavior can be controlled using the tty_tickets option in the sudoers file. This option has been enabled by default since sudo 1.7.4. Prior to sudo 1.7.4, the default was to use a single time stamp for all the user’s sessions.

...
IP addresses in sudoers with netmask may match additional hosts

A flaw exists in the IP network matching code in sudo versions 1.6.9p3 through 1.8.4p4 that may result in the local host being matched even though it is not actually part of the network described by the IP address and associated netmask listed in the sudoers file or in LDAP. As a result, users authorized to run commands on certain IP networks may be able to run commands on hosts that belong to other networks not explicitly listed in sudoers.

...
Sudo format string vulnerability

A flaw exists in the debugging code in sudo versions 1.8.0 through 1.8.3p1 that can be used to crash sudo or potentially allow an unauthorized user to elevate privileges.

Sudo versions affected:

1.8.0 through 1.8.3p1 inclusive. Older versions of sudo are not affected.

CVE ID:

This vulnerability has been assigned CVE-2012-0809 in the Common Vulnerabilities and Exposures database.

...
Flaw in Runas Group password checking

Beginning with sudo version 1.7.0 it has been possible to grant permission to run a command using a specified group via sudo’s -g option (run as group), if allowed by the sudoers file. A flaw exists in sudo’s password checking logic that allows a user to run a command with only the group changed without being prompted for a password.

Sudo versions affected:

Sudo 1.7.0 through 1.7.4p4.

...
Flaw in Runas group matching

Beginning with sudo version 1.7.0 it has been possible to grant permission to run a command using a specified group via sudo’s -g option (run as group). A flaw exists in the logic that matches Runas groups in the sudoers file when the -u option is also specified (run as user). This flaw results in a positive match for the user specified via -u so long as the group specified via -g is allowed by the sudoers file.

...
Sudo's secure path option can be circumvented

Sudo’s “secure path” feature works by replacing the PATH environment variable with a value specified in the sudoers file, or at compile time if the --with-secure-path configure option is used. The flaw is that sudo only replaces the first instance of PATH in the environment. If the program being run through sudo uses the last instance of PATH in the environment, an attacker may be able to avoid the “secure path” restrictions.

...