If the env_reset option is disabled in the sudoers file, a malicious user with sudo permissions may be able to run arbitrary commands with elevated privileges by manipulating the environment of a command the user is legitimately allowed to run.
Sudo versions affected: Sudo 1.6.9 through 1.8.4p5 inclusive. Sudo 1.8.5 and higher are not affected.
CVE ID: This vulnerability has been assigned CVE-2014-0106 in the Common Vulnerabilities and Exposures database.
Authentication bypass when clock is reset
When a user successfully authenticates with sudo, a time stamp file is updated to allow that user to continue running sudo without requiring a password for a preset time period (five minutes by default). The user’s time stamp file can be reset using sudo -k or removed altogether via sudo -K.
A user who has sudo access and is able to control the local clock (common in desktop environments) can run a command via sudo without authenticating, provided they have previously authenticated at least once, by running sudo -k and then setting the clock to the epoch (1970-01-01 01:00:00).
Potential bypass of tty_tickets constraints
When a user successfully authenticates with sudo, a time stamp file is updated to allow that user to continue running sudo without requiring a password for a preset time period (five minutes by default).
This time stamp file can either be common to all of a user’s terminals, or it can be specific to the particular terminal the user authenticated themselves on. The terminal-specific time stamp file behavior can be controlled using the tty_tickets option in the sudoers file.
IP addresses in sudoers with netmask may match additional hosts
A flaw exists in the IP network matching code in sudo versions 1.6.9p3 through 1.8.4p4 that may result in the local host being matched even though it is not actually part of the network described by the IP address and associated netmask listed in the sudoers file or in LDAP. As a result, users authorized to run commands on certain IP networks may be able to run commands on hosts that belong to other networks not explicitly listed in sudoers.
Sudo format string vulnerability
A flaw exists in the debugging code in sudo versions 1.8.0 through 1.8.3p1 that can be used to crash sudo or potentially allow an unauthorized user to elevate privileges.
Sudo versions affected: 1.8.0 through 1.8.3p1 inclusive. Older versions of sudo are not affected.
CVE ID: This vulnerability has been assigned CVE-2012-0809 in the Common Vulnerabilities and Exposures database.
Details: Sudo 1.8.0 introduced simple debugging support that was primarily intended for use when developing policy or I/O logging plugins.
Flaw in Runas Group password checking
Beginning with sudo version 1.7.0 it has been possible to grant permission to run a command using a specified group via sudo’s -g option (run as group), if allowed by the sudoers file. A flaw exists in sudo’s password checking logic that allows a user to run a command with only the group changed without being prompted for a password.
Sudo versions affected: Sudo 1.7.0 through 1.7.4p4.
CVE ID: This vulnerability has been assigned CVE-2011-0010 in the Common Vulnerabilities and Exposures database.
Flaw in Runas group matching
Beginning with sudo version 1.7.0 it has been possible to grant permission to run a command using a specified group via sudo's -g option (run as group). A flaw exists in the logic that matches Runas groups in the sudoers file when the -u option is also specified (run as user). This flaw results in a positive match for the user specified via -u so long as the group specified via -g is allowed by the sudoers file.
Sudo's secure path option can be circumvented
Sudo's “secure path” feature works by replacing the PATH environment variable with a value specified in the sudoers file, or at compile time if the --with-secure-path configure option is used. The flaw is that sudo only replaces the first instance of PATH in the environment. If the program being run through sudo uses the last instance of PATH in the environment, an attacker may be able to avoid the “secure path” restrictions.
Additional privilege escalation bug with sudoedit
A flaw exists in sudo’s -e option (aka sudoedit) in sudo versions 1.6.8 through 1.7.2p5 that may give a user with permission to run sudoedit the ability to run arbitrary commands. This bug is related to, but distinct from, CVE-2010-0426.
Sudo versions affected: 1.6.8 through 1.7.2p5 inclusive.
CVE ID: This vulnerability has been assigned CVE-2010-1163 in the Common Vulnerabilities and Exposures database.
Details: When sudo performs its command matching, there is a special case for pseudo-commands in the sudoers file (currently, the only pseudo-command is sudoedit).
Privilege escalation bug with sudoedit
A flaw exists in sudo’s -e option (aka sudoedit) in sudo versions 1.6.9 through 1.7.2p3 that may give a user with permission to run sudoedit the ability to run arbitrary commands.
Sudo versions affected: 1.6.9 through 1.7.2p3 inclusive.
CVE ID: This vulnerability has been assigned CVE-2010-0426 in the Common Vulnerabilities and Exposures database.
Details: When sudo performs its command matching, there is a special case for pseudo-commands in the sudoers file (currently, the only pseudo-command is sudoedit).