ID CVE-2010-2956
Summary Sudo 1.7.0 through 1.7.4p3, when a Runas group is configured, does not properly handle use of the -u option in conjunction with the -g option, which allows local users to gain privileges via a command line containing a "-u root" sequence.
References
Vulnerable Configurations
  • Todd Miller Sudo 1.7.0
    cpe:2.3:a:todd_miller:sudo:1.7.0
  • Todd Miller Sudo 1.7.1
    cpe:2.3:a:todd_miller:sudo:1.7.1
  • Todd Miller Sudo 1.7.2
    cpe:2.3:a:todd_miller:sudo:1.7.2
  • Todd Miller Sudo 1.7.2p1
    cpe:2.3:a:todd_miller:sudo:1.7.2p1
  • Todd Miller Sudo 1.7.2p2
    cpe:2.3:a:todd_miller:sudo:1.7.2p2
  • Todd Miller Sudo 1.7.2p3
    cpe:2.3:a:todd_miller:sudo:1.7.2p3
  • Todd Miller Sudo 1.7.2p4
    cpe:2.3:a:todd_miller:sudo:1.7.2p4
  • Todd Miller Sudo 1.7.2p5
    cpe:2.3:a:todd_miller:sudo:1.7.2p5
  • Todd Miller Sudo 1.7.2p6
    cpe:2.3:a:todd_miller:sudo:1.7.2p6
  • Todd Miller Sudo 1.7.2p7
    cpe:2.3:a:todd_miller:sudo:1.7.2p7
  • Todd Miller Sudo 1.7.3b1
    cpe:2.3:a:todd_miller:sudo:1.7.3b1
  • Todd Miller Sudo 1.7.4
    cpe:2.3:a:todd_miller:sudo:1.7.4
  • Todd Miller Sudo 1.7.4p1
    cpe:2.3:a:todd_miller:sudo:1.7.4p1
  • Todd Miller Sudo 1.7.4p2
    cpe:2.3:a:todd_miller:sudo:1.7.4p2
  • Todd Miller Sudo 1.7.4p3
    cpe:2.3:a:todd_miller:sudo:1.7.4p3
CVSS
Base: 6.2 (as of 13-09-2010 - 15:34)
Impact:
Exploitability:
Access
  • Vector LOCAL
  • Complexity HIGH
  • Authentication NONE
Impact
  • Confidentiality COMPLETE
  • Integrity COMPLETE
  • Availability COMPLETE
nessus via4
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201009-03.NASL
    description The remote host is affected by the vulnerability described in GLSA-201009-03 (sudo: Privilege Escalation) Multiple vulnerabilities have been reported in sudo: Evan Broder and Anders Kaseorg of Ksplice, Inc. reported that the sudo 'secure path' feature does not properly handle multiple PATH variables (CVE-2010-1646). Markus Wuethrich of Swiss Post reported that sudo fails to restrict access when using Runas groups and the group (-g) command line option (CVE-2010-2956). Impact : A local attacker could exploit these vulnerabilities to gain the ability to run certain commands with the privileges of other users, including root, depending on the configuration. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-08-10
    plugin id 49124
    published 2010-09-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=49124
    title GLSA-201009-03 : sudo: Privilege Escalation
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2010-0675.NASL
    description An updated sudo package that fixes one security issue is now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The sudo (superuser do) utility allows system administrators to give certain users the ability to run commands as root. A flaw was found in the way sudo handled Runas specifications containing both a user and a group list. If a local user were authorized by the sudoers file to perform their sudo commands with the privileges of a specified user and group, they could use this flaw to run those commands with the privileges of either an arbitrary user or group on the system. (CVE-2010-2956) Red Hat would like to thank Markus Wuethrich of Swiss Post - PostFinance for reporting this issue. Users of sudo should upgrade to this updated package, which contains a backported patch to correct this issue.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 49203
    published 2010-09-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=49203
    title CentOS 5 : sudo (CESA-2010:0675)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20100907_SUDO_ON_SL5_X.NASL
    description A flaw was found in the way sudo handled Runas specifications containing both a user and a group list. If a local user were authorized by the sudoers file to perform their sudo commands with the privileges of a specified user and group, they could use this flaw to run those commands with the privileges of either an arbitrary user or group on the system. (CVE-2010-2956)
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 60854
    published 2012-08-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=60854
    title Scientific Linux Security Update : sudo on SL5.x i386/x86_64
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_3_SUDO-100907.NASL
    description sudo's handling of the -g command line option allowed to also specify -u in some cases, therefore allowing users to actually run commands as root (CVE-2010-2956).
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 75750
    published 2014-06-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=75750
    title openSUSE Security Update : sudo (openSUSE-SU-2010:0591-1)
  • NASL family Misc.
    NASL id VMWARE_VMSA-2011-0001_REMOTE.NASL
    description The remote VMware ESX host is missing a security-related patch. It is, therefore, affected by multiple vulnerabilities, including arbitrary code execution vulnerabilities, in several third-party components and libraries : - glibc - glibc-common - nscd - openldap - sudo
    last seen 2019-02-21
    modified 2018-08-06
    plugin id 89673
    published 2016-03-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=89673
    title VMware ESX Third-Party Libraries Multiple Vulnerabilities (VMSA-2011-0001) (remote check)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2010-175.NASL
    description A vulnerability has been found and corrected in sudo : Sudo 1.7.0 through 1.7.4p3, when a Runas group is configured, does not properly handle use of the -u option in conjunction with the -g option, which allows local users to gain privileges via a command line containing a -u root sequence (CVE-2010-2956). The updated packages have been patched to correct this issue.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 49205
    published 2010-09-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=49205
    title Mandriva Linux Security Advisory : sudo (MDVSA-2010:175)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2010-0675.NASL
    description An updated sudo package that fixes one security issue is now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The sudo (superuser do) utility allows system administrators to give certain users the ability to run commands as root. A flaw was found in the way sudo handled Runas specifications containing both a user and a group list. If a local user were authorized by the sudoers file to perform their sudo commands with the privileges of a specified user and group, they could use this flaw to run those commands with the privileges of either an arbitrary user or group on the system. (CVE-2010-2956) Red Hat would like to thank Markus Wuethrich of Swiss Post - PostFinance for reporting this issue. Users of sudo should upgrade to this updated package, which contains a backported patch to correct this issue.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 49128
    published 2010-09-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=49128
    title RHEL 5 : sudo (RHSA-2010:0675)
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_67B514C3BA8F11DF8F6E000C29A67389.NASL
    description Todd Miller reports : Beginning with sudo version 1.7.0 it has been possible to grant permission to run a command using a specified group via sudo -g option (run as group). A flaw exists in the logic that matches Runas groups in the sudoers file when the -u option is also specified (run as user). This flaw results in a positive match for the user specified via -u so long as the group specified via -g is allowed by the sudoers file. Exploitation of the flaw requires that Sudo be configured with sudoers entries that contain a Runas group. Entries that do not contain a Runas group, or only contain a Runas user are not affected.
    last seen 2019-02-21
    modified 2018-11-21
    plugin id 49123
    published 2010-09-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=49123
    title FreeBSD : sudo -- Flaw in Runas group matching (67b514c3-ba8f-11df-8f6e-000c29a67389)
  • NASL family VMware ESX Local Security Checks
    NASL id VMWARE_VMSA-2011-0001.NASL
    description a. Service Console update for glibc The service console packages glibc, glibc-common, and nscd are each updated to version 2.5-34.4908.vmw. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2010-3847 and CVE-2010-3856 to the issues addressed in this update. b. Service Console update for sudo The service console package sudo is updated to version 1.7.2p1-8.el5_5. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2010-2956 to the issue addressed in this update. c. Service Console update for openldap The service console package openldap is updated to version 2.3.43-12.el5_5.1. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2010-0211 and CVE-2010-0212 to the issues addressed in this update.
    last seen 2019-02-21
    modified 2018-08-16
    plugin id 51422
    published 2011-01-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=51422
    title VMSA-2011-0001 : VMware ESX third-party updates for Service Console packages glibc, sudo, and openldap
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2010-0675.NASL
    description From Red Hat Security Advisory 2010:0675 : An updated sudo package that fixes one security issue is now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The sudo (superuser do) utility allows system administrators to give certain users the ability to run commands as root. A flaw was found in the way sudo handled Runas specifications containing both a user and a group list. If a local user were authorized by the sudoers file to perform their sudo commands with the privileges of a specified user and group, they could use this flaw to run those commands with the privileges of either an arbitrary user or group on the system. (CVE-2010-2956) Red Hat would like to thank Markus Wuethrich of Swiss Post - PostFinance for reporting this issue. Users of sudo should upgrade to this updated package, which contains a backported patch to correct this issue.
    last seen 2019-02-21
    modified 2018-08-13
    plugin id 68093
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=68093
    title Oracle Linux 5 : sudo (ELSA-2010-0675)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-983-1.NASL
    description Markus Wuethrich discovered that sudo did not always verify the user when a group was specified in the Runas_Spec. A local attacker could exploit this to execute arbitrary code as root if sudo was configured to allow the attacker to use a program as a group when the attacker was not a part of that group. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-23
    plugin id 49140
    published 2010-09-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=49140
    title Ubuntu 9.10 / 10.04 LTS : sudo vulnerability (USN-983-1)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2010-14355.NASL
    description - update to new upstream version - sudo now uses /var/db/sudo for timestamps - new command available: sudoreplay - use native audit support - corrected license field value: BSD -> ISC - added env_keep += HOME (see rhbz#614025) for backwards compatibility - added Defaults !visiblepw - fixes CVE-2010-2956 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-12
    plugin id 49197
    published 2010-09-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=49197
    title Fedora 13 : sudo-1.7.4p4-1.fc13 (2010-14355)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_2_SUDO-100907.NASL
    description sudo's handling of the -g command line option allowed to also specify -u in some cases, therefore allowing users to actually run commands as root (CVE-2010-2956).
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 49168
    published 2010-09-09
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=49168
    title openSUSE Security Update : sudo (openSUSE-SU-2010:0591-1)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2010-14996.NASL
    description - reset $HOME when the `-i' option is used - update to new upstream version - sudo now uses /var/db/sudo for timestamps - new command available: sudoreplay - use native audit support - corrected license field value: BSD -> ISC - added env_keep += HOME (see rhbz#614025) for backwards compatibility - added Defaults !visiblepw - fixes CVE-2010-2956 - use_pty option can be used to avoid the issue reported in #479145 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 49721
    published 2010-10-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=49721
    title Fedora 12 : sudo-1.7.4p4-2.fc12 (2010-14996)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2010-14184.NASL
    description - update to new upstream version - sudo now uses /var/db/sudo for timestamps - new command available: sudoreplay - use native audit support - corrected license field value: BSD -> ISC - fixes CVE-2010-2956 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 49240
    published 2010-09-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=49240
    title Fedora 14 : sudo-1.7.4p4-1.fc14 (2010-14184)
  • NASL family Slackware Local Security Checks
    NASL id SLACKWARE_SSA_2010-257-02.NASL
    description New sudo packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, 10.2, 11.0, 12.0, 12.1, 12.2, 13.0, 13.1, and -current to fix a security issue.
    last seen 2019-02-21
    modified 2018-06-27
    plugin id 49230
    published 2010-09-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=49230
    title Slackware 10.0 / 10.1 / 10.2 / 11.0 / 12.0 / 12.1 / 12.2 / 13.0 / 13.1 / 8.1 / 9.0 / 9.1 / current : sudo (SSA:2010-257-02)
redhat via4
advisories
bugzilla
id 628628
title CVE-2010-2956 sudo: incorrect handling of RunAs specification with both user and group lists
oval
AND
  • comment Red Hat Enterprise Linux 5 is installed
    oval oval:com.redhat.rhba:tst:20070331001
  • comment sudo is earlier than 0:1.7.2p1-8.el5_5
    oval oval:com.redhat.rhsa:tst:20100675002
  • comment sudo is signed with Red Hat redhatrelease key
    oval oval:com.redhat.rhsa:tst:20090267003
rhsa
id RHSA-2010:0675
released 2010-09-07
severity Important
title RHSA-2010:0675: sudo security update (Important)
rpms sudo-0:1.7.2p1-8.el5_5
refmap via4
bid 43019
bugtraq
  • 20101027 rPSA-2010-0075-1 sudo
  • 20110105 VMSA-2011-0001 VMware ESX third party updates for Service Console packages glibc, sudo, and openldap
confirm
fedora FEDORA-2010-14355
gentoo GLSA-201009-03
mandriva MDVSA-2010:175
sectrack 1024392
secunia
  • 40508
  • 41316
  • 42787
suse SUSE-SR:2010:017
ubuntu USN-983-1
vupen
  • ADV-2010-2312
  • ADV-2010-2318
  • ADV-2010-2320
  • ADV-2010-2358
  • ADV-2011-0025
Last major update 21-01-2011 - 01:51
Published 10-09-2010 - 15:00
Last modified 10-10-2018 - 16:00