ID CVE-2014-9680
Summary sudo before 1.8.12 does not ensure that the TZ environment variable is associated with a zoneinfo file, which allows local users to open arbitrary files for read access (but not view file contents) by running a program within an sudo session, as demonstrated by interfering with terminal output, discarding kernel-log messages, or repositioning tape drives.
References
Vulnerable Configurations
  • cpe:2.3:a:sudo_project:sudo:1.8.11:p2
CVSS
Base: 2.1 (as of 04-05-2017 - 15:10)
Impact:
Exploitability:
CWE CWE-200
CAPEC
  • Subverting Environment Variable Values
    The attacker directly or indirectly modifies environment variables used by or controlling the target software. The attacker's goal is to cause the target software to deviate from its expected operation in a manner that benefits the attacker.
  • Footprinting
    An attacker engages in probing and exploration activity to identify constituents and properties of the target. Footprinting is a general term to describe a variety of information gathering techniques, often used by attackers in preparation for some attack. It consists of using tools to learn as much as possible about the composition, configuration, and security mechanisms of the targeted application, system or network. Information that might be collected during a footprinting effort could include open ports, applications and their versions, network topology, and similar information. While footprinting is not intended to be damaging (although certain activities, such as network scans, can sometimes cause disruptions to vulnerable applications inadvertently) it may often pave the way for more damaging attacks.
  • Exploiting Trust in Client (aka Make the Client Invisible)
    An attack of this type exploits a program's vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client. An attacker executes this type of attack by placing themselves in the communication channel between client and server such that communication directly to the server is possible where the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.
  • Browser Fingerprinting
    An attacker carefully crafts small snippets of JavaScript to efficiently detect the type of browser the potential victim is using. Many web-based attacks need prior knowledge of the web browser including the version of browser to ensure successful exploitation of a vulnerability. Having this knowledge allows an attacker to target the victim with attacks that specifically exploit known or zero day weaknesses in the type and version of the browser used by the victim. Automating this process via JavaScript as a part of the same delivery system used to exploit the browser is considered more efficient as the attacker can supply a browser fingerprinting method and integrate it with exploit code, all contained in JavaScript and in response to the same web page request by the browser.
  • Session Credential Falsification through Prediction
    This attack targets predictable session ID in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.
  • Reusing Session IDs (aka Session Replay)
    This attack targets the reuse of valid session ID to spoof the target system in order to gain privileges. The attacker tries to reuse a stolen session ID used previously during a transaction to perform spoofing and session hijacking. Another name for this type of attack is Session Replay.
  • Using Slashes in Alternate Encoding
    This attack targets the encoding of the Slash characters. An attacker would try to exploit common filtering problems related to the use of the slash characters to gain access to resources on the target host. Directory-driven systems, such as file systems and databases, typically use the slash character to indicate traversal between directories or other container components. For murky historical reasons, PCs (and, as a result, Microsoft OSs) choose to use a backslash, whereas the UNIX world typically makes use of the forward slash. The schizophrenic result is that many MS-based systems are required to understand both forms of the slash. This gives the attacker many opportunities to discover and abuse a number of common filtering problems. The goal of this pattern is to discover server software that only applies filters to one version, but not the other.
Access
Vector LOCAL
Complexity LOW
Authentication NONE
Impact
Confidentiality PARTIAL
Integrity NONE
Availability NONE
nessus via4
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-3167.NASL
    description Jakub Wilk reported that sudo, a program designed to provide limited super user privileges to specific users, preserves the TZ variable from a user's environment without any sanitization. A user with sudo access may take advantage of this to exploit bugs in the C library functions which parse the TZ environment variable or to open files that the user would not otherwise be able to open. The latter could potentially cause changes in system behavior when reading certain device special files or cause the program run via sudo to block.
    last seen 2018-09-01
    modified 2018-01-29
    plugin id 81426
    published 2015-02-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=81426
    title Debian DSA-3167-1 : sudo - security update
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2015-0985-1.NASL
    description This update for sudo provides the following fixes : Handle TZ environment variable safely. (CVE-2014-9680, bnc#917806) Do not truncate long commands (131072 or more characters) without any warning. (bnc#901145) Create log files with ownership set to user and group 'root'. (bnc#904694) Close PAM session properly. (bnc#880764) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-09-01
    modified 2018-08-02
    plugin id 83971
    published 2015-06-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=83971
    title SUSE SLED11 / SLES11 Security Update : sudo (SUSE-SU-2015:0985-1)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20150722_SUDO_ON_SL6_X.NASL
    description It was discovered that sudo did not perform any checks of the TZ environment variable value. If sudo was configured to preserve the TZ environment variable, a local user with privileges to execute commands via sudo could possibly use this flaw to achieve system state changes not permitted by the configured commands. (CVE-2014-9680) Note: The default sudoers configuration in Scientific Linux 6 removes the TZ variable from the environment in which commands run by sudo are executed. This update also fixes the following bugs : - Previously, the sudo utility child processes could sometimes become unresponsive because they ignored the SIGPIPE signal. With this update, SIGPIPE handler is properly restored in the function that reads passwords from the user, and the child processes no longer ignore SIGPIPE. As a result, sudo child processes do not hang in this situation. - Prior to this update, the order in which sudo rules were processed did not honor the user-defined sudoOrder attribute. Consequently, sudo rules were processed in an undefined order even when the user defined the order in sudoOrder. The implementation of SSSD support in sudo has been modified to sort the rules according to the sudoOrder value, and sudo rules are now sorted in the order defined by the user in sudoOrder. - Previously, sudo became unresponsive after the user issued a command when a sudoers source was mentioned multiple times in the /etc/nsswitch.conf file. The problem occurred when nsswitch.conf contained, for example, the 'sudoers: files sss sss' entry. The sudoers source processing code has been fixed to correctly handle multiple instances of the same sudoers source. As a result, sudo no longer hangs when a sudoers source is mentioned multiple times in /etc/nsswitch.conf. In addition, this update adds the following enhancement : - The sudo utility now supports I/O logs compressed using the zlib library. 
    With this update, sudo can generate zlib compressed I/O logs and also process zlib compressed I/O logs generated by other versions of sudo with zlib support.
    last seen 2018-09-01
    modified 2018-01-26
    plugin id 85207
    published 2015-08-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=85207
    title Scientific Linux Security Update : sudo on SL6.x i386/x86_64
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2015-1409.NASL
    description From Red Hat Security Advisory 2015:1409 : Updated sudo packages that fix one security issue, three bugs, and add one enhancement are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The sudo packages contain the sudo utility which allows system administrators to provide certain users with the permission to execute privileged commands, which are used for system management purposes, without having to log in as root. It was discovered that sudo did not perform any checks of the TZ environment variable value. If sudo was configured to preserve the TZ environment variable, a local user with privileges to execute commands via sudo could possibly use this flaw to achieve system state changes not permitted by the configured commands. (CVE-2014-9680) Note: The default sudoers configuration in Red Hat Enterprise Linux removes the TZ variable from the environment in which commands run by sudo are executed. This update also fixes the following bugs : * Previously, the sudo utility child processes could sometimes become unresponsive because they ignored the SIGPIPE signal. With this update, SIGPIPE handler is properly restored in the function that reads passwords from the user, and the child processes no longer ignore SIGPIPE. As a result, sudo child processes do not hang in this situation. (BZ#1094548) * Prior to this update, the order in which sudo rules were processed did not honor the user-defined sudoOrder attribute. Consequently, sudo rules were processed in an undefined order even when the user defined the order in sudoOrder. The implementation of SSSD support in sudo has been modified to sort the rules according to the sudoOrder value, and sudo rules are now sorted in the order defined by the user in sudoOrder. 
    (BZ#1138581) * Previously, sudo became unresponsive after the user issued a command when a sudoers source was mentioned multiple times in the /etc/nsswitch.conf file. The problem occurred when nsswitch.conf contained, for example, the 'sudoers: files sss sss' entry. The sudoers source processing code has been fixed to correctly handle multiple instances of the same sudoers source. As a result, sudo no longer hangs when a sudoers source is mentioned multiple times in /etc/nsswitch.conf. (BZ#1147498) In addition, this update adds the following enhancement : * The sudo utility now supports I/O logs compressed using the zlib library. With this update, sudo can generate zlib compressed I/O logs and also process zlib compressed I/O logs generated by other versions of sudo with zlib support. (BZ#1106433) All sudo users are advised to upgrade to these updated packages, which contain backported patches to correct these issues and add this enhancement.
    last seen 2018-09-01
    modified 2018-07-26
    plugin id 85104
    published 2015-07-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=85104
    title Oracle Linux 6 : sudo (ELSA-2015-1409)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-2533-1.NASL
    description Jakub Wilk and Stephane Chazelas discovered that Sudo incorrectly handled the TZ environment variable. An attacker with Sudo access could possibly use this issue to open arbitrary files, bypassing intended permissions. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-09-01
    modified 2018-08-06
    plugin id 81881
    published 2015-03-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=81881
    title Ubuntu 10.04 LTS / 12.04 LTS / 14.04 LTS / 14.10 : sudo vulnerability (USN-2533-1)
  • NASL family OracleVM Local Security Checks
    NASL id ORACLEVM_OVMSA-2015-0103.NASL
    description The remote OracleVM system is missing necessary patches to address critical security updates : - RHEL-6.7 erratum - modified the authlogicfix patch to fix #1144448 - fixed a bug in the ldapusermatchfix patch Resolves: rhbz#1144448 Resolves: rhbz#1142122 - RHEL-6.7 erratum - fixed the mantypos-ldap.patch Resolves: rhbz#1138267 - RHEL-6.7 erratum - added patch for (CVE-2014-9680) - added BuildRequires for tzdata Resolves: rhbz#1200253 - RHEL-6.7 erratum - added zlib-devel build required to enable zlib compression support - fixed two typos in the sudoers.ldap man page - fixed a hang when duplicate nss entries are specified in nsswitch.conf - SSSD: implemented sorting of the result entries according to the sudoOrder attribute - LDAP: fixed logic handling the computation of the 'user matched' flag - fixed restoring of the SIGPIPE signal in the tgetpass function - fixed listpw, verifypw + authenticate option logic in LDAP/SSSD Resolves: rhbz#1106433 Resolves: rhbz#1138267 Resolves: rhbz#1147498 Resolves: rhbz#1138581 Resolves: rhbz#1142122 Resolves: rhbz#1094548 Resolves: rhbz#1144448 - RHEL-6.6 erratum - SSSD: dropped the ipahostnameshort patch, as it is not needed. rhbz#1033703 is a configuration issue. 
    Related: rhbz#1033703 - RHEL-6.6 erratum - SSSD: fixed netgroup filter patch - SSSD: dropped separate patch for #1006463, the fix is now part of the netgroup filter patch Resolves: rhbz#1006463 Resolves: rhbz#1083064 - RHEL-6.6 erratum - don't retry authentication when ctrl-c pressed - fix double-quote processing in Defaults options - fix sesh login shell argv[0] - handle the '(none)' hostname correctly - SSSD: fix ipa_hostname handling - SSSD: fix sudoUser netgroup specification filtering - SSSD: list correct user when -U -l specified - SSSD: show rule names on long listing (-ll) Resolves: rhbz#1065415 Resolves: rhbz#1078338 Resolves: rhbz#1052940 Resolves: rhbz#1083064 Resolves: rhbz#1033703 Resolves: rhbz#1006447 Resolves: rhbz#1006463 Resolves: rhbz#1070952
    last seen 2018-09-02
    modified 2018-07-25
    plugin id 85144
    published 2015-07-31
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=85144
    title OracleVM 3.3 : sudo (OVMSA-2015-0103)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2015-2281.NASL
    description - update to 1.8.12 - fixes CVE-2014-9680 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-09-02
    modified 2018-01-30
    plugin id 81431
    published 2015-02-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=81431
    title Fedora 21 : sudo-1.8.12-1.fc21 (2015-2281)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DLA-160.NASL
    description This update fixes the CVEs described below. CVE-2014-0106 Todd C. Miller reported that if the env_reset option is disabled in the sudoers file, the env_delete option is not correctly applied to environment variables specified on the command line. A malicious user with sudo permissions may be able to run arbitrary commands with elevated privileges by manipulating the environment of a command the user is legitimately allowed to run. CVE-2014-9680 Jakub Wilk reported that sudo preserves the TZ variable from a user's environment without any sanitization. A user with sudo access may take advantage of this to exploit bugs in the C library functions which parse the TZ environment variable or to open files that the user would not otherwise be able to open. The latter could potentially cause changes in system behavior when reading certain device special files or cause the program run via sudo to block. For the oldstable distribution (squeeze), these problems have been fixed in version 1.7.4p4-2.squeeze.5. For the stable distribution (wheezy), they have been fixed in version 1.8.5p2-1+nmu2. We recommend that you upgrade your sudo packages. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-09-01
    modified 2018-07-06
    plugin id 82144
    published 2015-03-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=82144
    title Debian DLA-160-1 : sudo security update
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2015-2247.NASL
    description - update to 1.8.12 - fixes CVE-2014-9680 Update to 1.8.11p2 Major upstream changes & fixes : - when running a command in the background, sudo will now forward SIGINFO to the command - the passwords in ldap.conf and ldap.secret may now be encoded in base64. - SELinux role changes are now audited. For sudoedit, we now audit the actual editor being run, instead of just the sudoedit command. - it is now possible to match an environment variable's value as well as its name using env_keep and env_check - new files created via sudoedit as a non-root user now have the proper group id - sudoedit now works correctly in conjunction with sudo's SELinux RBAC support - it is now possible to disable network interface probing in sudo.conf by changing the value of the probe_interfaces setting - when listing a user's privileges (sudo -l), the sudoers plugin will now prompt for the user's password even if the targetpw, rootpw or runaspw options are set. - the new use_netgroups sudoers option can be used to explicitly enable or disable netgroups support - visudo can now export a sudoers file in JSON format using the new -x flag Distribution specific changes : - added patch to read ldap.conf more closely to nss_ldap - require /usr/bin/vi instead of vim-minimal - include pam.d/system-auth in PAM session phase from pam.d/sudo - include pam.d/sudo in PAM session phase from pam.d/sudo-i Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-09-02
    modified 2018-01-30
    plugin id 81458
    published 2015-02-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=81458
    title Fedora 20 : sudo-1.8.12-1.fc20 (2015-2247)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2015-703.NASL
    description sudo was updated to fix one security issue. This security issue was fixed : - CVE-2014-9680: Unsafe handling of TZ environment variable (bsc#917806).
    last seen 2018-09-01
    modified 2018-01-26
    plugin id 86738
    published 2015-11-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=86738
    title openSUSE Security Update : sudo (openSUSE-2015-703)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2016-2904-1.NASL
    description This update for sudo fixes the following security issues : - Fix two security vulnerabilities that allowed users to bypass sudo's NOEXEC functionality : - noexec bypass via system() and popen() [CVE-2016-7032, bsc#1007766] - noexec bypass via wordexp() [CVE-2016-7076, bsc#1007501] - Fix unsafe handling of TZ environment variable. [CVE-2014-9680, bsc#917806] Additionally, these non-security fixes are included in the update : - Fix 'ignoring time stamp from the future' message after each boot with !tty_tickets. [bsc#899252] - Enable support for SASL-based authentication. [bsc#979531] Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-09-06
    modified 2018-09-05
    plugin id 95317
    published 2016-11-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=95317
    title SUSE SLED12 / SLES12 Security Update : sudo (SUSE-SU-2016:2904-1)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2016-1402.NASL
    description This update for sudo fixes the following security issues : - Fix two security vulnerabilities that allowed users to bypass sudo's NOEXEC functionality : - noexec bypass via system() and popen() [CVE-2016-7032, bsc#1007766] - noexec bypass via wordexp() [CVE-2016-7076, bsc#1007501] - Fix unsafe handling of TZ environment variable. [CVE-2014-9680, bsc#917806] Additionally, these non-security fixes are included in the update : - Fix 'ignoring time stamp from the future' message after each boot with !tty_tickets. [bsc#899252] - Enable support for SASL-based authentication. [bsc#979531] This update was imported from the SUSE:SLE-12:Update update project.
    last seen 2018-09-05
    modified 2018-09-04
    plugin id 95556
    published 2016-12-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=95556
    title openSUSE Security Update : sudo (openSUSE-2016-1402)
  • NASL family Slackware Local Security Checks
    NASL id SLACKWARE_SSA_2015-047-03.NASL
    description New sudo packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix a security issue.
    last seen 2018-09-02
    modified 2018-01-26
    plugin id 81388
    published 2015-02-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=81388
    title Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / current : sudo (SSA:2015-047-03)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2015-687.NASL
    description sudo was updated to fix one security issue. This security issue was fixed : - CVE-2014-9680: Unsafe handling of TZ environment variable (bsc#917806).
    last seen 2018-09-02
    modified 2018-01-26
    plugin id 86956
    published 2015-11-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=86956
    title openSUSE Security Update : sudo (openSUSE-2015-687)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201504-02.NASL
    description The remote host is affected by the vulnerability described in GLSA-201504-02 (sudo: Information disclosure) sudo does not handle the TZ environment variable properly. Impact : A local attacker may be able to read arbitrary files or information from device special files. Workaround : There is no known workaround at this time.
    last seen 2018-09-02
    modified 2018-01-26
    plugin id 82732
    published 2015-04-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=82732
    title GLSA-201504-02 : sudo: Information disclosure
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2015-126.NASL
    description Updated sudo packages fix security vulnerability : Prior to sudo 1.8.12, the TZ environment variable was passed through unchecked. Most libc tzset() implementations support passing an absolute pathname in the time zone to point to an arbitrary, user-controlled file. This may be used to exploit bugs in the C library's TZ parser or open files the user would not otherwise have access to. Arbitrary file access via TZ could also be used in a denial of service attack by reading from a file or fifo that will block (CVE-2014-9680). The sudo package has been updated to version 1.8.12, fixing this issue and several other bugs.
    last seen 2018-09-02
    modified 2018-07-19
    plugin id 82379
    published 2015-03-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=82379
    title Mandriva Linux Security Advisory : sudo (MDVSA-2015:126)
  • NASL family MacOS X Local Security Checks
    NASL id MACOSX_10_10_5.NASL
    description The remote host is running a version of Mac OS X 10.10.x that is prior to 10.10.5. It is, therefore, affected by multiple vulnerabilities in the following components : - apache - apache_mod_php - Apple ID OD Plug-in - AppleGraphicsControl - Bluetooth - bootp - CloudKit - CoreMedia Playback - CoreText - curl - Data Detectors Engine - Date & Time pref pane - Dictionary Application - DiskImages - dyld - FontParser - groff - ImageIO - Install Framework Legacy - IOFireWireFamily - IOGraphics - IOHIDFamily - Kernel - Libc - Libinfo - libpthread - libxml2 - libxpc - mail_cmds - Notification Center OSX - ntfs - OpenSSH - OpenSSL - perl - PostgreSQL - python - QL Office - Quartz Composer Framework - Quick Look - QuickTime 7 - SceneKit - Security - SMBClient - Speech UI - sudo - tcpdump - Text Formats - udf Note that successful exploitation of the most serious issues can result in arbitrary code execution.
    last seen 2018-09-02
    modified 2018-07-16
    plugin id 85408
    published 2015-08-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=85408
    title Mac OS X 10.10.x < 10.10.5 Multiple Vulnerabilities
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2016-1381.NASL
    description This update for sudo fixes the following issues : - fix two security vulnerabilities that allowed users to bypass sudo's NOEXEC functionality : - noexec bypass via system() and popen() [CVE-2016-7032, bsc#1007766] - noexec bypass via wordexp() [CVE-2016-7076, bsc#1007501] Sudo was updated to the package from SUSE:SLE-12-SP2:Update, incorporating the following new feature : - allow dynamic groups with sudo [fate#318850] The following bug fixes are included : - parse /proc/stat for boottime correctly [boo#899252] - enable SASL authentication [boo#979531]
    last seen 2018-09-05
    modified 2018-09-04
    plugin id 95533
    published 2016-12-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=95533
    title openSUSE Security Update : sudo (openSUSE-2016-1381)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2015-1409.NASL
    description Updated sudo packages that fix one security issue, three bugs, and add one enhancement are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The sudo packages contain the sudo utility which allows system administrators to provide certain users with the permission to execute privileged commands, which are used for system management purposes, without having to log in as root. It was discovered that sudo did not perform any checks of the TZ environment variable value. If sudo was configured to preserve the TZ environment variable, a local user with privileges to execute commands via sudo could possibly use this flaw to achieve system state changes not permitted by the configured commands. (CVE-2014-9680) Note: The default sudoers configuration in Red Hat Enterprise Linux removes the TZ variable from the environment in which commands run by sudo are executed. This update also fixes the following bugs : * Previously, the sudo utility child processes could sometimes become unresponsive because they ignored the SIGPIPE signal. With this update, SIGPIPE handler is properly restored in the function that reads passwords from the user, and the child processes no longer ignore SIGPIPE. As a result, sudo child processes do not hang in this situation. (BZ#1094548) * Prior to this update, the order in which sudo rules were processed did not honor the user-defined sudoOrder attribute. Consequently, sudo rules were processed in an undefined order even when the user defined the order in sudoOrder. The implementation of SSSD support in sudo has been modified to sort the rules according to the sudoOrder value, and sudo rules are now sorted in the order defined by the user in sudoOrder. 
    (BZ#1138581) * Previously, sudo became unresponsive after the user issued a command when a sudoers source was mentioned multiple times in the /etc/nsswitch.conf file. The problem occurred when nsswitch.conf contained, for example, the 'sudoers: files sss sss' entry. The sudoers source processing code has been fixed to correctly handle multiple instances of the same sudoers source. As a result, sudo no longer hangs when a sudoers source is mentioned multiple times in /etc/nsswitch.conf. (BZ#1147498) In addition, this update adds the following enhancement : * The sudo utility now supports I/O logs compressed using the zlib library. With this update, sudo can generate zlib compressed I/O logs and also process zlib compressed I/O logs generated by other versions of sudo with zlib support. (BZ#1106433) All sudo users are advised to upgrade to these updated packages, which contain backported patches to correct these issues and add this enhancement.
    last seen 2018-09-09
    modified 2018-09-07
    plugin id 84943
    published 2015-07-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=84943
    title RHEL 6 : sudo (RHSA-2015:1409)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2015-1409.NASL
    description Updated sudo packages that fix one security issue, three bugs, and add one enhancement are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The sudo packages contain the sudo utility which allows system administrators to provide certain users with the permission to execute privileged commands, which are used for system management purposes, without having to log in as root. It was discovered that sudo did not perform any checks of the TZ environment variable value. If sudo was configured to preserve the TZ environment variable, a local user with privileges to execute commands via sudo could possibly use this flaw to achieve system state changes not permitted by the configured commands. (CVE-2014-9680) Note: The default sudoers configuration in Red Hat Enterprise Linux removes the TZ variable from the environment in which commands run by sudo are executed. This update also fixes the following bugs : * Previously, the sudo utility child processes could sometimes become unresponsive because they ignored the SIGPIPE signal. With this update, SIGPIPE handler is properly restored in the function that reads passwords from the user, and the child processes no longer ignore SIGPIPE. As a result, sudo child processes do not hang in this situation. (BZ#1094548) * Prior to this update, the order in which sudo rules were processed did not honor the user-defined sudoOrder attribute. Consequently, sudo rules were processed in an undefined order even when the user defined the order in sudoOrder. The implementation of SSSD support in sudo has been modified to sort the rules according to the sudoOrder value, and sudo rules are now sorted in the order defined by the user in sudoOrder. 
    (BZ#1138581) * Previously, sudo became unresponsive after the user issued a command when a sudoers source was mentioned multiple times in the /etc/nsswitch.conf file. The problem occurred when nsswitch.conf contained, for example, the 'sudoers: files sss sss' entry. The sudoers source processing code has been fixed to correctly handle multiple instances of the same sudoers source. As a result, sudo no longer hangs when a sudoers source is mentioned multiple times in /etc/nsswitch.conf. (BZ#1147498) In addition, this update adds the following enhancement : * The sudo utility now supports I/O logs compressed using the zlib library. With this update, sudo can generate zlib compressed I/O logs and also process zlib compressed I/O logs generated by other versions of sudo with zlib support. (BZ#1106433) All sudo users are advised to upgrade to these updated packages, which contain backported patches to correct these issues and add this enhancement.
    last seen 2018-09-01
    modified 2018-07-03
    plugin id 85017
    published 2015-07-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=85017
    title CentOS 6 : sudo (CESA-2015:1409)
redhat via4
advisories
bugzilla
id 1191144
title CVE-2014-9680 sudo: unsafe handling of TZ environment variable
oval
AND
  • OR
    • comment Red Hat Enterprise Linux 6 Client is installed
      oval oval:com.redhat.rhsa:tst:20100842001
    • comment Red Hat Enterprise Linux 6 Server is installed
      oval oval:com.redhat.rhsa:tst:20100842002
    • comment Red Hat Enterprise Linux 6 Workstation is installed
      oval oval:com.redhat.rhsa:tst:20100842003
    • comment Red Hat Enterprise Linux 6 ComputeNode is installed
      oval oval:com.redhat.rhsa:tst:20100842004
  • OR
    • AND
      • comment sudo is earlier than 0:1.8.6p3-19.el6
        oval oval:com.redhat.rhsa:tst:20151409007
      • comment sudo is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20110599006
    • AND
      • comment sudo-devel is earlier than 0:1.8.6p3-19.el6
        oval oval:com.redhat.rhsa:tst:20151409005
      • comment sudo-devel is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20131701008
rhsa
id RHSA-2015:1409
released 2015-07-22
severity Moderate
title RHSA-2015:1409: sudo security, bug fix, and enhancement update (Moderate)
rpms
  • sudo-0:1.8.6p3-19.el6
  • sudo-devel-0:1.8.6p3-19.el6
refmap via4
confirm http://www.sudo.ws/alerts/tz.html
gentoo GLSA-201504-02
mlist [oss-security] 20141016 Abusing TZ for fun (and little profit)
sectrack 1033158
Last major update 04-05-2017 - 17:09
Published 24-04-2017 - 02:59
Last modified 04-01-2018 - 21:29