Skip to content

OSG-SEC-2023-01-24 HIGH sudoedit privilege escalation

Dear OSG Security Contacts,

A vulnerability was found in the sudo package (CVE-2023-22809) [8]. An exposure in how sudoedit handles user-provided environment variables can lead to arbitrary file writing with privileges of the RunAs user (usually root) [7].

IMPACTED VERSIONS:

Sudo versions 1.8.0 through 1.9.12.p1

WHAT ARE THE VULNERABILITIES:

In Sudo, before 1.9.12p2, the sudoedit (aka -e) feature mishandles extra arguments passed in the user-provided environment variables (SUDO_EDITOR, VISUAL, and EDITOR), allowing a local attacker to append arbitrary entries to the list of files to process. This can lead to privilege escalation. The problem exists because a user-specified editor may contain a "--" argument that defeats a protection mechanism, e.g., an EDITOR='vim -- /path/to/extra/file' value.

WHAT YOU SHOULD DO:

Install the updated sudo packages for your systems. Patched packages are available for all RHEL versions and most other major distributions.

Alternatively, the problem may be mitigated[8]. It is possible to prevent a user-specified editor from being used by sudoedit by adding the following line to the sudoers file:

Defaults!sudoedit env_delete+="SUDO_EDITOR VISUAL EDITOR"

To restrict the editor when editing specific files, a Cmnd_Alias can be used, for example:

Cmnd_Alias EDIT_MOTD = sudoedit /etc/motd Defaults!EDIT_MOTD env_delete+="SUDO_EDITOR VISUAL EDITOR" user ALL = EDIT_MOTD

Even if applying the mitigation, the affected packages should still be updated as soon as possible.

Sites running RHEL should see [1]

Sites running CentOS should also see [1]

Sites running Ubuntu should see [2]

Sites running Scientific Linux should see [3]

Sites running Debian should see [4]

Sites running RockyLinux should see [5]

Sites running Almalinux should see [6]

REFERENCES

[1] https://access.redhat.com/errata/RHSA-2023:0291

[2] https://ubuntu.com/security/notices/USN-5811-1

[3] https://www.scientificlinux.org/category/sl-errata/

[4] https://security-tracker.debian.org/tracker

[5] https://errata.rockylinux.org/

[6] https://errata.almalinux.org/

[7] https://bugzilla.redhat.com/show_bug.cgi?id=2161142

[8] https://access.redhat.com/security/cve/CVE-2023-22809

Please contact the OSG security team at [email protected] if you have any questions or concerns.

OSG Security Team