oss-sec mailing list archives

sudo: IP addresses in sudoers with netmask may match additional hosts (CVE-2012-2337)


From: Solar Designer <solar () openwall com>
Date: Fri, 18 May 2012 15:57:26 +0400

Hi,

(I was hoping someone else would bring this in here once it became public.)

A sudo advisory was published by upstream and corrected versions were
released on 2012-05-16:

http://www.sudo.ws/sudo/alerts/netmask.html

"Summary:
A flaw exists in the IP network matching code in sudo versions 1.6.9p3
through 1.8.4p4 that may result in the local host being matched even
though it is not actually part of the network described by the IP
address and associated netmask listed in the sudoers file or in LDAP.
As a result, users authorized to run commands on certain IP networks may
be able to run commands on hosts that belong to other networks not
explicitly listed in sudoers.

Sudo versions affected:
Sudo versions 1.6.9p3 through 1.8.4p4 inclusive are affected.  The bug
only has an effect when the sudoers file (or LDAP sudoers data) using a
host specification that grants permissions using an IP address with an
associated netmask, e.g. 10.0.1.0/255.255.255.0 or 10.0.2.0/24."

This is CVE-2012-2337.

Red Hat Bugzilla entries:

https://bugzilla.redhat.com/show_bug.cgi?id=820677
https://bugzilla.redhat.com/show_bug.cgi?id=822175

Ubuntu advisory:

http://www.ubuntu.com/usn/usn-1442-1/

Debian tracking:

http://security-tracker.debian.org/tracker/CVE-2012-2337

Alexander


Current thread: