oss-sec mailing list archives

Re: race condition checking digests/checksums in sudoers


From: cve-assign () mitre org
Date: Tue, 10 Nov 2015 15:38:30 -0500 (EST)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

http://www.sudo.ws/man/1.8.15/sudoers.man.html

If a command name is prefixed with a Digest_Spec, the command will
only match successfully if it can be verified using the specified
SHA-2 digest. This may be useful in situations where the user invoking
sudo has write access to the command or its parent directory.

This results in a race condition if the digest functionality is used
as suggested (in fact, the rules are matched before the user is
prompted for a password, so you have quite some time to replace the
binary from underneath sudo).

Our perspective is that the documentation is directly misleading, and
the product actually does not have a security feature for which
there's a reasonable expectation. We do assign a CVE ID in this type of
situation, and can do that later this week unless there's other
discussion.

As far as we know, the Digest_Spec feature can be useful if the user
invoking sudo doesn't have write access to the program file, but a
second (and potentially untrusted) user does have write access to the
program file. In the envisioned scenario, the second user is not
allowed to use sudo, the second user has no way to predict when anyone
else may use sudo, and the second user cannot use their write access
often. Thus, if the second user attempts a file-replacement attack,
the attack will almost certainly occur at an ineffective instant of
time, and the Digest_Spec feature will successfully prevent the
attacker's desired outcome.

However, the documentation is specifically about "the user invoking
sudo has write access." A reasonably experienced person reading the
documentation could easily conclude that sudo and the kernel cooperate
to ensure that the executed code is always exactly the same as the
code with the specified SHA-2 digest value. This person can't be
expected to guess that a race condition is considered OK because a
non-racy approach may be hard to implement.

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----
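The time-of-check/time-of-use gap described in the message above, reproduced as an added example. This is not code from sudo or from the poster: it is a constructed stand-in in which "executing" a command means reading the bytes that a second lookup of the pathname returns, the password prompt is modelled by a callback run between the check and the use, and the attacker is a rename() over the command file in a directory the invoking user owns. It assumes POSIX semantics (an open descriptor keeps referring to the old inode after the directory entry is replaced) and uses a temporary directory created by the script itself.

```python
"""
Added example (not sudo's code): a check-by-path-then-use-by-path pattern
next to a descriptor-pinned alternative, run against a constructed
"command" in a temporary directory. POSIX semantics assumed: rename()
over the file does not affect a descriptor that is already open on it.
"""
import hashlib
import os
import tempfile


def sha256_fd(fd):
    """Hash whatever inode fd currently refers to, from offset 0."""
    os.lseek(fd, 0, os.SEEK_SET)
    h = hashlib.sha256()
    while True:
        chunk = os.read(fd, 65536)
        if not chunk:
            break
        h.update(chunk)
    return h.hexdigest()


def read_fd(fd):
    """Return the full contents of the inode fd refers to (stand-in for exec)."""
    os.lseek(fd, 0, os.SEEK_SET)
    out = []
    while True:
        chunk = os.read(fd, 65536)
        if not chunk:
            break
        out.append(chunk)
    return b"".join(out)


def run_check_by_path(path, expected, window):
    """Racy pattern: verify the digest of the file found at `path`, then
    resolve `path` a second time to obtain the code that actually runs
    (stand-in for execve(path)). `window` models the password prompt."""
    fd = os.open(path, os.O_RDONLY)
    try:
        ok = sha256_fd(fd) == expected
    finally:
        os.close(fd)
    if not ok:
        return None            # rule does not match, nothing runs
    window()
    fd = os.open(path, os.O_RDONLY)   # second lookup: may be a different inode
    try:
        return read_fd(fd)
    finally:
        os.close(fd)


def run_check_by_fd(path, expected, window):
    """Pinned pattern: open once, verify that descriptor, and hand the same
    descriptor to the executor (stand-in for fexecve(fd)), so a rename()
    during the window cannot swap the inode underneath the check."""
    fd = os.open(path, os.O_RDONLY)
    try:
        if sha256_fd(fd) != expected:
            return None
        window()
        return read_fd(fd)
    finally:
        os.close(fd)


def demo():
    """Constructed scenario: the invoking user owns the directory, so they
    can rename a different file over the command while waiting at the
    password prompt. Returns what each pattern ended up 'executing'."""
    good = b"#!/bin/sh\necho trusted\n"
    evil = b"#!/bin/sh\necho replaced\n"
    expected = hashlib.sha256(good).hexdigest()
    with tempfile.TemporaryDirectory() as d:
        cmd = os.path.join(d, "cmd")

        def install_trusted():
            with open(cmd, "wb") as f:
                f.write(good)

        def attacker_swaps_binary():
            tmp = os.path.join(d, "cmd.new")
            with open(tmp, "wb") as f:
                f.write(evil)
            os.rename(tmp, cmd)   # atomic replace of the directory entry

        install_trusted()
        by_path = run_check_by_path(cmd, expected, attacker_swaps_binary)
        install_trusted()
        by_fd = run_check_by_fd(cmd, expected, attacker_swaps_binary)
        install_trusted()
        mismatch = run_check_by_fd(cmd, "0" * 64, lambda: None)
    return {"by_path": by_path, "by_fd": by_fd, "mismatch": mismatch}


if __name__ == "__main__":
    r = demo()
    print("check by path executed:", r["by_path"])
    print("check by fd executed:  ", r["by_fd"])
    print("digest mismatch ran:   ", r["mismatch"])
```

Two caveats on reading the result. First, pinning the descriptor (os.fexecve in Python, fexecve(3) in C) only closes the swap-by-rename case, which requires write access to the parent directory; if the invoking user can write to the command file itself, they can overwrite the same inode after it has been hashed, and the kernel only refuses such writes once an exec of that inode is under way. That is my own reading of why the message says a non-racy approach may be hard to implement, not a statement about what sudo does. Second, the example deliberately does not exec anything; it reads the bytes a real execve()/fexecve() would have loaded so the outcome can be compared in one process.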