Security vulnerability in sudo's netmask function patched
The developers of sudo have released updates to the privilege-elevating utility to patch a bug that allows an attacker to run commands on a remote system that they should not have access to. Shortly after, they issued a regular update that includes these fixes along with several new features.
Sudo versions 1.8.4p5 and 1.7.9p1 fix a security issue in the program that can allow a legitimate user who is included in the sudoers file to run commands on other hosts. When a user asks sudo to run a command, it consults sudoers to see if the user has permission. Sudoers rules can grant permission based on the host's IP address, matching either an absolute address or a network given with a netmask specification. The problem lies in the netmask matching, which is typically used to assign users permissions by subnet.
When the developers added IPv6 support, they inadvertently made the matching routine used for IPv4 networks call the IPv6 matching routines when no IPv4 match was found. Because the IPv6 fields would be uninitialised, it was possible for the system to think it had found a match where there wasn't one. Finding a match would, in turn, mean permission would be granted for whatever command the rule was controlling, even when the system was on a different network. The problem therefore occurs where sudoers files are centrally configured and distributed, for example with sudoldap, and the rules specify network masks to control permissions to run commands at elevated privileges. By default, sudo and the sudoers file are not configured in that way.
The flaw is present in the IP network matching code of sudo versions 1.6.9p3 through 1.8.4p4. The issue was reported internally through Red Hat's Bugzilla bug-tracking system and has already been fixed in Ubuntu by backporting the fix to older versions of the package. Red Hat is also expected to fix its versions of sudo very soon. The project has advised all users to update to a patched version of the program as soon as possible. Users who can't upgrade are advised to switch to defining host permissions using IP addresses instead of netmasks.
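As an added illustration (not sudo's code and not taken from the project's advisory), the following Python example checks a version string against the upstream ranges quoted above and lists the sudoers rules whose host list uses an IPv4 netmask, the rule type the workaround says to replace. The function names and the sample sudoers text are constructed for this example; it assumes 1.7 releases from 1.7.9p1 onward are fixed, and the line-based scan does not follow #include files.

```python
import re

# Upstream version bounds exactly as given in the article.
FIRST_AFFECTED = (1, 6, 9, 3)                    # 1.6.9p3
FIXED_17, FIXED_18 = (1, 7, 9, 1), (1, 8, 4, 5)  # 1.7.9p1, 1.8.4p5
# IPv4 network with CIDR or dotted mask: 10.1.0.0/16, 10.1.0.0/255.255.0.0
_QUAD = r"\d{1,3}(?:\.\d{1,3}){3}"
NETMASK = re.compile(rf"(?<![\w./]){_QUAD}/(?:{_QUAD}|\d{{1,2}})(?![\w.])")
# Constructed sample sudoers text (hosts, users and commands are made up).
SAMPLE = """\
Host_Alias BUILD = 10.1.0.0/16, \\
                   10.2.0.0/255.255.0.0
bob 192.0.2.10 = NOPASSWD: /sbin/route add -net 10.9.0.0/16
carol 192.0.2.0/24 = /usr/bin/id
"""

def parse_version(text):
    """'1.8.4p4' -> (1, 8, 4, 4); a missing pN suffix counts as p0."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised sudo version: {text!r}")
    return tuple(int(g or 0) for g in m.groups())

def upstream_affected(text):
    """In the article's affected range? (Assumes 1.7.x >= 1.7.9p1 is fixed.)"""
    v = parse_version(text)
    return FIRST_AFFECTED <= v < FIXED_17 or (1, 8, 0, 0) <= v < FIXED_18

def netmask_host_rules(sudoers_text):
    """Return [(line_no, [network, ...])] for rules whose host list uses a netmask."""
    hits, logical, start = [], "", 0
    for no, raw in enumerate(sudoers_text.splitlines(), 1):
        if not logical:
            start = no
        logical += raw.rstrip()
        if logical.endswith("\\"):               # backslash continuation
            logical = logical[:-1] + " "
            continue
        line, logical = logical.strip(), ""
        if not line or line.startswith(("#", "Defaults", "User_Alias",
                                        "Runas_Alias", "Cmnd_Alias")):
            continue
        if line.startswith("Host_Alias"):
            hosts = line                         # whole alias definition
        else:                                    # user spec: text left of each '='
            hosts = " ".join(s.split("=", 1)[0] for s in line.split(":") if "=" in s)
        if found := NETMASK.findall(hosts):
            hits.append((start, found))
    return hits
```

Because distributions such as Ubuntu backport the fix without changing the upstream version number, a positive version result on a packaged sudo should be confirmed against the vendor's changelog.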
The sudo developers have also released version 1.8.5 of the tool. This is a regular update and, along with the aforementioned security fixes, includes several other features such as new translations for German, Croatian, Swedish and other languages. The update also brings numerous changes in the general behaviour of sudo, details of which can be found in the release notes for this version.