Message-Id: <20151110203830.67ABE6C001F@smtpvmsrv1.mitre.org>
Date: Tue, 10 Nov 2015 15:38:30 -0500 (EST)
From: cve-assign@...re.org
To: amilburn@...l.org
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com, Todd.Miller@...rtesan.com
Subject: Re: race condition checking digests/checksums in sudoers

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

>> http://www.sudo.ws/man/1.8.15/sudoers.man.html

>> If a command name is prefixed with a Digest_Spec, the command will
>> only match successfully if it can be verified using the specified
>> SHA-2 digest. This may be useful in situations where the user invoking
>> sudo has write access to the command or its parent directory.

> This results in a race condition if the digest functionality is used
> as suggested (in fact, the rules are matched before the user is
> prompted for a password, so you have quite some time to replace the
> binary from underneath sudo).

Our perspective is that the documentation is directly misleading, and
the product actually does not have a security feature for which there's
a reasonable expectation. We do assign a CVE ID in this type of
situation, and can do that later this week unless there's other
discussion.

As far as we know, the Digest_Spec feature can be useful if the user
invoking sudo doesn't have write access to the program file, but a
second (and potentially untrusted) user does have write access to the
program file. In the envisioned scenario, the second user is not allowed
to use sudo, the second user has no way to predict when anyone else may
use sudo, and the second user cannot use their write access often. Thus,
if the second user attempts a file-replacement attack, the attack will
almost certainly occur at an ineffective instant of time, and the
Digest_Spec feature will successfully prevent the attacker's desired
outcome. However, the documentation is specifically about "the user
invoking sudo has write access."

A reasonably experienced person reading the documentation could easily
conclude that sudo and the kernel cooperate to ensure that the executed
code is always exactly the same as the code with the specified SHA-2
digest value. This person can't be expected to guess that a race
condition is considered OK because a non-racy approach may be hard to
implement.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJWQlUYAAoJEL54rhJi8gl58pYP/iXOFLyMmGwHT8nhSCL9FoEK
+xP6MCf2vQjpjpAhi2kejNtji//qPGXCwDAAuBoXW9YRC30aGhBzuZqOQZxMFMqv
01x3m0Fm4A2cMyWA67VC50481WsiYGYHob8uld8h26VBY7VL9+s/TaUekMdKkTyq
yiczwH2kMu8QiHGjBlw5yyeEhSc+6V6gK7+YjX6nWCEQlvqjaorlOiUAfmYLfv5l
FPgj+WTssHR+gKaVmSuw+WqG4w6ukH9AVoOiMwej08mqAhttQmfcIZrmCNItUq8H
/t5vvbRYXpQz+KwwaQ0ENsMQDsquO9XnzGdHSmvrC0jbSRdNWCpsONal7DF8OVqi
8YzM24nulX6wWxgd2dAI/IBVvMO0A+SEbApikBrJPEdW9gZ/+SVG+nLethyirD22
xbBkP1PE49vfHuZaOCwR7D4A5oGl+wymbTg8D9ihD9Vq+9+Nedr3FrPZ9wTEMMha
+X+yRu/UeDHqGN3mkwCXNT2vKTLa/+cYi+opbRt7KVLVFB0XsYJrpHrKgvntRRTB
eo+HTmxX0ISWkWOTOeUy5zsDm6XcU/YYBylZpgkKJy3e8xcRKK8uUi0my25m3EaX
Akv0Zn5yTIgSz1+mEKFSFnhtX9KcAsExs0xwSu7qxrw8shCVoln4Y0JKWHPgfONw
XXNM7lVxJwW2dgvND1gE
=EaN/
-----END PGP SIGNATURE-----
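The check-then-use window the thread is about, and the descriptor-bound pattern that closes the rename/replace variant of it, as an added example that is not part of the thread and is not sudo's own code. Python is used here because `os.fexecve` exposes the same POSIX call a C implementation would use. The function names, the constructed "programs" (a few bytes standing in for executables) and the `between` callback that stands in for whatever happens between the digest check and the exec (for sudo: rule matching and the password prompt) are all assumptions of this example.

```python
import hashlib
import os
import tempfile

# Constructed stand-ins for a trusted command and an attacker-supplied replacement.
TRUSTED_PROGRAM = b"#!/bin/sh\necho trusted\n"
REPLACED_PROGRAM = b"#!/bin/sh\necho replaced\n"


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def read_fd(fd):
    """Read the whole file behind an open descriptor, starting at offset 0."""
    os.lseek(fd, 0, os.SEEK_SET)
    chunks = []
    while True:
        chunk = os.read(fd, 65536)
        if not chunk:
            return b"".join(chunks)
        chunks.append(chunk)


def racy_check_then_use(path, expected_hex, between):
    """Path-based check followed by a path-based use. Returns the digest of the
    bytes the second open yields (what execve(path) would run), or None if
    the check itself failed."""
    with open(path, "rb") as f:
        if sha256_hex(f.read()) != expected_hex:
            return None
    between()                          # the window between check and use
    with open(path, "rb") as f:        # execve(path) re-resolves the name here
        return sha256_hex(f.read())


def safe_check_then_use(path, expected_hex, between):
    """Open once, verify the descriptor, then use that same descriptor.
    A rename or unlink of the path inside the window cannot change the inode
    the descriptor refers to."""
    fd = os.open(path, os.O_RDONLY)
    try:
        if sha256_hex(read_fd(fd)) != expected_hex:
            return None
        between()
        return sha256_hex(read_fd(fd))  # still the inode that was verified
    finally:
        os.close(fd)


def exec_verified(path, expected_hex, argv):
    """Real-world form of the safe variant: verify the descriptor, then hand it
    to fexecve(2) so the kernel executes exactly the bytes that were hashed.
    O_CLOEXEC is deliberately not set: fexecve(3) documents that a script (#!)
    cannot be run from a close-on-exec descriptor."""
    fd = os.open(path, os.O_RDONLY)
    if sha256_hex(read_fd(fd)) != expected_hex:
        os.close(fd)
        raise PermissionError("digest mismatch for %s" % path)
    os.fexecve(fd, argv, os.environ)   # does not return on success


def demo():
    """Run both variants against a file that is swapped by rename (the way a
    user with write access to the parent directory would replace it) inside
    the check-to-use window. Returns (racy_matched, safe_matched)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "cmd")

        def install(content):
            tmp = path + ".new"
            with open(tmp, "wb") as f:
                f.write(content)
            os.rename(tmp, path)       # atomic replacement of the directory entry

        def swap():
            install(REPLACED_PROGRAM)

        expected = sha256_hex(TRUSTED_PROGRAM)

        install(TRUSTED_PROGRAM)
        racy = racy_check_then_use(path, expected, swap)
        install(TRUSTED_PROGRAM)
        safe = safe_check_then_use(path, expected, swap)
        return (racy == expected, safe == expected)


if __name__ == "__main__":
    print(demo())   # (False, True)
```

The descriptor-bound pattern removes the dependence on the path name, which is what a replacement via rename or unlink-and-recreate exploits. It does not help against an in-place rewrite of the same inode by a principal who has write permission on the file itself during the window, which is why the message's reading of the feature is the right one: a digest check adds assurance only when the party who could swap the file is not also able to write to it at will.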