Aviso
Contributor

Potential security holes with old versions of sudo

The version of sudo that ships with ESX 3.0.1 (1.6.7p5) has lots of security holes that were fixed by the time the latest version 1.6.8p12 came out in November 2005.

To VMware's credit, RedHat didn't update the package for RHEL3 either, and I'm sure there are lots of these things (that's what happens when you deploy something based on an old platform), but given the number of security vulnerabilities, this is one both RedHat and VMware should have taken care of.

There are a number of workarounds for some of these, mostly involving stripping out environment variables.

Aside from security holes, 1.6.8 put in a lot of new features, including logging of commands issued in a sudo-invoked root shell. So I'll be looking to upgrade. It would be great if VMware packaged the RPM.

For a list of changes to sudo see:

http://www.gratisoft.us/sudo/current.html

Texiwill
Leadership

Hello,

Mostly these are minor security issues and NOT reported to the CVE database. The fixes are implemented by adding the following line to the top of /etc/sudoers (or some more complex forms using env_delete):

Defaults env_reset

In addition, a badly formed /etc/sudoers file WILL place the security problems back into play even in the latest release.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=2005-1993 is the only one reported to the CVE database. Its workaround is: the administrator can order the sudoers file such that all entries granting Sudo ALL privileges precede all other entries.

However, since these problems do exist and SUDO is very important to use on ESX, it would be best to have an updated package from VMware. But also, since there are workarounds, concentrating on the ones where there are no workarounds is generally the order of the day.

Since SUDO does not require kernel packages, it is easy enough to rebuild for ESX. If you would rather not implement the workarounds, recompilation from source is always an option until VMware replaces the package. Actually, the latest release of sudo is not available in RH until RHEL5 or Fedora Core 5.

Best regards,

Edward

--
Edward L. Haletky
vExpert XII: 2009-2020,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
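A small POSIX sh audit for the two workarounds Edward describes (env_reset at the top of /etc/sudoers, and ALL-granting entries ordered first), added here as an illustration and not part of the original thread; it assumes a plain sudoers file without #include directives and treats an entry as granting ALL only when its command list is exactly ALL:

```shell
#!/bin/sh
# Added example, not from the thread: audit a sudoers file for the two
# workarounds discussed above, using only sh, grep and awk.
# Assumptions: a plain sudoers file without #include, and an entry "grants
# ALL" when its command list (after any runas and tag) is exactly ALL.

# 0 if an uncommented "Defaults ... env_reset" line is present, 1 otherwise.
has_env_reset() {
    grep -E '^[[:space:]]*Defaults[[:space:]]' "$1" |
        grep -Eq '(^|[[:space:],])env_reset([[:space:],]|$)'
}

# 0 if every entry granting ALL precedes every entry that does not
# (the ordering workaround for CVE-2005-1993 cited above), 1 otherwise.
all_entries_first() {
    awk '
        /^[[:space:]]*(#|$)/ { next }                 # comments and blanks
        /^[[:space:]]*(Defaults|User_Alias|Host_Alias|Cmnd_Alias|Runas_Alias)/ { next }
        {
            line = $0
            sub(/^[^=]*=[[:space:]]*/, "", line)        # drop "user host ="
            sub(/^\([^)]*\)[[:space:]]*/, "", line)     # drop "(runas)"
            sub(/^(NOPASSWD|PASSWD|NOEXEC|EXEC):[[:space:]]*/, "", line)
            sub(/[[:space:]]+$/, "", line)
            if (line == "ALL") { if (seen_other) bad = 1 } else seen_other = 1
        }
        END { exit bad + 0 }
    ' "$1"
}

# Prints one line per check and returns 1 if any check failed.
audit_sudoers() {
    rc=0
    if has_env_reset "$1"; then echo "ok:   Defaults env_reset is set"
    else echo "WARN: no 'Defaults env_reset' in $1"; rc=1; fi
    if all_entries_first "$1"; then echo "ok:   ALL-granting entries come first"
    else echo "WARN: an ALL-granting entry follows a more specific one in $1"; rc=1; fi
    return $rc
}

# usage: ./audit_sudoers.sh /etc/sudoers
if [ "$#" -eq 1 ]; then audit_sudoers "$1"; fi
```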