前言
簡單來說,常用來在 Linux 作業系統中的 sudo 套件被發現存在嚴重漏洞,惡意人士透過「get_process_ttyname ()」這個函數的漏洞可以讓任何擁有 Shell 帳戶使用 Root 權限,即便 RHEL / CentOS 啟用 SELinux安全性機制的情況下仍無法阻擋。因此,請盡量修補你所管理的 Linux 作業系統。受影響的 Linux 發行版本
- Red Hat Enterprise Linux Server (v. 5 ELS) (sudo)
- Red Hat Enterprise Linux 6 (sudo)
- Red Hat Enterprise Linux 7 (sudo)
- Debian wheezy
- Debian jessie
- Debian stretch
- Debian sid
- Ubuntu 17.04
- Ubuntu 16.10
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
- SUSE Linux Enterprise Software Development Kit 12-SP2
- SUSE Linux Enterprise Server for Raspberry Pi 12-SP2
- SUSE Linux Enterprise Server 12-SP2
- SUSE Linux Enterprise Desktop 12-SP2
- OpenSuse
檢測系統中的 sudo 版本是否受漏洞影響
管理人員可以至 Red Hat Customer Portal - sudo: Privilege escalation via improper get_process_ttyname() parsing下載 sudo 漏洞檢測工具 cve-2017-1000367.sh進行檢測作業。簡單來說,只要 sudo 套件版本是 1.8.6p7 ~ 1.8.20都會受到此漏洞的影響,必須採用 sudo 1.8.20p1套件版本才順利修復此漏洞。對應到 RHEL 7 / CentOS 7的話版本則是 sudo-1.8.6p7-22.el7_3.x86_64才對。
如下所示,在還沒有進行 sudo 套件更新作業之前,檢測結果可以看到目前 CentOS 7.3當中的 sudo 套件 (sudo-1.8.6p7-20.el7_3.x86_64)仍受此漏洞所影響。
# cat /etc/redhat-release
CentOS Linux release 7.3.1611 (Core)
# uname -a
Linux centos73.weithenn.org 3.10.0-514.el7.x86_64 #1 SMP Tue Nov 22 16:42:41 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
# rpm -qa sudo
sudo-1.8.6p7-20.el7.x86_64
# ./cve-2017-1000367.sh
This script is primarily designed to detect CVE-2017-1000367 on supported
Red Hat Enterprise Linux systems and kernel packages.
Result may be inaccurate for other RPM based systems.
Detected 'sudo' package is 'sudo-1.8.6p7-20.el7.x86_64'.
This 'sudo' version is vulnerable.
Update 'sudo' package when possible, there are no mitigations available.
Follow https://access.redhat.com/security/vulnerabilities/3059071 for advice.
圖、系統使用具有 sudo 漏洞的套件版本
更新 sudo 套件版本修復漏洞
簡單來說,我們必須將 CentOS 7.3當中的 sudo 套件版本從原本的 sudo-1.8.6p7-20.el7_3.x86_64 升級至 sudo-1.8.6p7-22.el7_3.x86_64 版本才行。其它 CentOS 版本對應的 sudo 套件版本資訊,請參考 Red Hat Customer Portal - Important: sudo security udpate。請執行「yum -y update」即可下載及更新 sudo 修復漏洞的套件版本 (事實上,昨天也就是 2017 年 5 月 31 日還無法下載成功,今天 2017 年 6 月 1 日測試已經可以順利更新!!)。# yum -y update
# yum info sudo
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: ftp.tc.edu.tw
* elrepo: ftp.yz.yamagata-u.ac.jp
* epel: ftp.cuhk.edu.hk
* extras: ftp.tc.edu.tw
* updates: ftp.tc.edu.tw
Installed Packages
Name : sudo
Arch : x86_64
Version : 1.8.6p7
Release : 22.el7_3
Size : 2.5 M
Repo : installed
From repo : updates
Summary : Allows restricted root access for specified users
URL : http://www.courtesan.com/sudo/
License : ISC
Description : Sudo (superuser do) allows a system administrator to give certain
: users (or groups of users) the ability to run some (or all) commands
: as root while logging all commands and arguments. Sudo operates on a
: per-command basis. It is not a replacement for the shell. Features
: include: the ability to restrict what commands a user may run on a
: per-host basis, copious logging of each command (providing a clear
: audit trail of who did what), a configurable timeout of the sudo
: command, and the ability to use the same configuration file (sudoers)
: on many different machines.
圖、更新 sudo 套件版本
此時,再次使用 sudo 漏洞檢測工具 cve-2017-1000367.sh 進行檢測作業,可以發現結果是已經使用修復 sudo 漏洞的套件版本 (sudo-1.8.6p7-22.el7_3.x86_64) 了。
# cat /etc/redhat-release
CentOS Linux release 7.3.1611 (Core)
# uname -a
Linux centos73.weithenn.org 3.10.0-514.el7.x86_64 #1 SMP Tue Nov 22 16:42:41 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
# rpm -qa sudo
sudo-1.8.6p7-22.el7_3.x86_64
# ./cve-2017-1000367.sh
This script is primarily designed to detect CVE-2017-1000367 on supported
Red Hat Enterprise Linux systems and kernel packages.
Result may be inaccurate for other RPM based systems.
Detected 'sudo' package is 'sudo-1.8.6p7-22.el7_3.x86_64'.
This 'sudo' version is not vulnerable.
圖、順利更新 sudo 套件版本並修復漏洞
參考資源
- nixCraft - Linux security alert: Bug in sudo’s get_process_ttyname() [ CVE-2017-1000367 ]
- CVE-2017-1000367 - Red Hat Customer Portal
- sudo: Privilege escalation via improper get_process_ttyname() parsing - Red Hat Customer Portal
- Potential overwrite of arbitrary files on Linux
- Sudo Main Page
- Red Hat Customer Portal - Important: sudo security udpate
- rpms//sudo.git - git.centos.org