system/sudo: CVE-2019-19232: impersonation of nonexistent account through use of unallocated UID
| Field | Value |
| --- | --- |
| Bugzilla ID | 277 |
| Alias(es) | CVE-2019-19232 |
| Reporter | Max Rees (sroracle) |
| Assignee | Max Rees (sroracle) |
| Reported | 2020-04-29 12:20:37 -0500 |
| Modified | 2020-06-15 16:38:59 -0500 |
| Status | RESOLVED FIXED |
| Version | 1.0-RC1 |
| Hardware | Adélie Linux / All |
| Importance | --- / normal |
| URL | https://nvd.nist.gov/vuln/detail/CVE-2019-19232 |
Description
** DISPUTED ** In Sudo through 1.8.29, an attacker with access to a
Runas ALL sudoer account can impersonate a nonexistent user by
invoking sudo with a numeric uid that is not associated with any user.
NOTE: The software maintainer believes that this is not a
vulnerability because running a command via sudo as a user not present
in the local password database is an intentional feature. Because this
behavior surprised some users, sudo 1.8.30 introduced an option to
enable/disable this behavior with the default being disabled. However,
this does not change the fact that sudo was behaving as intended, and
as documented, in earlier versions.