{
  "threat_severity" : "Important",
  "public_date" : "2019-10-14T15:00:00Z",
  "bugzilla" : {
    "description" : "sudo: Privilege escalation via 'Runas' specification with 'ALL' keyword",
    "id" : "1760531",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1760531"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.0",
    "cvss3_scoring_vector" : "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-267",
  "details" : [ "In Sudo before 1.8.28, an attacker with access to a Runas ALL sudoer account can bypass certain policy blacklists and session PAM modules, and can cause incorrect logging, by invoking sudo with a crafted user ID. For example, this allows bypass of !root configuration, and USER= logging, for a \"sudo -u \\#$((0xffffffff))\" command.", "A flaw was found in the way sudo implemented running commands with arbitrary user ID. If a sudoers entry is written to allow the attacker to run a command as any user except root, this flaw can be used by the attacker to bypass that restriction." ],
  "statement" : "This flaw only affects specific, non-default configurations of sudo, in which sudoers configuration entry allows a user to run a command as any user except root, for example:\nsomeuser myhost = (ALL, !root) /usr/bin/somecommand\nThis configuration allows user \"someuser\" to run somecommand as any other user except root. However, this flaw also allows someuser to run somecommand as root by specifying the target user using the numeric id of -1. Only the specified command can be run, this flaw does NOT allow user to run other commands that those specified in the sudoers configuration.\nAny other configurations of sudo (including configurations that allow user to run commands as any user including root and configurations that allow user to run command as a specific other user)  are NOT affected by this flaw.\nRed Hat Virtualization Hypervisor includes an affected version of sudo, however the default configuration is not vulnerable to this flaw.",
  "acknowledgement" : "Red Hat would like to thank the Sudo project for reporting this issue. Upstream acknowledges Joe Vennix (Apple Information Security) as the original reporter.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 5 Extended Lifecycle Support",
    "release_date" : "2019-12-10T00:00:00Z",
    "advisory" : "RHSA-2019:4191",
    "cpe" : "cpe:/o:redhat:rhel_els:5",
    "package" : "sudo-0:1.7.2p1-31.el5_11.1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "release_date" : "2019-11-06T00:00:00Z",
    "advisory" : "RHSA-2019:3755",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6",
    "package" : "sudo-0:1.8.6p3-29.el6_10.2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6.5 Advanced Update Support",
    "release_date" : "2019-11-18T00:00:00Z",
    "advisory" : "RHSA-2019:3895",
    "cpe" : "cpe:/o:redhat:rhel_aus:6.5",
    "package" : "sudo-0:1.8.6p3-12.el6_5.2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6.6 Advanced Update Support",
    "release_date" : "2019-11-06T00:00:00Z",
    "advisory" : "RHSA-2019:3754",
    "cpe" : "cpe:/o:redhat:rhel_aus:6.6",
    "package" : "sudo-0:1.8.6p3-15.el6_6.2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "release_date" : "2019-10-24T00:00:00Z",
    "advisory" : "RHSA-2019:3197",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7",
    "package" : "sudo-0:1.8.23-4.el7_7.1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7.2 Advanced Update Support",
    "release_date" : "2019-10-31T00:00:00Z",
    "advisory" : "RHSA-2019:3278",
    "cpe" : "cpe:/o:redhat:rhel_aus:7.2",
    "package" : "sudo-0:1.8.6p7-17.el7_2.2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7.2 Telco Extended Update Support",
    "release_date" : "2019-10-31T00:00:00Z",
    "advisory" : "RHSA-2019:3278",
    "cpe" : "cpe:/o:redhat:rhel_tus:7.2",
    "package" : "sudo-0:1.8.6p7-17.el7_2.2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7.2 Update Services for SAP Solutions",
    "release_date" : "2019-10-31T00:00:00Z",
    "advisory" : "RHSA-2019:3278",
    "cpe" : "cpe:/o:redhat:rhel_e4s:7.2",
    "package" : "sudo-0:1.8.6p7-17.el7_2.2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7.3 Advanced Update Support",
    "release_date" : "2019-10-29T00:00:00Z",
    "advisory" : "RHSA-2019:3219",
    "cpe" : "cpe:/o:redhat:rhel_aus:7.3",
    "package" : "sudo-0:1.8.6p7-23.el7_3.2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7.3 Telco Extended Update Support",
    "release_date" : "2019-10-29T00:00:00Z",
    "advisory" : "RHSA-2019:3219",
    "cpe" : "cpe:/o:redhat:rhel_tus:7.3",
    "package" : "sudo-0:1.8.6p7-23.el7_3.2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7.3 Update Services for SAP Solutions",
    "release_date" : "2019-10-29T00:00:00Z",
    "advisory" : "RHSA-2019:3219",
    "cpe" : "cpe:/o:redhat:rhel_e4s:7.3",
    "package" : "sudo-0:1.8.6p7-23.el7_3.2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7.4 Advanced Update Support",
    "release_date" : "2019-10-28T00:00:00Z",
    "advisory" : "RHSA-2019:3209",
    "cpe" : "cpe:/o:redhat:rhel_aus:7.4",
    "package" : "sudo-0:1.8.19p2-12.el7_4.1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7.4 Telco Extended Update Support",
    "release_date" : "2019-10-28T00:00:00Z",
    "advisory" : "RHSA-2019:3209",
    "cpe" : "cpe:/o:redhat:rhel_tus:7.4",
    "package" : "sudo-0:1.8.19p2-12.el7_4.1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions",
    "release_date" : "2019-10-28T00:00:00Z",
    "advisory" : "RHSA-2019:3209",
    "cpe" : "cpe:/o:redhat:rhel_e4s:7.4",
    "package" : "sudo-0:1.8.19p2-12.el7_4.1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7.5 Extended Update Support",
    "release_date" : "2019-10-24T00:00:00Z",
    "advisory" : "RHSA-2019:3204",
    "cpe" : "cpe:/o:redhat:rhel_eus:7.5",
    "package" : "sudo-0:1.8.19p2-14.el7_5.1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7.6 Extended Update Support",
    "release_date" : "2019-10-24T00:00:00Z",
    "advisory" : "RHSA-2019:3205",
    "cpe" : "cpe:/o:redhat:rhel_eus:7.6",
    "package" : "sudo-0:1.8.23-3.el7_6.1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2019-11-05T00:00:00Z",
    "advisory" : "RHSA-2019:3694",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "sudo-0:1.8.25p1-8.el8_1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions",
    "release_date" : "2020-02-04T00:00:00Z",
    "advisory" : "RHSA-2020:0388",
    "cpe" : "cpe:/o:redhat:rhel_e4s:8.0",
    "package" : "sudo-0:1.8.25p1-4.el8_0.2"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "release_date" : "2019-11-21T00:00:00Z",
    "advisory" : "RHSA-2019:3941",
    "cpe" : "cpe:/a:redhat:openshift:4.1",
    "package" : "machine-os-content-container"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "release_date" : "2019-11-19T00:00:00Z",
    "advisory" : "RHSA-2019:3916",
    "cpe" : "cpe:/a:redhat:openshift:4.2",
    "package" : "machine-os-content-container"
  }, {
    "product_name" : "Red Hat Virtualization 4.2 for Red Hat Enterprise Linux 7.6 EUS",
    "release_date" : "2019-10-30T00:00:00Z",
    "advisory" : "RHBA-2019:3248",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7::hypervisor",
    "package" : "redhat-release-virtualization-host-0:4.2-15.1.el7",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat Virtualization 4.2 for Red Hat Enterprise Linux 7.6 EUS",
    "release_date" : "2019-10-30T00:00:00Z",
    "advisory" : "RHBA-2019:3248",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7::hypervisor",
    "package" : "redhat-virtualization-host-0:4.2-20191022.0.el7_6",
    "impact" : "low"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2019-14287\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-14287\nhttps://www.sudo.ws/alerts/minus_1_uid.html" ],
  "csaw" : true,
  "name" : "CVE-2019-14287",
  "mitigation" : {
    "value" : "This vulnerability only affects configurations of sudo that have a runas user list that includes an exclusion of root.  The most simple example is:\n~~~\nsomeuser ALL=(ALL, !root) /usr/bin/somecommand\n~~~\nThe exclusion is specified using an excalamation mark (!).  In this example, the \"root\" user is specified by name.  The root user may also be identified in other ways, such as by user id:\n~~~\nsomeuser ALL=(ALL, !#0) /usr/bin/somecommand\n~~~\nor by reference to a runas alias:\n~~~\nRunas_Alias MYGROUP = root, adminuser\nsomeuser ALL=(ALL, !MYGROUP) /usr/bin/somecommand\n~~~\nTo ensure your sudoers configuration is not affected by this vulnerability, we recommend examining each sudoers entry that includes the `!` character in the runas specification, to ensure that the root user is not among the exclusions.  These can be found in the /etc/sudoers file or files under /etc/sudoers.d.",
    "lang" : "en:us"
  }
}