CVE-2023-22809

In Sudo before 1.9.12p2, the sudoedit (aka -e) feature mishandles extra arguments passed in the user-provided environment variables (SUDO_EDITOR, VISUAL, and EDITOR), allowing a local attacker to append arbitrary entries to the list of files to process. This can lead to privilege escalation. Affected versions are 1.8.0 through 1.9.12.p1. The problem exists because a user-specified editor may contain a – argument that defeats a protection mechanism, e.g., an EDITOR=vim – /path/to/extra/file value.

Weakness

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

Affected Software

Potential Mitigations

Related Attack Patterns

• https://cwe.mitre.org/data/definitions/122.html
• https://cwe.mitre.org/data/definitions/233.html
• https://cwe.mitre.org/data/definitions/58.html

References

• http://packetstormsecurity.com/files/171644/sudo-1.9.12p1-Privilege-Escalation.html
• http://packetstormsecurity.com/files/172509/Sudoedit-Extra-Arguments-Privilege-Escalation.html
• http://packetstormsecurity.com/files/174234/Cisco-ThousandEyes-Enterprise-Agent-Virtual-Appliance-Arbitrary-File-Modification.html
• http://seclists.org/fulldisclosure/2023/Aug/21
• http://www.openwall.com/lists/oss-security/2023/01/19/1
• https://lists.debian.org/debian-lts-announce/2023/01/msg00012.html
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2QDGFCGAV5QRJCE6IXRXIS4XJHS57DDH/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/G4YNBTTKTRT2ME3NTSXAPTOKYUE47XHZ/
• https://security.gentoo.org/glsa/202305-12
• https://security.netapp.com/advisory/ntap-20230127-0015/
• https://support.apple.com/kb/HT213758
• https://www.debian.org/security/2023/dsa-5321
• https://www.sudo.ws/security/advisories/sudoedit_any/
• https://www.synacktiv.com/sites/default/files/2023-01/sudo-CVE-2023-22809.pdf