Date: 01 February 2012
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT Security Bulletin
ASB-2012.0015
A vulnerability exists which can lead to a crash or privilege elevation
1 February 2012
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: sudo
Operating System: UNIX variants (UNIX, Linux, OSX)
Impact/Access: Root Compromise -- Existing Account
Denial of Service -- Existing Account
Resolution: Patch/Upgrade
CVE Names: CVE-2012-0809
Member content until: Friday, March 2 2012
OVERVIEW
A format string vulnerability exists in sudo versions 1.8.0 through 1.8.3p1.
Sudo's debug output code uses the program name, which the invoking user
controls, as part of the format string itself rather than passing it as a
"%s" argument (see the vendor alert [1]). A local user can use this to
crash sudo or to elevate privileges to root.
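The bug class behind this bulletin, shown as an added example. This is not sudo's code or the vendor's: the functions debug_unsafe, debug_safe, has_format_directive and format_into are hypothetical names chosen here, the "hostile" program name "%x%x%n" is constructed, and the example assumes the name reaches the logging code from argv[0], which whoever executes a program chooses.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Thin wrapper around vsnprintf so the vulnerable path can be shown with a
 * non-literal format. It carries no format attribute, which is exactly why
 * the compiler cannot warn about the misuse in debug_unsafe(). */
static int format_into(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
    return n;
}

/* VULNERABLE pattern (hypothetical, modelled on the bug class): the program
 * name is spliced into the message first, and the result is then used as
 * the format string. A name such as "%x%x%n" makes the formatter read
 * arguments that were never passed and, via %n, write to memory; enough
 * "%s" directives crash the process. Behaviour with a hostile name is
 * undefined, so this function is only ever called with a vetted name. */
int debug_unsafe(char *out, size_t outsz, const char *progname, const char *msg)
{
    char fmt[256];
    snprintf(fmt, sizeof fmt, "%s: %s\n", progname, msg);  /* safe by itself */
    return format_into(out, outsz, fmt);                    /* BUG: data used as format */
}

/* HARDENED pattern: the program name is an argument to a constant format,
 * so any '%' in it is copied verbatim and never interpreted. */
int debug_safe(char *out, size_t outsz, const char *progname, const char *msg)
{
    return snprintf(out, outsz, "%s: %s\n", progname, msg);
}

/* Audit helper: does an untrusted string carry a printf directive?
 * "%%" is a literal percent sign and does not count. Handy when reviewing
 * where argv[0]-derived names flow into logging code. */
int has_format_directive(const char *s)
{
    for (; *s != '\0'; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* escaped percent, skip both characters */
            s++;
            continue;
        }
        return 1;
    }
    return 0;
}

int main(int argc, char **argv)
{
    /* argv[0] is chosen by the caller of exec(), e.g. through a link with a
     * hostile name, so it is untrusted input. */
    const char *name = argc > 0 ? argv[0] : "sudo";
    char buf[256];

    /* Constructed hostile name: the hardened logger emits it literally. */
    debug_safe(buf, sizeof buf, "%x%x%n", "debug level 9");
    fputs(buf, stdout);

    /* The vulnerable logger is only reached once the name has been vetted. */
    if (has_format_directive(name)) {
        fprintf(stderr, "refusing to log a program name containing '%%'\n");
    } else {
        debug_unsafe(buf, sizeof buf, name, "started");
        fputs(buf, stdout);
    }
    return 0;
}
```

The fix that matters is the one in debug_safe: data goes through a "%s" argument, never into the format. The has_format_directive check is a review aid for finding other call sites, not a substitute for that fix.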
IMPACT
Vulnerability description provided by the vendor:
"Successful exploitation of the bug will allow a user to run arbitrary
commands as root.
Exploitation of the bug does not require that the attacker be listed in
the sudoers file. As such, we strongly suggest that affected sites
upgrade from affected sudo versions as soon as possible."[1]
MITIGATION
Upgrade sudo to version 1.8.3p2.
REFERENCES
[1] Sudo format string vulnerability
http://www.sudo.ws/sudo/alerts/sudo_debug.html
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBTyjncu4yVqjM2NGpAQK+SA/+IihjP1VTPP4yh5+gxMSdgvPadfbQwJku
yHJAcjGipZcKQvKHFBQI0Q8R6wYSA32oG607HmufQPIzYjU2kOCaCN12sMtHuAnG
zAFdfIzQ5abF6sSQ8o9inNqjsLjxWMFDEMoSgg2wzLYWaDMCB594XhdtNOa+0x06
AgvfCglrrtKCz2RpIK7z1QevMIbyDUfxH5XRg9/5Hg4rHFelKN1mz9w5+JYG6R9U
n4Zua69EL6BW5FzYyQineftVHXEYTDcFd+tF7o+UZEvZW7gw8ZhUVGV6fwcV43SF
eiDAoO2QNSATdbSHNm7U+uA84vqWLw2MCdslwdOgvhwHL8UMCj6caQCRDMyEYccO
BYbI65Wf9qeUif/V1bFHEwMdHSk9+yOH2EQ7MO6WKltrRydFAW6gX3q0anttEN28
cZNqBt2+kgzV2VG4giCsWDTI7MqosEIaxNgaq8ub7sP1ijTrseLb6ptm/cZENa1F
LbZdTmFuwgqP3MfKU1SbWKnf1QmbxH1LaA7uaAjvtIdw3OglvOsYyAI6JZ2kYot9
CaI09IHiU7ifWtYDdya6iTCaE5bMlXEs3bR1MjGf9QKsdkPWdCxR9S+Y0juRm/ZA
kOnkj2MJWlJlHKIgbzbo0h+I5r0jxFeXR3xlfbv3OKbzV9dbB7ZA57VKOjM2xQ1H
V3BvNklDGe8=
=Blol
-----END PGP SIGNATURE-----