BT 2010 Sudo Vulnerability Analysis

8/11/2019 BT 2010 Sudo Vulnerability Analysis

1/14

BeyondTrust 2010 1Q 2011

sudo Vulnerability Report

By electing to use PowerBroker Servers, exposure to

security vulnerabilities from sudo are mitigated

AbstractThis BeyondTrust report investigates all vulnerabilities published by The NationalInstitute of Standards and Technology (NIST) sudo Security Bulletins. It reports onvulnerabilities that are mitigated by configuring users to operate without the root

password to UNIX and Linux operating systems. The results show that despiteunpredictable and evolving attacks, companies can greatly reduce risks andthreats from a myriad of security vulnerabilities by withholding root access from ITstaff.

www.beyondtrust.com

BeyondTrust

2173 Salk Avenue

Carlsbad, California 92008Phone: +1 800-234-9072

Vulnerability Report


2/14

2 2010-11 Sudo Vulnerability Report 2011. BeyondTrust Software, Inc.

Table of Contents

Executive Summary .............................................................................................................................................................. 3

About the Data Collection and Analysis ....................................................................................................................... 3

Vulnerabilities by Type and Frequency ......................................................................................................................... 4

Analysis of sudo Vulnerabilities 2010 1Q 2011........................................................................................................ 5

Dept. of Homeland Security Insider Threat Study Cautions Use of sudo ......................................................... 6

System Logs ........................................................................................................................................................................ 6

sudo Unpatched Vulnerabilities Can Illicit Illegal Activity .................................................................................. 7

Case Study Reveals Governance, Risk and Compliance (GRC) Implications with sudo ............................... 8

Conclusion ............................................................................................................................................................................... 9

About BeyondTrust ............................................................................................................................................................... 9

PowerBroker RBAC Model Benefits ....................................................................................................................... 10

How Does PowerBroker Servers Outperform sudo? ....................................................................................... 11

PowerBroker Servers sudo Migration Tool .............................................................................................................. 12

Appendix A NIST Sudo Security Bulletins ............................................................................................................... 13

Contact Information .......................................................................................................................................................... 14


3/14


Executive Summary

NIST, sudo developers, and UNIX/Linux distributors regularly identify new security vulnerabilities in

sudo that allow users with limited access rights to escalate their privileges. Additionally,administrators and users also identify a multitude of undisclosed vulnerabilities regarding sudo. The

sudo (super user do) command is intended to allow users to execute certain commands at another

user's privilege level - usually root.

By examining all of the published sudo vulnerabilities in 2010 and all of the published sudo

vulnerabilities to date, this report quantifies the risks associated with root-level access.

NIST, Todd Miller and Gratisoft are to be lauded for releasing patches to known vulnerabilities each

month. However, vulnerabilities take time to identify and patches take time to apply. In fact, some of

the recently discovered vulnerabilities significantly impact versions of sudo dating back 10-15 years.

Also, since sudo comes pre-installed on nearly every Linux and UNIX machine, it is highly likely thatorganizations have multiple versions of the utility and are often not aware of which version in on

which host, making patching an even bigger challenge.

During this period, threats can damage a corporate network and gain access to sensitive information.

As companies integrate UNIX and Linux, operating systems that are especially popular in heavily

virtualized or cloud environments, they need to include plans to mitigate risk with a more

sophisticated and secure solution for privileged access, so users can operate effectively without the

root password.

About the Data Collection and Analysis

Todd Miller and the NIST publishes Security Bulletin Summaries periodically to notify customers of the

security updates they have made to address vulnerabilities in sudo products. The following Web page

contains links to all of the sudo Security Bulletin Summaries for 2010 and Q1 2011,

http://web.nvd.nist.gov/view/vuln/search.Table 1, located in the Appendix, contains a list of all

Security Bulletins and vulnerabilities published in 2010-Q1 2011.

This report uses information found in the individual Security Bulletins to classify vulnerabilities by

Severity Rating, Vulnerability Impact, Affected OS, as well as to determine if removing root-level access

will mitigate a vulnerability.
http://web.nvd.nist.gov/view/vuln/searchhttp://web.nvd.nist.gov/view/vuln/searchhttp://web.nvd.nist.gov/view/vuln/search


4/14


Vulnerabilities by Type and FrequencyFrom 2010 through Q1 2011, the Department of Homeland Security (DHS) released 10 vulnerability

alerts for sudo with a medium or high severity rating. DHSNational Vulnerability Database(NVD) is

the U.S. government repository of standards based vulnerability management data represented using

theSecurity Content Automation Protocol(SCAP).

The chart below (Fig. 1) illustrates the types of vulnerabilities that have appeared since 2010 on DHS

National Vulnerability Database, and the number of times these vulnerabilities appeared among the

10 sudo alerts. It is important to note that multiple types of vulnerabilities have appeared in one alert

(i.e.,Allows Disclosure of Data). This data was retrieved fromhttp://web.nvd.nist.gov/view/vuln/search:

Figure 1. Number of Times a Vulnerability Appeared in sudo Alerts.

1

1http://web.nvd.nist.gov/view/vuln/search-

results?page_num=0&cves=true&query=sudo&uscert_ta=false&uscert_vn=false&oval_query=false&adv_search=false

9

2

10 10

0

2

4

6

8

10

12

Allows Unauthorized

Modification

Provides Full

Admin Access

Allows Disclosure

of Data

Allows Disruption

of Service

Numbe

rofsudoAlerts

Vulnerabilities by Type

Number of Times a Vulnerability

Appeared in sudo Alerts2010 - Q1 2011
http://nvd.nist.gov/home.cfmhttp://nvd.nist.gov/home.cfmhttp://nvd.nist.gov/home.cfmhttp://scap.nist.gov/http://scap.nist.gov/http://scap.nist.gov/http://web.nvd.nist.gov/view/vuln/searchhttp://web.nvd.nist.gov/view/vuln/searchhttp://web.nvd.nist.gov/view/vuln/searchhttp://web.nvd.nist.gov/view/vuln/search-results?page_num=0&cves=true&query=sudo&uscert_ta=false&uscert_vn=false&oval_query=false&adv_search=falsehttp://web.nvd.nist.gov/view/vuln/search-results?page_num=0&cves=true&query=sudo&uscert_ta=false&uscert_vn=false&oval_query=false&adv_search=falsehttp://web.nvd.nist.gov/view/vuln/search-results?page_num=0&cves=true&query=sudo&uscert_ta=false&uscert_vn=false&oval_query=false&adv_search=falsehttp://web.nvd.nist.gov/view/vuln/search-results?page_num=0&cves=true&query=sudo&uscert_ta=false&uscert_vn=false&oval_query=false&adv_search=falsehttp://web.nvd.nist.gov/view/vuln/search-results?page_num=0&cves=true&query=sudo&uscert_ta=false&uscert_vn=false&oval_query=false&adv_search=falsehttp://web.nvd.nist.gov/view/vuln/search-results?page_num=0&cves=true&query=sudo&uscert_ta=false&uscert_vn=false&oval_query=false&adv_search=falsehttp://web.nvd.nist.gov/view/vuln/searchhttp://scap.nist.gov/http://nvd.nist.gov/home.cfm


5/14


Analysis of sudo Vulnerabilities 2010 1Q 2011

By electing to use PowerBroker Servers, exposure to 100% of sudo vulnerabilities can be mitigated.

As mentioned in the executive summary, vulnerabilities take time to identify and patches take time to

apply. In fact, some of the recently discovered vulnerabilities significantly impact versions of sudo

dating back 10-15 years. Also, since sudo comes pre-installed on nearly every Linux and UNIX machine,

it is highly likely that organizations have multiple versions of the utility and are often not aware of

which version in on which host, making patching an even bigger challenge.

UNIX and Linux provides the platform to some of the most widely used mission-critical applications in

the world. Given the prevalence of the sudo software and number of vulnerabilities, increased securityprotection is key.

Figure 2.All reported sudo vulnerabilities are mitigated by using PowerBroker Servers.

100%

100% of sudo Vulnerabilities can be

Mitigated by using PowerBroker Servers


6/14


Dept. of Homeland Security Insider Threat StudyCautions Use of sudo

Every year, the United States DHS and CERT releasetheir annual reportthat details the research anddata regarding inside employees and their threat to an organization or critical infrastructure.

The insider threat is a problem faced by all industries and sectors today. It is an issue of growing

concern as the consequences of insider incidents can include not only financial losses, but the loss of

clients and business days. The actions of a single insider can cause damage to an organization ranging

from a few lost staff hours to negative publicity and financial damage so extensive that a business may

be forced to lay off employees or even close its doors.

Furthermore, insider incidents can have repercussions extending beyond the affected organization to

include disruption of operations or services critical to a specific sector, or the issuance of fraudulent

identities that create serious risks to public safety and national security.

This report identifies the sudo utility as a vulnerability due to the face that technical vulnerabilities can

facilitate illicit activity. Some of the technical insiders in this report took advantage of system

vulnerabilities to commit their illicit acts. It is important that organizations realize that:

System vulnerabilities provide a tactical opportunity for both external attackers and insiders

to carry out illicit activity

The organizations network and system architecture and configuration decisions can create

new vulnerabilities

System Logs

Some of the insiders came very close to successfully carrying out their malicious activities without

being identified and caught. When configuring their systems, organizations should consider the

importance of the system logs when investigating any security incidents, as well as the threat posed

to those logs by their technical users.

One insider was able to plant a logic bomb into a system utility, edit his supervisors profile to frame

him for the destruction, and edit system logs to delete all evidence of his actions. In an interview with

this particular insider he stated that the organization used wide open sudo, which enabled any user

to perform any system administration functions.

He also said that the system logging was configured so that he was able to edit all of the log files and

delete all traces of his actions except those that he purposely modified to point to his supervisor.

However, he forgot about a single system log, which took months for an external forensics expert to

locate. It is important that organizations realize that their system logs can provide valuable evidence

in case of an insider incident and configure their systems accordingly.
http://www.cert.org/archive/pdf/insiderthreat_it2008.pdfhttp://www.cert.org/archive/pdf/insiderthreat_it2008.pdfhttp://www.cert.org/archive/pdf/insiderthreat_it2008.pdfhttp://www.cert.org/archive/pdf/insiderthreat_it2008.pdf


7/14


System logs should be directed to a secure location and backed up so that they are protected from

manipulation, and can be restored in case of a system failure to trace all activities to their sources.

sudo Unpatched Vulnerabilities Can Illicit Illegal Activity

In one case cited within this report, an insider took advantage of an unpatched system vulnerability in

sudo to commit crimes. System vulnerabilities provide an avenue for unauthorized access to an

organizations systems.

External attackers must first locate the system with the vulnerabilities, but system administrators

inside an organization know which of their organizations systems are vulnerable. Therefore, should

they decide to attack their own organization, system administrators will have an easy mechanism for

gaining anonymous and unauthorized entry to the organizations systems at any time from inside or

outside the wall.

Organizations routinely assess the risk of an external attacker exploiting a system vulnerability to

obtain unauthorized access to their networks. However, it is important that organizations realize that

their own system administrators are aware of their patching policies and practices. They also fully

comprehend which of those many vulnerabilities are exploitable from outside the organizations

networks.

This insider knowledge can give them the ability to use an external account to gain access to the

system, making identification of the perpetrators much more difficult. The question companies need

to ask is, how many attacks that appear to come from external accounts are aided by insiders?

In addition to vulnerability patching, other network and system architecture and configuration

decisions made by an organization can increase risk of insider threats. For example, the organization

mentioned above that implemented wide open sudo provided an easy avenue for their insiders to

commit illicit activities.

These types of technical decisions should be considered carefully and should be reviewed by technical

staff with sufficient expertise to adequately assess the potential consequences.


8/14


Case Study Reveals Governance, Risk and Compliance (GRC)Implications with sudo2

CETREL S.A. (www.cetrel.lu), a leader in advanced electronic payment technology, expert in electronic

transfers, and a trusted partner for electronic payment offers, experienced significant compliance and

auditing challenges using sudo to manage their IT environment.

Nicolas Debeffe, head of operational security at CETREL, is responsible for overseeing CETRELs

security operations, which includes their complex IT environment. For the last

several years, Mr. Debeffes security team had been using sudo to manage their critical

Unix/Linux assets and trace any access from CETRELs support teams to applicative or generic users.

While sudo initially seemed to manage CETRELs IT environment, they soon discovered

that there was an imminent need to find a simpler and more secure method to manage access and

accountability to generic users.

As we have been continually adding Unix and Linux servers to our

environment, as required for our operations, it was clear sudo raised

significant red flags over the adequate security over our logs required

by PCI DSS mandates, said Nicolas Debeffe.

Productivity was being hindered, as reviewing sudo logs required

accessing every server individually. Furthermore, sudo logs were

alterable by the super user and the sudo configuration time required

by system engineers was simply unacceptable, added Debeffe.

This example is a very common and real challenge for security managers globally, and the faster

organizations are cognizant of such red flags, the faster preventative measures can be implemented

from a strategically and compliant perspective.

2http://www.beyondtrust.com/PDFS/BeyondTrust_Cetrel_SA_CS_100319.pdf
http://www.beyondtrust.com/PDFS/BeyondTrust_Cetrel_SA_CS_100319.pdfhttp://www.beyondtrust.com/PDFS/BeyondTrust_Cetrel_SA_CS_100319.pdfhttp://www.beyondtrust.com/PDFS/BeyondTrust_Cetrel_SA_CS_100319.pdfhttp://www.beyondtrust.com/PDFS/BeyondTrust_Cetrel_SA_CS_100319.pdf


9/14


ConclusionTodd Miller, NIST, and UNIX /Linux distributors do a commendable job of publically disclosing detailed

information about vulnerabilities and providing patches every month. However, software

vulnerabilities take time to identify and due to complex corporate environments, deploying patches

take time to apply. It is during this period of time that exploits of unpatched or undiscovered

vulnerabilities can damage a corporate network and gain access to sensitive information.

This report demonstrates the critical role that restricting administrator rights plays in protecting

against vulnerabilities. As companies evaluate their UNIX and Linux environments they need to

include plans to implement a server Privilege Identity Management (PIM) solution in order to reduce

the severity or prevent the exploitation of undiscovered or unpatched vulnerabilities and to ensure

that their users can operate effectively without the root password.

About BeyondTrustBeyondTrust is the global leader in privilege authorization management, access control and security

solutions for virtualization and cloud computing environments. BeyondTrust empowers IT governance

to strengthen security, improve productivity, drive compliance and reduce expense. The companys

products eliminate the risk of intentional, accidental and indirect misuse of privileges on desktops and

servers in heterogeneous IT systems.

With more than 25 years of global success, BeyondTrust is the pioneer of Privileged Identity

Management (PIM) solutions for heterogeneous IT environments. More than half of the companies

listed on the Dow Jones Industrial Average rely on BeyondTrust to secure their enterprises. Customers

include eight of the world's 10 largest banks, seven of the world's 10 largest aerospace and defense

firms, and six of the 10 largest U.S. pharmaceutical companies, as well as renowned universities.

The company is privately held, and headquartered in Carlsbad, California, with offices in the greater

Los Angeles area, greater Boston area, Washington DC, as well as EMEA offices in London, UK.


10/14


PowerBroker RBAC Model Benefits

Redundant permissions residing on multiple sudo files can now be consolidated into a single

streamlined policy file to ensure consistent protection, management and auditing.

This RBAC Model provides you with the ability to:

Reconfigure permissions

Regroup permissions

View Entitlement Reports

Entitlement reporting provides an essential element of audit control.

The reports contain RBAC information and list the selected object type (such as user, user group) at

the top level of the report. The entitlement reports are available as detail reports and as summary

reports.


11/14


How Does PowerBroker Servers Outperform sudo?

PowerBroker Servers has a variety of features that allow enterprises to meet security and compliance

objectives quickly and effectively using our cost-effective RBAC Model. PowerBroker increases

productivity via the following features:

Supports remote login and execution of a privileged command

Supports a list of unlimited input filters that can force the session to terminate whenever a

forbidden input pattern is detected

Supports the ability for a forbidden input pattern to be matched using a shell or regular

expression

Offers native support for the secure retrieval of a privileged user credential over a password

vault when accessing a remote server via Telnet or SSH

Offers native support for either a Telnet or SSH client that can monitor a remote session(s)

Offers native support for a web-based GUI that can be used for configuration and the

management of a list of remote tasks

Offers native support for remote i/o logging. PowerBroker can send data to a remote server

for automatic logging in order to preserve the integrity of the captured data

Can encrypt the session data when it is sent to a remote server and upon receipt, can also

encrypt this data so as to prevent viewing and/or tampering without using the supplied

PowerBroker tools

without using the supplied PowerBroker tools

Provides native support for failover authorization and logging servers, which includes log

synchronization over multiple log servers

Provides native support for a UNIX shell (pbsh and/or pbksh) that can be configured to

authorize a user request and optionally log session data


12/14


PowerBroker Servers sudo Migration Tool

sudo is a good stepping stone for smaller scale environments, but lacks architectural vision or general

security of code intended to protect critical assets. In smaller environments when policies are

enforced based on user names, well-defined security policies can be put in place most of the time.

But in enterprise environments when policies mix the security considerations (i.e., using usernames

and group names), an organization can end up with conflicting policies and a potentially ever-

growing list of constraints. This will lead to maintenance issues and a weakened security

environment. PowerBroker Servers provide the tools necessary to ensure a strengthened security

and compliant IT environment.


13/14


Appendix A NIST Sudo Security Bulletins

Table 1.All vulnerabilities published in NIST 2010-1Q 2011 sudo Security Bulletins

Date

Bulletin

ID and

Link

Vulnerability TargetSeverity

RatingImpact of Vulnerability

Affected

Operating

System

Mitigated by

PowerBroker

Servers

Jan-11

pam_namespace.c in

the pam_namespace

module in Linux-PAM

(aka pam)

CVE-2010-

3853

6.9

Medium

Allows unauthorized disclosure of

information; Allows unauthorized

modification; Allows disruption of service

Linux Yes

Jan-11

A certain Fedora patch

for parse.c in sudo

before 1.7.4p5-1.fc14

on Fedora 14

CVE-2011-

0008

6.9

Medium

Provides administrator access, Allows

complete confidentiality, integrity, and

availability violation; Allows unauthorized

disclosure of information; Allows disruption

of service

UNIX &

LinuxYes

Jan-11Check .c in sudo 1.7.x

before 1.7.4p5

CVE-2011-

0010

4.4

Medium




UNIX &

LinuxYes

Sep-10Sudo 1.7.0 through

1.7.4p3

CVE-2010-

2956

6.2

Medium




UNIX &

LinuxYes

Aug-10

The sudo feature in

Bugzilla 2.22rc1

through 3.2.7, 3.3.1

through 3.4.7, 3.5.1

through 3.6.1, and 3.7through 3.7.2

CVE-2010-

2757

6.5

Medium




UNIX &

LinuxYes

Jun-10

The secure path

feature in env.c in

sudo 1.3.1 through

1.6.9p22 and 1.7.0

through 1.7.2p6

CVE-2010-

1646

6.2

Medium




UNIX &

LinuxYes

Apr-10

The command

matching functionality

in sudo 1.6.8 through

1.7.2p5

CVE-2010-

1163

6.9

Medium




UNIX &

LinuxYes

Feb-10sudo 1.6.x before

1.6.9p21

CVE-2010-

0427

4.4

Medium




UNIX &

LinuxYes

Feb-10

sudo 1.6.x before

1.6.9p21 and 1.7.x

before 1.7.2p4,

CVE-2010-

0426

6.9

Medium

Provides administrator access, Allows

complete confidentiality, integrity, and

availability violation; Allows unauthorized

disclosure of information; Allows disruption

of service

UNIX &

LinuxYes

Feb-10

Accellion Secure File

Transfer Appliance

before 8_0_105

CVE-2009-

4648

7.2

High




UNIX &

LinuxYes
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3853http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3853http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0008http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0008http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0010http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0010http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2757http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2757http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1646http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1646http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1163http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1163http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0427http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0427http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0426http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0426http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4648http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4648http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4648http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4648http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0426http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0426http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0427http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0427http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1163http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1163http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1646http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1646http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2757http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2757http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0010http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0010http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0008http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0008http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3853http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3853


14/14


Contact Information

For more information about this report or if you have any questions, please contact:

BeyondTrust

Corporate Headquarters

2173 Salk Avenue

Carlsbad, CA 92008

+1 818-575-4000 (tel)

[email protected]
mailto:[email protected]:[email protected]:[email protected]

Date post:	02-Jun-2018
Category:	Documents
Upload:	matin147
View:	228 times
Download:	0 times

BT 2010 Sudo Vulnerability Analysis

Documents