Cybersecurity researchers have discovered a new vulnerability in Sudo, an open-source security tool used on many UNIX and Linux based systems. The vulnerability (CVE-2022-43995), which affects Sudo versions 1.8.0 through 1.9.12 built with the crypt() password backend, is caused by an array-out-of-bounds error that leads to a heap-based buffer over-read. Local users with access to Sudo can trigger it by entering a password of seven characters or fewer. This article provides details about the vulnerability, including the source code snippet, links to the original references, and exploitation details.

Exploit Details

The root cause of this vulnerability is a flaw in the plugins/sudoers/auth/passwd.c file that results in an array-out-of-bounds read. For a successful exploit, an attacker must be a local user who is allowed to run Sudo. The actual impact varies depending on several factors, such as the system libraries, the processor architecture, and the compiler used to build Sudo.

The vulnerable code snippet from the passwd.c file is as follows:

#include <crypt.h>
#include <stddef.h>

/* Salt (or full stored hash) for the account being checked; defined elsewhere. */
extern const char *password_salt;

void check_passwd(const char *pw)
{
    char *enc_pw;

    /* crypt() hashes the user-supplied password with the stored salt. */
    enc_pw = crypt(pw, password_salt);
    if (enc_pw == NULL) {
        /* handle error: crypt() failed (e.g. unsupported salt format) */
    } else {
        /* compare enc_pw with the stored encrypted password */
    }
}

As shown in the above code snippet, the crypt() function takes the user-supplied password and the stored password salt and returns the encrypted (hashed) password. However, the surrounding code does not properly handle the case where the entered password is seven characters or fewer in length, which leads to the heap-based buffer over-read.

- Description of Sudo: https://www.sudo.ws/introduction.html
- CVE-2022-43995 Details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43995
- Sudo Releases: https://www.sudo.ws/stable.html
- Sudo Security Advisory: https://www.sudo.ws/security.html

Mitigation

The recommended mitigation for this vulnerability is to update the affected Sudo installation to the latest available release. Additionally, administrators are advised to enforce strict access controls and grant Sudo privileges only to trusted users.
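The following inventory check is an added example, not code from the advisory or from the Sudo project. It parses the banner printed by `sudo --version` and flags versions inside the affected range; it assumes the fix shipped in the first release after 1.9.12 (1.9.12p1) and treats the patch level suffix `pN` as a fourth version component.

```python
import re
import subprocess

# Affected range from the advisory text: 1.8.0 through 1.9.12 inclusive.
# Assumption: the first fixed upstream release is 1.9.12p1.
FIRST_AFFECTED = (1, 8, 0, 0)
FIRST_FIXED = (1, 9, 12, 1)

# Matches "1.9.12" and "1.9.12p1"; the "pN" patch level is optional.
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?")

# Constructed sample of a 'sudo --version' banner for offline use.
SAMPLE_BANNER = (
    "Sudo version 1.9.12\n"
    "Sudoers policy plugin version 1.9.12\n"
    "Sudoers file grammar version 48\n"
    "Sudoers I/O plugin version 1.9.12\n"
)


def parse_sudo_version(text):
    """Return (major, minor, patch, plevel) from a banner or bare version string."""
    m = VERSION_RE.search(text)
    if m is None:
        raise ValueError("no sudo version found in %r" % text)
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def is_affected(text):
    """True if the version in 'text' falls inside the CVE-2022-43995 range."""
    return FIRST_AFFECTED <= parse_sudo_version(text) < FIRST_FIXED


def check_local_sudo():
    """Run 'sudo --version' on this host and report whether it is in range."""
    out = subprocess.run(["sudo", "--version"], capture_output=True, text=True)
    return is_affected(out.stdout)


if __name__ == "__main__":
    print("sample banner affected:", is_affected(SAMPLE_BANNER))
    print("local sudo affected:", check_local_sudo())
```

Distribution packages often backport the fix without changing the upstream version string, so treat a positive result as a prompt to confirm against the vendor's changelog rather than as proof of exposure.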

Conclusion

CVE-2022-43995 is a critical vulnerability that affects Sudo versions 1.8.0 through 1.9.12 built with the crypt() password backend. It can result in a heap-based buffer over-read when a local user with access to Sudo enters a password of seven characters or fewer. To mitigate this risk, users should update Sudo to the latest version and implement strict access control policies. Keeping systems and software up to date is vital for the overall security of your infrastructure.

Timeline

Published on: 11/02/2022 14:15:00 UTC
Last modified on: 12/06/2022 00:15:00 UTC