In this week’s digest, we will discuss:
- How Sudoedit can edit arbitrary files;
- Drupal and Git security advisories; and
- A denial of service vulnerability in HAProxy.
Sudoedit can edit arbitrary files
CVE ID: CVE-2023-22809
Sudo is a program that allows a system administrator to give selected users the ability to run commands as root. Synacktiv discovered this vulnerability, a sudoers policy bypass that can lead to privilege escalation by using sudoedit to edit files the policy does not authorize. The affected versions of Sudo range from 1.8.0 to 1.9.12p1.
When using sudoedit, users choose their editor through environment variables such as SUDO_EDITOR, VISUAL, and EDITOR. The content of these variables is appended to the actual command passed to the sudo_edit() function, and a “--” argument marks where the list of files to edit begins. Injecting an extra “--” argument through one of these user-controlled environment variables can alter that list and lead to privilege escalation by editing any other file with the target user’s privileges.
Detection
The vulnerability can be detected by running the following command as a user who is granted permission in /etc/sudoers to edit a specific file, such as /etc/custom/service.conf.
$ cat /etc/sudoers
user ALL=(ALL:ALL) sudoedit /etc/custom/service.conf
[...]
$ EDITOR='vim -- /etc/passwd' sudoedit /etc/custom/service.conf
Mitigation
Other than upgrading to the patched version, it is also possible to mitigate the vulnerability by adding the affected environment variables to the env_delete deny list when using sudoedit.
Defaults!SUDOEDIT env_delete+="SUDO_EDITOR VISUAL EDITOR"
Cmnd_Alias SUDOEDIT = sudoedit /etc/custom/service.conf
user ALL=(ALL:ALL) SUDOEDIT
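As an added example (not code from the advisory or the sudo project), the following Python audit checks a `sudo --version` string against the affected range and scans sudoers text for sudoedit rules that lack the env_delete hardening shown above. The alias name SUDOEDIT and the path /etc/custom/service.conf come from the digest; the sudoers parser is a deliberate simplification of the real grammar that only models the advisory's mitigation pattern.

```python
import re
# Affected range from the advisory: 1.8.0 through 1.9.12p1 (the "pN" patch suffix becomes a 4th component)
AFFECTED_MIN, AFFECTED_MAX = (1, 8, 0, 0), (1, 9, 12, 1)
EDITOR_VARS = {"SUDO_EDITOR", "VISUAL", "EDITOR"}

def parse_sudo_version(output):
    """Turn `sudo --version` output (e.g. "Sudo version 1.9.12p1") into a comparable tuple."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?", output)
    if not m:
        raise ValueError("no sudo version found in %r" % output)
    return tuple(int(x or 0) for x in m.groups())

def version_is_affected(output):
    return AFFECTED_MIN <= parse_sudo_version(output) <= AFFECTED_MAX

def unprotected_sudoedit_rules(sudoers):
    """Return sudoedit rules not covered by an env_delete entry removing all three editor variables.
    Simplified model: plain `Defaults env_delete+=` covers everything, `Defaults!ALIAS` covers that alias."""
    aliases, protected, rules = {}, set(), []
    for raw in sudoers.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("Defaults"):
            m = re.match(r'Defaults(?:!(\w+))?\s+env_delete\s*\+?=\s*"([^"]*)"', line)
            if m and EDITOR_VARS <= set(m.group(2).split()):
                protected.add(m.group(1) or "*")          # "*" marks a global Defaults entry
            continue
        m = re.match(r"Cmnd_Alias\s+(\w+)\s*=\s*(.+)", line)
        if m:
            aliases[m.group(1)] = m.group(2).strip()
            continue
        m = re.match(r"\S+\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(.+)", line)   # user host=(runas) commands
        if m:
            rules.append(m.group(1))
    if "*" in protected:
        return []
    findings = []
    for cmd in (c.strip() for rule in rules for c in rule.split(",")):
        cmd = re.sub(r"^(?:\w+:\s*)+", "", cmd)                         # drop tags such as NOPASSWD:
        if cmd.startswith("sudoedit"):                                  # inline rule: no Defaults! target
            findings.append(cmd)
        elif cmd in aliases and aliases[cmd].startswith("sudoedit") and cmd not in protected:
            findings.append("%s = %s" % (cmd, aliases[cmd]))
    return findings

VULNERABLE_SUDOERS = "user ALL=(ALL:ALL) sudoedit /etc/custom/service.conf\n"   # constructed: digest's rule
HARDENED_SUDOERS = ('Defaults!SUDOEDIT env_delete+="SUDO_EDITOR VISUAL EDITOR"\n'   # constructed: hardening
                    "Cmnd_Alias SUDOEDIT = sudoedit /etc/custom/service.conf\n"
                    "user ALL=(ALL:ALL) SUDOEDIT\n")
```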
Drupal security advisories
Drupal has released security advisories to address vulnerabilities affecting multiple products. An attacker could exploit these vulnerabilities to access sensitive information. CISA encourages users and administrators to review the following Drupal security advisories and apply the necessary updates.
Drupal Core – Information Disclosure
Security advisories code: SA-CORE-2023-001
Users with access to edit content could see the metadata of media items they are not authorized to access, due to improper entity access checking in the Media Library module. The vulnerability is mitigated by the fact that the inaccessible media is only visible to users who can already edit content that includes a media reference field.
Drupal versions prior to 9.4.x are end-of-life; it is recommended to update to the latest versions, including Drupal 10.0.2, Drupal 9.5.2, and Drupal 9.4.10.
Entity Browser – Information Disclosure
Security advisories code: SA-CONTRIB-2023-002
The Entity Browser module lets users select entities for entity reference fields through a custom entity browser widget. This vulnerability allows users with access to edit content to see the metadata of entities they are not authorized to access, as the module does not check entity access properly. The vulnerability is mitigated by the fact that the inaccessible entities are only visible to users who can already edit the content using Entity Browser. If using the Entity Browser module for Drupal 9 or 10, upgrade it to version 8.x-2.9 to fix the vulnerability.
Media Library Block – Information Disclosure
Security advisories code: SA-CONTRIB-2023-003
The Media Library Block module allows users to render media entities in a block. Because the module does not properly check media access, users could see media they are not authorized to access if a block containing restricted media items is on the page. This unauthorized access can be mitigated by removing blocks that reference media items with access restrictions. If using the Media Library Block module for Drupal 9 or 10, it is recommended to upgrade it to version 1.0.4 to fix the issue.
Media Library Form API Element – Information Disclosure
Security advisories code: SA-CONTRIB-2023-004
The Media Library Form API Element module allows users to use the media library in custom forms without the Media Library Widget. Due to an improper entity access check in the module, users with access to edit content could see metadata of media items they are not authorized to access. The vulnerability is mitigated by the fact that the inaccessible media is only visible to users who can already edit content that includes a media reference field. If using the Media Library Form API Element module versions 8.x-1.* or 2.x for Drupal 9 or 10, it is recommended to upgrade the module to version 2.0.6.
Git security advisories
A security audit of the Git source code has revealed several vulnerabilities, including two of critical severity that could allow attackers to execute arbitrary code after successfully exploiting heap-based buffer overflow weaknesses. Both critical vulnerabilities are patched in Git versions v2.30.7, v2.31.6, v2.32.5, v2.33.6, v2.34.6, v2.35.6, v2.36.4, v2.37.5, v2.38.3, and v2.39.1.
Heap overflow in `git archive`, `git log --format` leading to RCE
CVE ID: CVE-2022-41903
git log can display commits in an arbitrary format with a --format specifier; git archive offers the same functionality through the export-subst gitattribute. When the padding operators are processed, a size_t variable is improperly stored as an int in the format_and_pad_commit() function in pretty.c, and that value is then added as an offset in a following memcpy() call. An attacker can trigger the overflow by running git log --format=… to invoke the commit formatting, or by running git archive with the export-subst attribute, which expands the format specifier for a file. The integer overflow can lead to remote code execution by writing attacker-controlled data into memory.
Workarounds
It is recommended to upgrade Git to the most recent version, which completely fixes the vulnerability. If upgrading is not possible, users should not run git archive on an untrusted repository. If git archive is exposed via git daemon, run git config --global daemon.uploadArch false to disable the command.
gitattributes parsing integer overflow
CVE ID: CVE-2022-23521
Git allows users to define attributes for paths by adding a .gitattributes file to the repository, which contains a set of file patterns and attributes that should be set for those files matching the pattern. A few conditions can make the integer overflow happen when parsing attributes:
- when there is an excessive number of path patterns;
- when there are numerous attributes for a single pattern;
- when the declared attribute names are very long.
The overflows can be triggered when the crafted .gitattributes file is part of the commit history. Lines longer than 2KB are split silently when parsing gitattributes from a file, but not from the index. As a result, the failure can happen when the file exists in the index, in the working tree, or both. The vulnerability can lead to arbitrary heap reads and writes, resulting in remote code execution.
Workarounds
No workaround has been published; the only remedy is to upgrade Git to one of the patched versions listed above.
Denial of service vulnerability in HAProxy
CVE ID: CVE-2023-0056
HAProxy is a high-availability load balancer for HTTP applications. This vulnerability is caused by the mishandling of unexpected flags in the http_wait_for_response() function, which can crash the process. As a result, the vulnerability allows an attacker to perform a denial of service attack.
The vulnerable versions of HAProxy range from 2.0.0 to 2.7.0. The vulnerability is patched in versions 2.5.11, 2.6.8, and 2.7.2. However, fixed versions for the 2.0.x to 2.4.x branches have yet to be released.
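The Git and HAProxy advisories above each give fixes per maintenance branch rather than a single fixed version, so a plain "is the version newer than X" check is not enough. As an added example (not from either project), the Python helper below encodes the digest's patch matrix and classifies `git --version` and `haproxy -v` output by branch; treating release lines newer than the listed ones as fixed is an assumption stated in the comments.

```python
import re

# Patched Git releases per maintenance branch, as listed in the digest (CVE-2022-41903, CVE-2022-23521)
GIT_FIXED = {(2, 30): 7, (2, 31): 6, (2, 32): 5, (2, 33): 6, (2, 34): 6,
             (2, 35): 6, (2, 36): 4, (2, 37): 5, (2, 38): 3, (2, 39): 1}
# HAProxy (CVE-2023-0056): affected 2.0.0 through 2.7.0; patched releases exist only on these branches
HAPROXY_AFFECTED = ((2, 0, 0), (2, 7, 0))
HAPROXY_FIXED = {(2, 5): 11, (2, 6): 8, (2, 7): 2}

def parse_version(output):
    """Extract (major, minor, patch) from `git --version` or `haproxy -v` output."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", output)
    if not m:
        raise ValueError("no version number in %r" % output)
    return tuple(int(x) for x in m.groups())

def git_status(output):
    """'fixed', 'vulnerable' (a patched release exists on this branch but is not installed),
    or 'no-fix-on-branch' (older than 2.30: only moving to a patched branch helps)."""
    major, minor, patch = parse_version(output)
    branch = (major, minor)
    if branch > max(GIT_FIXED):        # assumption: later release lines carry the fix
        return "fixed"
    if branch in GIT_FIXED:
        return "fixed" if patch >= GIT_FIXED[branch] else "vulnerable"
    return "no-fix-on-branch"

def haproxy_status(output):
    """'fixed', 'vulnerable', 'no-fix-on-branch' (2.0.x to 2.4.x at the time of the digest),
    or 'outside-listed-range' for versions the digest does not describe as affected."""
    v = parse_version(output)
    branch = v[:2]
    if branch in HAPROXY_FIXED:
        return "fixed" if v[2] >= HAPROXY_FIXED[branch] else "vulnerable"
    if HAPROXY_AFFECTED[0] <= v <= HAPROXY_AFFECTED[1]:
        return "no-fix-on-branch"
    return "outside-listed-range"

def triage(git_output, haproxy_output):
    """Combine both checks into one dict suitable for a fleet inventory report."""
    return {"git": git_status(git_output), "haproxy": haproxy_status(haproxy_output)}
```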