J-Security Center

Title: Todd Miller Sudo Kerberos Authentication Local Authentication Bypass Weakness

Severity: MODERATE

Description:

The 'sudo' utility is a widely used Linux/UNIX command that allows users to securely run commands as the superuser or as other users. Kerberos is a centrally controlled network-authentication protocol.

The 'sudo' utility is prone to a local authentication-bypass weakness when used in conjunction with Kerberos. Attackers must first gain local, interactive access to a computer running sudo configured to authenticate via Kerberos. They may do this by exploiting other latent vulnerabilities.

Specifically, this issue occurs because the software fails to properly handle a missing service key error in the 'verify_krb_v5_tgt()' function in the 'auth/kerb5.c' source file.

For computers configured as Kerberos 5 clients, a missing service key means that the 'sudo' utility cannot verify that the KDC it obtained credentials from is genuine. This allows attackers to host a fake KDC that responds with successful authentication to all requests.

When exploiting this issue on computers where 'sudo' is linked with the MIT Kerberos 5 implementation, attackers may set environment variables to force this error condition, facilitating the authentication bypass even when Kerberos has not been configured in a vulnerable manner.
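The following Python model, added here and not taken from sudo or from any Kerberos implementation, illustrates the failure mode described above: an HMAC tag stands in for encryption of a service ticket under the host's service key, and the `fail_open` flag reproduces treating a missing key as "verified" rather than as a failure. The principal name, keys and client name are constructed.

```python
import hashlib
import hmac

# Constructed values; the service principal a Kerberos host would hold in its keytab.
SERVICE_PRINCIPAL = "host/client.example.test@EXAMPLE.TEST"
TAG_LEN = hashlib.sha256().digest_size


class Kdc:
    """A KDC that issues service tickets 'encrypted' under whatever key it holds.
    A genuine KDC holds the host's real service key; a rogue KDC does not."""

    def __init__(self, service_key: bytes) -> None:
        self.service_key = service_key

    def issue_service_ticket(self, client: str, service: str) -> bytes:
        body = f"{client}->{service}".encode()
        # HMAC over the ticket body stands in for encryption under the service key.
        return body + hmac.new(self.service_key, body, hashlib.sha256).digest()


def verify_tgt(kdc: Kdc, keytab: dict, client: str, *, fail_open: bool) -> bool:
    """Model of the post-TGT check: request a ticket for the local host's service
    principal and require that it was issued under the key stored in the keytab.
    fail_open=True reproduces the weakness: a missing service key is treated as
    'verified' instead of as a verification failure."""
    service_key = keytab.get(SERVICE_PRINCIPAL)
    if service_key is None:
        return fail_open
    ticket = kdc.issue_service_ticket(client, SERVICE_PRINCIPAL)
    body, tag = ticket[:-TAG_LEN], ticket[-TAG_LEN:]
    expected = hmac.new(service_key, body, hashlib.sha256).digest()
    return body == f"{client}->{SERVICE_PRINCIPAL}".encode() and hmac.compare_digest(tag, expected)


def outcomes() -> dict:
    """Run the cases the advisory describes and return each verdict."""
    real_key = b"constructed-real-service-key"
    genuine, rogue = Kdc(real_key), Kdc(b"constructed-rogue-key")
    keytab = {SERVICE_PRINCIPAL: real_key}
    return {
        "genuine_kdc_with_keytab": verify_tgt(genuine, keytab, "alice", fail_open=True),
        "rogue_kdc_with_keytab": verify_tgt(rogue, keytab, "alice", fail_open=True),
        "rogue_kdc_no_keytab_fail_open": verify_tgt(rogue, {}, "alice", fail_open=True),
        "rogue_kdc_no_keytab_fail_closed": verify_tgt(rogue, {}, "alice", fail_open=False),
    }


if __name__ == "__main__":
    for case, accepted in outcomes().items():
        print(f"{case}: {'ACCEPTED' if accepted else 'rejected'}")
```

Only the third case accepts the rogue KDC: with a key in the keytab the forged ticket is rejected, and with fail-closed handling the missing key is itself a rejection.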

Successfully exploiting this issue allows local attackers to bypass sudo's authentication prompt, allowing them to perform actions that are granted to users via the 'sudoers' file.

This issue affects 'sudo' 1.6.8p12; other versions may also be affected.

Affected Products:

  • Todd Miller Sudo 1.6.8p12

References:

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.