Lumension® Endpoint Intelligence Center

Intelligence Center » Browse All Vulnerabilities » CVE-2014-0106

Overview

Vulnerability Score 6.6 6.6
CVE Id CVE-2014-0106
Last Modified 17 Aug 2015 09:59:27
Published 11 Mar 2014 03:37:03
Confidentiality Impact COMPLETE COMPLETE
Integrity Impact COMPLETE COMPLETE
Availability Impact COMPLETE COMPLETE
Access Vector LOCAL
Access Complexity MEDIUM
Authentication SINGLE_INSTANCE

CVE-2014-0106

Summary

Sudo 1.6.9 before 1.8.5, when env_reset is disabled, does not properly check environment variables for the env_delete restriction, which allows local users with sudo permissions to bypass intended command restrictions via a crafted environment variable.

Vulnerable Systems

Application

  • Todd Miller Sudo 1.6.9

  • Todd Miller Sudo 1.6.9p20

  • Todd Miller Sudo 1.6.9p21

  • Todd Miller Sudo 1.6.9p22

  • Todd Miller Sudo 1.6.9p23

  • Todd Miller Sudo 1.7.0

  • Todd Miller Sudo 1.7.1

  • Todd Miller Sudo 1.7.10

  • Todd Miller Sudo 1.7.10p1

  • Todd Miller Sudo 1.7.10p10

  • Todd Miller Sudo 1.7.10p2

  • Todd Miller Sudo 1.7.10p3

  • Todd Miller Sudo 1.7.10p4

  • Todd Miller Sudo 1.7.10p5

  • Todd Miller Sudo 1.7.10p6

  • Todd Miller Sudo 1.7.10p7

  • Todd Miller Sudo 1.7.10p8

  • Todd Miller Sudo 1.7.10p9

  • Todd Miller Sudo 1.7.2

  • Todd Miller Sudo 1.7.2p1

  • Todd Miller Sudo 1.7.2p2

  • Todd Miller Sudo 1.7.2p3

  • Todd Miller Sudo 1.7.2p4

  • Todd Miller Sudo 1.7.2p5

  • Todd Miller Sudo 1.7.2p6

  • Todd Miller Sudo 1.7.2p7

  • Todd Miller Sudo 1.7.3b1

  • Todd Miller Sudo 1.7.4

  • Todd Miller Sudo 1.7.4p1

  • Todd Miller Sudo 1.7.4p2

  • Todd Miller Sudo 1.7.4p3

  • Todd Miller Sudo 1.7.4p4

  • Todd Miller Sudo 1.7.4p5

  • Todd Miller Sudo 1.7.4p6

  • Todd Miller Sudo 1.7.5

  • Todd Miller Sudo 1.7.6

  • Todd Miller Sudo 1.7.6p1

  • Todd Miller Sudo 1.7.6p2

  • Todd Miller Sudo 1.7.7

  • Todd Miller Sudo 1.7.8

  • Todd Miller Sudo 1.7.8p1

  • Todd Miller Sudo 1.7.8p2

  • Todd Miller Sudo 1.7.9

  • Todd Miller Sudo 1.7.9p1

  • Todd Miller Sudo 1.8.0

  • Todd Miller Sudo 1.8.1

  • Todd Miller Sudo 1.8.1p1

  • Todd Miller Sudo 1.8.1p2

  • Todd Miller Sudo 1.8.2

  • Todd Miller Sudo 1.8.3

  • Todd Miller Sudo 1.8.3p1

  • Todd Miller Sudo 1.8.3p2

  • Todd Miller Sudo 1.8.4

  • Todd Miller Sudo 1.8.4p1

  • Todd Miller Sudo 1.8.4p2

  • Todd Miller Sudo 1.8.4p3

  • Todd Miller Sudo 1.8.4p4

  • Todd Miller Sudo 1.8.4p5


References

CONFIRM - http://www.sudo.ws/sudo/alerts/env_add.html

MLIST - [oss-security] 20140305 sudo: security policy bypass when env_reset is disabled

UBUNTU - USN-2146-1

REDHAT - RHSA-2014:0266

CONFIRM - https://support.apple.com/kb/HT205031

APPLE - APPLE-SA-2015-08-13-2


Last Updated: 27 May 2016 11:04:37