
Test ID: 1.3.6.1.4.1.25623.1.1.4.2013.1594.1
Category: SuSE Local Security Checks
Title: SUSE: Security Advisory (SUSE-SU-2013:1594-1)
Summary: The remote host is missing an update for the 'sudo' package(s) announced via the SUSE-SU-2013:1594-1 advisory.
Description:
Summary:
The remote host is missing an update for the 'sudo' package(s) announced via the SUSE-SU-2013:1594-1 advisory.

Vulnerability Insight:
This LTSS rollup update fixes the following security issues, which allowed sudo authentication to be bypassed:

* CVE-2013-1775: sudo allowed local users or physically-proximate attackers to bypass intended time restrictions and retain privileges without re-authenticating by setting the system clock and sudo user timestamp to the epoch.
* CVE-2013-1776: sudo, when the tty_tickets option is enabled, did not properly validate the controlling terminal device, which allowed local users with sudo permissions to hijack the authorization of another terminal via vectors related to connecting to the standard input, output, and error file descriptors of another terminal.
* CVE-2013-2776: sudo, when running on systems without /proc or the sysctl function with the tty_tickets option enabled, did not properly validate the controlling terminal device, which allowed local users with sudo permissions to hijack the authorization of another terminal via vectors related to connecting to the standard input, output, and error file descriptors of another terminal.
* CVE-2013-2777: sudo, when the tty_tickets option is enabled, did not properly validate the controlling terminal device, which allowed local users with sudo permissions to hijack the authorization of another terminal via vectors related to a session without a controlling terminal device and connecting to the standard input, output, and error file descriptors of another terminal.

A non-security bug was also fixed:

* set global ldap option before ldap init (bnc#760697)

Security Issue references:

* CVE-2013-1775
* CVE-2013-1776
* CVE-2013-2776
* CVE-2013-2777

Affected Software/OS:
'sudo' package(s) on SUSE Linux Enterprise Server 11 SP1

Solution:
Please install the updated package(s).

CVSS Score:
6.9

CVSS Vector:
AV:L/AC:M/Au:N/C:C/I:C/A:C

Cross-Ref:

Common Vulnerability Exposure (CVE) ID: CVE-2013-1775
http://lists.apple.com/archives/security-announce/2013/Sep/msg00002.html
http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html
BugTraq ID: 58203
http://www.securityfocus.com/bid/58203
Debian Security Information: DSA-2642
http://www.debian.org/security/2013/dsa-2642
http://www.openwall.com/lists/oss-security/2013/02/27/22
http://osvdb.org/90677
RedHat Security Advisories: RHSA-2013:1353
http://rhn.redhat.com/errata/RHSA-2013-1353.html
RedHat Security Advisories: RHSA-2013:1701
http://rhn.redhat.com/errata/RHSA-2013-1701.html
http://www.slackware.com/security/viewer.php?l=slackware-security&y=2013&m=slackware-security.517440
SuSE Security Announcement: openSUSE-SU-2013:0495
http://lists.opensuse.org/opensuse-updates/2013-03/msg00066.html
http://www.ubuntu.com/usn/USN-1754-1

Common Vulnerability Exposure (CVE) ID: CVE-2013-1776
BugTraq ID: 58207
http://www.securityfocus.com/bid/58207
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=701839
https://bugs.launchpad.net/ubuntu/+source/sudo/+bug/87023
https://bugzilla.redhat.com/show_bug.cgi?id=916365
http://www.openwall.com/lists/oss-security/2013/02/27/31
XForce ISS Database: sudo-ttytickets-sec-bypass(82453)
https://exchange.xforce.ibmcloud.com/vulnerabilities/82453

Common Vulnerability Exposure (CVE) ID: CVE-2013-2776
BugTraq ID: 62741
http://www.securityfocus.com/bid/62741

Common Vulnerability Exposure (CVE) ID: CVE-2013-2777

Copyright: Copyright (C) 2021 Greenbone Networks GmbH

© 1998-2021 E-Soft Inc. All rights reserved.