CVE-2019-19234
Summary
| CVE | CVE-2019-19234 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2019-12-19 21:15:00 UTC |
| Updated | 2023-11-07 03:07:00 UTC |
| Description | ** DISPUTED ** In Sudo through 1.8.29, the fact that a user has been blocked (e.g., by using the ! character in the shadow file instead of a password hash) is not considered, allowing an attacker (who has access to a Runas ALL sudoer account) to impersonate any blocked user. NOTE: The software maintainer believes that this CVE is not valid. Disabling local password authentication for a user is not the same as disabling all access to that user--the user may still be able to login via other means (ssh key, kerberos, etc). Both the Linux shadow(5) and passwd(1) manuals are clear on this. Indeed it is a valid use case to have local accounts that are _only_ accessible via sudo and that cannot be logged into with a password. Sudo 1.8.30 added an optional setting to check the _shell_ of the target user (not the encrypted password!) against the contents of /etc/shells but that is not the same thing as preventing access to users with an invalid password hash. |
Risk And Classification
Problem Types: NVD-CWE-noinfo
NVD Known Affected Configurations (CPE 2.3)
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Sudo Development Releases | CONFIRM | www.sudo.ws | Vendor Advisory |
| Photon OS 1.0: Sudo PHSA-2020-1.0-0264 (Tenable®) | MISC | www.tenable.com | |
| [SECURITY] Fedora 32 Update: sudo-1.9.0-0.1.b1.fc32 - package-announce - Fedora Mailing-Lists | | lists.fedoraproject.org | |
| [SECURITY] Fedora 31 Update: sudo-1.9.0-0.1.b1.fc31 - package-announce - Fedora Mailing-Lists | | lists.fedoraproject.org | |
| Errorpage | MISC | www.bsi.bund.de | |
| CVE-2019-19234 (SUSE) | CONFIRM | www.suse.com | |
| December 2019 Sudo Vulnerabilities in NetApp Products (NetApp Product Security) | CONFIRM | security.netapp.com | |
| Cisco Bug: CSCvs58104 - [ciam] Sudo Blocked User Impersonation Vulnerability | MISC | quickview.cloudapps.cisco.com | |
| Oracle Solaris Third Party Bulletin - April 2020 | CONFIRM | www.oracle.com | |
| Red Hat Customer Portal | CONFIRM | access.redhat.com | |
| Sudo Stable Release | MISC | www.sudo.ws | Vendor Advisory |
| LIN1019-3816 - Security Advisory - sudo - CVE-2019-19234 | MISC | support2.windriver.com | |
| Cisco Bug: CSCvs58473 - Multiple Vulnerabilities in sudo | MISC | quickview.cloudapps.cisco.com | |
| Cisco Bug: CSCvs58979 - Multiple Vulnerabilities in sudo | MISC | quickview.cloudapps.cisco.com | |
| [SECURITY] Fedora 32 Update: sudo-1.9.0-0.1.b1.fc32 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org | |
| LIN1018-5505 - Security Advisory - sudo - CVE-2019-19234 | MISC | support2.windriver.com | |
| Cisco Bug: CSCvs58772 - Multiple Vulnerabilities in sudo | MISC | quickview.cloudapps.cisco.com | |
| CVE-2019-19234 | CONFIRM | support2.windriver.com | |
| Bug Not Available | MISC | quickview.cloudapps.cisco.com | |
| Bug Not Available | MISC | quickview.cloudapps.cisco.com | |
| [SECURITY] Fedora 31 Update: sudo-1.9.0-0.1.b1.fc31 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.