Executive Summary

This alert is flagged as a CWE/SANS Top 25 Common Weakness Enumeration.
Summary

Title: sudo security update

Information
Name: DSA-4614
Vendor: Debian
Severity (Vendor): N/A
First vendor publication: 2020-02-01
Last vendor modification: 2020-02-01
Revision: 1

Security-Database Scoring CVSS v3

CVSS vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Overall CVSS score: 7.8
Base score: 7.8
Impact subscore: 5.9
Exploitability subscore: 1.8
Temporal score: 7.8
Environmental score: 7.8

Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High

Security-Database Scoring CVSS v2

CVSS vector: (AV:L/AC:L/Au:N/C:P/I:P/A:P)
CVSS base score: 4.6
CVSS impact score: 6.4
CVSS exploit score: 3.9
Attack range: Local
Attack complexity: Low
Authentication: None required

Detail

Joe Vennix discovered a stack-based buffer overflow vulnerability in sudo, a program designed to provide limited super user privileges to specific users, triggerable when configured with the "pwfeedback" option enabled. An unprivileged user can take advantage of this flaw to obtain full root privileges.

Details can be found in the upstream advisory at https://www.sudo.ws/alerts/pwfeedback.html.

For the oldstable distribution (stretch), this problem has been fixed in version 1.8.19p1-2.1+deb9u2.

For the stable distribution (buster), exploitation of the bug is prevented due to a change in EOF handling introduced in 1.8.26.

We recommend that you upgrade your sudo packages.

For the detailed security status of sudo please refer to its security tracker page at: https://security-tracker.debian.org/tracker/sudo
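The advisory names one configuration precondition (the "pwfeedback" Defaults option) and two version thresholds. The POSIX sh script below is an added example for checking both on a Debian host; it is not part of DSA-4614 or of the sudo project. It parses sudoers-style text, strips comments, honours the negating "!pwfeedback" form, treats scoped entries (Defaults:user, Defaults@host and similar) like global ones so that any hit is flagged for review, and, when run with the assumed "--host" argument, scans /etc/sudoers and /etc/sudoers.d/ and prints the installed package version from dpkg-query next to the versions the advisory lists. The two sample sudoers fragments are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of DSA-4614 or of sudo itself: report whether the
# "pwfeedback" Defaults option that triggers this bug is enabled in a sudoers
# file, and show the installed sudo package version for comparison with the
# fixed versions the advisory lists.

# pwfeedback_enabled FILE
#   Exit 0 if the last effective Defaults setting in FILE enables pwfeedback,
#   1 otherwise. Comments are stripped, "!pwfeedback" switches it off again,
#   and scoped entries (Defaults:user, Defaults@host, Defaults>runas,
#   Defaults!cmd) are treated like global ones, so a hit means "review this
#   file", not "every user is affected". Backslash line continuations are
#   not handled.
pwfeedback_enabled() {
    state=1
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}      # drop trailing comment
        # keep only Defaults lines, minus the keyword and any scope suffix
        opts=$(printf '%s\n' "$line" \
               | sed -n 's/^[[:space:]]*Defaults[^[:space:]]*//p' \
               | tr ',' ' ')
        [ -n "$opts" ] || continue
        for opt in $opts; do
            case "$opt" in
                pwfeedback)    state=0 ;;
                "!pwfeedback") state=1 ;;
            esac
        done
    done < "$1"
    return $state
}

# check_host: scan the live sudoers files (root is needed to read them) and
# print the package version next to the versions named in the advisory.
check_host() {
    ver=$(dpkg-query -W -f='${Version}' sudo 2>/dev/null || echo unknown)
    echo "installed sudo package: $ver"
    echo "advisory: stretch fixed in 1.8.19p1-2.1+deb9u2; buster (>= 1.8.26) not exploitable"
    for f in /etc/sudoers /etc/sudoers.d/*; do
        [ -f "$f" ] || continue
        if ! [ -r "$f" ]; then echo "skipped (not readable): $f"; continue; fi
        if pwfeedback_enabled "$f"; then
            echo "WARNING: pwfeedback is enabled in $f"
        else
            echo "ok: pwfeedback not enabled in $f"
        fi
    done
}

# Constructed sample sudoers fragments (not taken from any real host).
SAMPLE_VULN=$(mktemp)
cat > "$SAMPLE_VULN" <<'EOF'
# constructed /etc/sudoers with password feedback switched on
Defaults        env_reset
Defaults        mail_badpass, pwfeedback   # shows asterisks while typing
root    ALL=(ALL:ALL) ALL
EOF

SAMPLE_SAFE=$(mktemp)
cat > "$SAMPLE_SAFE" <<'EOF'
# constructed /etc/sudoers where pwfeedback is mentioned but not effective
# Defaults pwfeedback
Defaults        env_reset, pwfeedback
Defaults        !pwfeedback
root    ALL=(ALL:ALL) ALL
EOF

for f in "$SAMPLE_VULN" "$SAMPLE_SAFE"; do
    if pwfeedback_enabled "$f"; then
        echo "$f: pwfeedback ENABLED"
    else
        echo "$f: pwfeedback not enabled"
    fi
done

if [ "${1:-}" = "--host" ]; then
    check_host
fi
```

Run without arguments to see the parser's verdict on the two constructed fragments; run as root with "--host" to check the real sudoers files and the installed package version. A file that enables pwfeedback is only exploitable on a sudo build the advisory lists as affected, so the version line is what decides whether the warning needs action.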

Original Source

Url : http://www.debian.org/security/2020/dsa-4614

CWE : Common Weakness Enumeration

Id: CWE-787
Name: Out-of-bounds Write (CWE/SANS Top 25)
Share: 100 %

CPE : Common Platform Enumeration

Type: Application, Count: 68
Type: Os, Count: 3

Alert History

Date: 2020-05-23 13:03:43
  • Multiple Updates
Date: 2020-02-01 17:18:29
  • First insertion