[QSA-0128211] Sudo vulnerabilities

Qlustar Security Advisory 0128211

January 28th, 2021


Summary:

This update includes a fix for the dangerous sudo vulnerability (Baron Samedit) that allows root access for any local user. You should update your cluster as soon as possible. If sudo is not used on your cluster nodes, you can also make the sudo binary non-executable on all cluster (net-boot) nodes via

      chmod a-x /usr/bin/sudo

and just update the sudo package on the head-node(s) to have immediate protection without the need for updating and possibly rebooting cluster nodes.


    Package(s)         : sudo,
                         qlustar-module-core-xenial-amd64-10.1.1,
                         qlustar-module-core-bionic-amd64-11.0.1,
                         qlustar-module-core-centos7-amd64-11.0.1,
                         qlustar-module-core-centos8-amd64-11.0.1,
                         qlustar-module-core-focal-amd64-12.0.0,
                         qlustar-module-core-centos7-amd64-12.0.0,
                         qlustar-module-core-centos8-amd64-12.0.0
    Qlustar releases : 10.1, 11.0, 12.0
    Affected versions: All versions prior to this update
    Vulnerability    : privilege escalation
    Problem type     : Local
    Qlustar-specific : no
    CVE Id(s)        : CVE-2021-3156, CVE-2021-23239
  

Relevant to Qlustar 12.0 and 11.0 and 10.1

Sudo vulnerabilities

It was discovered that Sudo incorrectly handled memory when parsing command lines. A local attacker could possibly use this issue to obtain unintended access to the administrator account.

It was discovered that the Sudo sudoedit utility incorrectly handled checking directory permissions. A local attacker could possibly use this issue to bypass file permissions and determine if a directory exists or not.

Update instructions:

The problem can be corrected by updating your system to the following or more recent package versions (follow the Qlustar Update Instructions):

For Qlustar 12.0

    sudo                                       1.8.31-1ubuntu1.2
    qlustar-module-core-focal-amd64-12.0.0     12.0.0.1.1-b529f1342
    qlustar-module-core-centos7-amd64-12.0.0   12.0.0.1.1-b529f1342
    qlustar-module-core-centos8-amd64-12.0.0   12.0.0.1.1-b529f1342
  

For Qlustar 11.0

    sudo                                       1.8.21p2-3ubuntu1.4
    qlustar-module-core-bionic-amd64-11.0.1    11.0.1.5.1-b527f1343
    qlustar-module-core-centos7-amd64-11.0.1   11.0.1.5.1-b527f1343
    qlustar-module-core-centos8-amd64-11.0.1   11.0.1.5.1-b527f1343
  

For Qlustar 10.1

    sudo                                       1.8.16-0ubuntu1.10
    qlustar-module-core-xenial-amd64-10.1.1    10.1.1.17.1-b521f1345
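
The following script is an added example, not part of the original advisory or of Qlustar's tooling. It classifies a node by comparing its installed sudo version with the fixed versions listed above and by checking whether the chmod workaround from the summary is in place. The function names are hypothetical, and it assumes a dpkg-based node.

```shell
#!/bin/sh
# Added example, not Qlustar tooling. Function names are hypothetical.

# Fixed sudo package version per Qlustar release, copied from the advisory.
fixed_sudo_version() {
    case "$1" in
        12.0) echo "1.8.31-1ubuntu1.2" ;;
        11.0) echo "1.8.21p2-3ubuntu1.4" ;;
        10.1) echo "1.8.16-0ubuntu1.10" ;;
        *)    return 1 ;;
    esac
}

# Succeeds only if the file exists and carries no execute permission.
# ls shows setuid/sticky WITH execute as lowercase s/t; after "chmod a-x"
# a setuid binary shows "S", so lowercase x, s or t means still executable.
exec_disabled() {
    [ -f "$1" ] || return 1   # a wrong path is not evidence of mitigation
    mode=$(ls -ld -- "$1" | cut -c1-10)
    case "$mode" in
        *[xst]*) return 1 ;;
        *)       return 0 ;;
    esac
}

# Usage: node_status <qlustar-release> <installed-sudo-version> <sudo-path>
# Prints patched, mitigated, vulnerable or unknown-release.
# If dpkg is unavailable the comparison fails and the node is treated as
# unpatched (fail closed).
node_status() {
    fixed=$(fixed_sudo_version "$1") || { echo "unknown-release"; return 0; }
    if dpkg --compare-versions "$2" ge "$fixed" 2>/dev/null; then
        echo "patched"
    elif exec_disabled "$3"; then
        echo "mitigated"
    else
        echo "vulnerable"
    fi
}

# Example call on a node (installed version read from the package database):
#   node_status 12.0 "$(dpkg-query -W -f='${Version}' sudo)" /usr/bin/sudo
if [ "$#" -eq 3 ]; then
    node_status "$@"
fi
```

A result of "mitigated" means only that the binary cannot be executed on that node; the package itself is still an unfixed version.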