[QSA-0128211] Sudo vulnerabilities
Qlustar Security Advisory 0128211
January 28th, 2021
Summary:
This update includes a fix for the dangerous sudo vulnerabilty (Baron Samedit) that allows root access for any local user. You should update your cluster as soon as possible. If sudo is not used on your cluster nodes, you can also make the sudo binary non-executable on all cluster (net-boot) nodes (via
chmod a-x /usr/bin/sudo) and just update the sudo package on the head-node(s) to have immediate protection without the need for updating and possibly rebooting cluster nodes.
Package(s) : sudo, qlustar-module-core-xenial-amd64-10.1.1, qlustar-module-core-bionic-amd64-11.0.1, qlustar-module-core-centos7-amd64-11.0.1, qlustar-module-core-centos8-amd64-11.0.1, qlustar-module-core-focal-amd64-12.0.0, qlustar-module-core-centos7-amd64-12.0.0, qlustar-module-core-centos8-amd64-12.0.0 Qlustar releases : 10.1, 11.0, 12.0 Affected versions: All versions prior to this update Vulnerability : privilege escalation Problem type : Local Qlustar-specific : no CVE Id(s) : CVE-2021-3156, CVE-2021-23239
Relevant to Qlustar 12.0 and 11.0 and 10.1
Sudo vulnerabilities
It was discovered that Sudo incorrectly handled memory when parsing command lines. A local attacker could possibly use this issue to obtain unintended access to the administrator account.
It was discovered that the Sudo sudoedit utility incorrectly handled checking directory permissions. A local attacker could possibly use this issue to bypass file permissions and determine if a directory exists or not.
Update instructions:
The problem can be corrected by updating your system to the following or more recent package versions (follow the Qlustar Update Instructions):
For Qlustar 12.0
sudo 1.8.31-1ubuntu1.2 qlustar-module-core-focal-amd64-12.0.0 12.0.0.1.1-b529f1342 qlustar-module-core-centos7-amd64-12.0.0 12.0.0.1.1-b529f1342 qlustar-module-core-centos8-amd64-12.0.0 12.0.0.1.1-b529f1342
For Qlustar 11.0
sudo 1.8.21p2-3ubuntu1.4 qlustar-module-core-bionic-amd64-11.0.1 11.0.1.5.1-b527f1343 qlustar-module-core-centos7-amd64-11.0.1 11.0.1.5.1-b527f1343 qlustar-module-core-centos8-amd64-11.0.1 11.0.1.5.1-b527f1343
For Qlustar 10.1
sudo 1.8.16-0ubuntu1.10 qlustar-module-core-xenial-amd64-10.1.1 10.1.1.17.1-b521f1345