Shortly after the blog post CU 196 is ready for testing (release notes stating a package update for sudo to v1.9.17) I stumbled across the following news.
Is IPFire even affected here, since articles on this CVE only mention multi-user systems?
Many thanks for your excellent work … you're doing an amazing job!
Regards
Yes, I have that package to do an update for but I wouldn’t worry about it.
The CVE is one that enables local privilege escalation to root.
Local means that the attacker needs to be on the console or accessing via ssh using a user other than root. By default IPFire only has the login user root for the console, so there is no non-root user to log in with, and if the attacker had logged in as root then your system is already lost.
There are two situations, one where the command sudo -h is used and the other where sudo -R (chroot) is used. Neither of these options is used in IPFire.
For any attacker to be able to use these then the sudoers file would also have to have entries for local users to allow them to get sudo escalation.
So I don’t believe it will be an actual threat to IPFire users.
However, there is an update package available, sudo-1.9.17p1, and this will get submitted. As CU196 has only just been released for Testing, I suspect the updated sudo package will likely get merged into CU196 Testing.
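The reply above lists the preconditions under which this sudo issue matters on a box: a non-root account that can actually log in, a sudoers rule granting that account sudo, and a sudo older than the fixed 1.9.17p1. The following audit script is an added example, not code from the thread or from the IPFire project; it runs over constructed /etc/passwd and sudoers excerpts, and the function names and thresholds are my own assumptions.

```shell
#!/bin/sh
# Added example: checks the three preconditions named in the reply.
# Sample data is constructed; on a real system pass the contents of
# /etc/passwd, /etc/sudoers and the bare version from `sudo -V`.

# Constructed passwd excerpt, IPFire-like: only root has a login shell.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
nobody:x:99:99:nobody:/:/sbin/nologin
squid:x:23:23:squid:/var/spool/squid:/sbin/nologin'

# Constructed passwd excerpt with an extra interactive account.
SAMPLE_PASSWD_MULTI="$SAMPLE_PASSWD
admin:x:1000:1000:admin:/home/admin:/bin/bash"

# Constructed sudoers excerpt that grants a non-root user sudo.
SAMPLE_SUDOERS='root ALL=(ALL) ALL
# Defaults env_reset
admin ALL=(ALL) ALL'

# Non-root accounts whose shell is not a nologin/false shell.
login_users() {
  printf '%s\n' "$1" | awk -F: '$3 != 0 && $7 !~ /(nologin|false)$/ {print $1}'
}

# First word of every non-comment, non-Defaults sudoers rule except root.
# Simplification: %group and alias lines are printed but not expanded.
sudoers_grantees() {
  printf '%s\n' "$1" | awk '!/^[[:space:]]*(#|Defaults)/ && NF >= 2 && $1 != "root" {print $1}'
}

# Login users that also appear as a sudoers grantee.
exposed_users() {
  for u in $(login_users "$1"); do
    sudoers_grantees "$2" | grep -qx "$u" && echo "$u"
  done
}

# True (0) when the version string is older than 1.9.17p1 (assumed fixed release).
# "1.9.17p1" -> 1 9 17 1 ; "1.9.17" -> 1 9 17 0 ; compared as one integer.
sudo_unpatched() {
  set -- $(printf '%s' "$1" | sed 's/p/./; s/[^0-9.]//g' | tr '.' ' ') 0 0 0 0
  n=$(( (($1 * 1000 + $2) * 1000 + $3) * 1000 + $4 ))
  [ "$n" -lt 1009017001 ]
}

# Prints "exposed" only when all three preconditions hold; exit 0/1 accordingly.
assess() {
  if [ -n "$(exposed_users "$1" "$2")" ] && sudo_unpatched "$3"; then
    echo exposed; return 0
  fi
  echo "not exposed"; return 1
}

if [ "${1:-}" = "--demo" ]; then assess "$SAMPLE_PASSWD" "$SAMPLE_SUDOERS" "1.9.17"; fi
```

Run with `--demo` to see the IPFire-like sample reported as not exposed; the same sudoers with the multi-user passwd sample reports exposed.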
I appreciate that people are following what severe vulnerabilities are out there and patch their systems accordingly.
In IPFire, we are very often not directly affected by any of these, even though they are real and bad security issues. That is because the firewall is only running its own code. There should be no third-party software running, and there are no other user accounts than root itself. So in this very case, there won't be a less-privileged user who can become root in the first place, not through the way that is referred to in the vulnerability report.
What could happen is that someone exploits some software that is running on the firewall as a non-privileged user. That way, it might be easier to elevate privileges for an attacker. But at that point, the firewall would already be considered compromised.
We will always patch those problems. But we won’t drop everything immediately and push out an emergency release. For a long time, nothing has been severe enough to warrant that mountain of extra work and we need to balance developer time against security benefit at the end of the day.
That’s almost what came to mind when I read more on this subject.
But at some point, I just couldn’t estimate for myself to what extent this could affect IPFire at all - #BrainAFK#
Then I thought it can't hurt to ask the professionals here - better safe than sorry.
Thank you once again - and a pleasant rest of the week