
AS-2023-001: Sudo

2023-02-20

Severity

Moderate

Status

Resolved


Statement

A flaw exists in sudo's -e option (aka sudoedit) that allows a malicious user with sudoedit privileges to edit arbitrary files. Sudo versions 1.8.0 through 1.9.12p1 inclusive are affected. Versions of sudo prior to 1.8.0 construct the argument vector differently and are not affected.

CVE-2023-22809 affects ASUSTOR products running ADM 4.0 and later.

  • The sudo package has been updated in ADM 4.2.0.RE71 and ADM 4.0.6.REG2 to fix this vulnerability.

Affected Products

Product   Severity   Fixed Release                      Availability
ADM 4.2   Moderate   Upgrade to 4.2.0.RE71 or above.
ADM 4.0   Moderate   Upgrade to 4.0.6.REG2 or above.

Detail

  • CVE-2023-22809
    • Severity: Moderate
    • In Sudo before 1.9.12p2, the sudoedit (aka -e) feature mishandles extra arguments passed in the user-provided environment variables (SUDO_EDITOR, VISUAL, and EDITOR), allowing a local attacker to append arbitrary entries to the list of files to process. This can lead to privilege escalation. Affected versions are 1.8.0 through 1.9.12p1.
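To check whether a host's sudo falls inside the affected range given above (1.8.0 through 1.9.12p1 inclusive), here is an added Python example; it is not ASUSTOR's or the sudo project's code. It parses the version out of `sudo --version` output, treats a missing `pN` suffix as patch level 0 so that 1.9.12 compares below 1.9.12p1, and the sample output line it ships with is constructed.

```python
import re
import subprocess

# Affected range stated in the advisory, as comparable tuples
# (major, minor, patch, plevel). A release with no "pN" suffix is plevel 0.
AFFECTED_MIN = (1, 8, 0, 0)      # 1.8.0
AFFECTED_MAX = (1, 9, 12, 1)     # 1.9.12p1

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?")

# Constructed sample of the first line printed by `sudo --version`.
SAMPLE_OUTPUT = "Sudo version 1.9.12p1\n"


def parse_sudo_version(text):
    """Return (major, minor, patch, plevel) for the first sudo-style version
    found in text, e.g. "Sudo version 1.9.12p1" -> (1, 9, 12, 1) and
    "1.9.13" -> (1, 9, 13, 0). Raises ValueError if no version is present."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("no sudo version found in: %r" % text)
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def is_affected(text):
    """True if the version found in text lies in the advisory's affected range.
    Tuple comparison orders 1.9.12 < 1.9.12p1 < 1.9.12p2 < 1.9.13 as intended."""
    return AFFECTED_MIN <= parse_sudo_version(text) <= AFFECTED_MAX


def check_installed_sudo():
    """Query the local sudo binary and report (version_text, affected).
    Requires a sudo binary on PATH; running `sudo --version` needs no privilege."""
    out = subprocess.run(["sudo", "--version"], capture_output=True,
                         text=True, check=True).stdout
    return (out.splitlines()[0], is_affected(out))


if __name__ == "__main__":
    # Demonstrate on the constructed sample, then on the real host if possible.
    print(SAMPLE_OUTPUT.strip(), "-> affected:", is_affected(SAMPLE_OUTPUT))
    try:
        line, affected = check_installed_sudo()
        print(line, "-> affected:", affected)
    except (OSError, subprocess.CalledProcessError) as exc:
        print("could not query local sudo:", exc)
```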

Reference


Revision

Revision   Date         Description
1          2023-02-01   Initial public release.
2          2023-02-08   Release ADM 4.2.0.RE71 to update Sudo package for fixing these potential vulnerabilities.
3          2023-02-20   Release ADM 4.0.6.REG2 to update Sudo package for fixing these potential vulnerabilities.