March 5, 2014
If the env_reset
option is disabled in the sudoers file,
a malicious user with sudo permissions may be able to run arbitrary
commands with elevated privileges by manipulating the environment
of a command the user is legitimately allowed to run.
Sudo versions affected:
Sudo 1.6.9 through 1.8.4p5 inclusive. Sudo 1.8.5 and higher are
This vulnerability has been assigned CVE-2014-0106
in the Common Vulnerabilities and
Sudo has two methods of constructing the environment that the command
run by it will use. The default method (since sudo 1.6.9) is to
execute the command with a new, minimal environment. The new
environment contains the TERM, PATH, HOME, MAIL, SHELL, LOGNAME,
USER, USERNAME, SUDO_COMMAND, SUDO_USER, SUDO_UID and SUDO_GID
variables in addition to variables from the invoking process permitted
by the env_check
options. This is
effectively a whitelist for environment variables.
If, however, the env_reset option is disabled, any variables
not explicitly denied by the env_check and env_delete
options are inherited from the invoking process. In this case,
env_check and env_delete behave like a blacklist.
Since it is not possible to blacklist all potentially dangerous
environment variables, use of the default env_reset behavior
Beginning with sudo 1.6.9, it is also possible to specify extra
environment variables on the command line. These variables are
supposed to be subject to the same restrictions as the invoking
user's environment, unless the user is allowed to set arbitrary
variables either via the SETENV attribute or by virtue of having
Due to a logic bug in the validate_env_vars() function, if the
env_reset option is disabled, environment variables specified
on the command line are permitted when they should not be (and vice
versa). This can be used by a malicious user to run arbitrary
programs by manipulating the environment of a command the user is
legitimately allowed to run. For example, on many systems the
LD_PRELOAD environment variable is used to load a dynamic
shared object before any shared libraries are loaded. By either
replacing a library function called by the program, or by including
an _init() function in the shared object, the user can execute
arbitrary commands with elevated privileges.
The code that contains the bug was rewritten for sudo 1.8.5, which
does not suffer from the same security issue.
For sudo versions prior to 1.8.5, if the env_reset
is explicitly disabled in the sudoers file, a malicious user with
sudo permissions may be able to run arbitrary commands with elevated
privileges. There is no impact for sudo 1.8.5 and higher, or when
the sudoers file does not disable env_reset
A fix for the sudo 1.7.x branch is included in sudo 1.7.10p8. The
actual fix is a
change to env.c
. Sudo versions 1.8.5 and higher are not vulnerable.
Only systems with sudoers files that explicitly disable env_reset
are affected. As such, a simple workaround is to simply not disable
, which is the default behavior.
I'd like to thank Sebastien Macke for reporting this bug and providing