HomeAboutMailing ListList Chatter /0/0

SUDO Update Now

2021-01-26 by: "Mike (meuon) Harrison"
From: "Mike (meuon) Harrison" 

Howdy Ya'll.

Multiple sources say you should update your systems ASAP.

Bad mojo in the sudo command, pretty much everywhere.

One of many many notices:


I just updated several systems that the only update was the 'sudo' command 
package. Ya'll probably should as well.

--meuon--  me as a subatomic particle sending this with 100% recycled electrons.

=============================================================== From: JustinMcAfee ------------------------------------------------------ All my mint installs rang their update bells today as well. Should be good on 20.1 Sent from ProtonMail mobile -------- Original Message --------

=============================================================== From: Dave Brockman ------------------------------------------------------ If ya'll haven't already, and you manage multiple systems.... salt * pkg.refresh_db salt * pkg.update dist_upgrade=3Dtrue is worth the time to invest learning for times like these... Cheers, -Dave -local-users-gain-root-privileges/

=============================================================== From: JustinMcAfee ------------------------------------------------------ Rtfm is an acceptable answer, but Ill ask anyway. The man page is thin, is this reading from KnownHosts? It doesnt appear to have a flag for ingesting a file? TIA Sent from ProtonMail mobile -------- Original Message --------

=============================================================== From: Nick Smith ------------------------------------------------------ Wait, you guys run other users besides root on your systems? :-)

=============================================================== From: Billy ------------------------------------------------------ So there is a mitigation, too, in case you=E2=80=99re unable to update right= away. =46rom Red Hat=E2=80=99s CVE page [1]: 1. Install required systemtap packages and dependencies:=20 systemtap yum-utils kernel-devel-"$(uname -r)" Then for RHEL 7 install kernel debuginfo, using: debuginfo-install -y kernel= -"$(uname -r)"=20 Then for RHEL 8 install sudo debuginfo, using: debuginfo-install sudo 2. Create the following systemtap script: (call the file as sudoedit-block.s= tap) probe process("/usr/bin/sudo").function("main") { command =3D cmdline_args(0,0,""); if (strpos(command, "edit") >=3D 0) { raise(9); } } 3. Install the script using the following command: (using root) # nohup stap -g sudoedit-block.stap & (This should output the PID number of the systemtap script) The mitigation won=E2=80=99t last through reboots, and to remove it, kill th= e $pid of the systemtap process (or reboot). 1: https://access.redhat.com/security/vulnerabilities/RHSB-2021-002 --b -local-users-gain-root-privileges/

=============================================================== From: "Mike (meuon) Harrison" ------------------------------------------------------ Laughing.. because that let me off the hook for a bunch of systems that don't have a web server, mail server, etc.. and what little does run, runs as root or asterisk. So far, haven't figured out how to use that exploit with Asterisk. So far. Give me time. Luckily, my important stuff on the public that does, is constantly being upgraded and rebooted. Most, all they updated was 'sudo' and I remooted anywhere afterwards just 'cause I was there. But yeah, also have some "bespoke" things floating around the world still (and I do mean the world: other continents) that I know won't get updated and are on increasingly hostile local and public networks. Technically, most of these I don't have access to and am no longer responsible for, I wonder when the phone will ring anyway. Billy, thanks for your "hot to mitigate of you can't update..." I also have an increasing hypocritical (possibly worst offender evar?)) view that overly complex systems with dependencies (technical debt) that keeps you from doing core systems updates is part of the problem. ---- There are days I want to live in a cave, far far away from technology... and people. Maybe especially people. --Mike--

=============================================================== From: Dave Brockman ------------------------------------------------------ Salt server maintains its own database of registered minions. * will match all of them. In practice, I more often use it like this: salt -G roles:unifi pkg.refresh_db salt -G roles:unifi pkg.upgrade dist_upgrade=3Dtrue salt -G roles:dns salt -G roles:http so on and so forth. I barely scratch the surface of what can be done, but for managing armies of boxes, it's a sanity saver (not to mention tim= e). Cheers! -Dave * ime lets-local-users-gain-root-privileges/

=============================================================== From: Dave Brockman ------------------------------------------------------ I have a lot of single purpose appliance VMs that only have users besides root for the services/applications that created and run them. NTP servers, backup proxies, firewalls, I think I've retired all the storage systems..... I only access via (keyed) root, and most don't have sudo installed. (The backup proxies do, hard requirement to install the software). I agree that you fscked up if you can't update your systems. Whether it's an uptime issue, dependency issue, whatever, someone screwed a pooch somewhere along the way. Reminds me, I have a mail server that needs to be migrated..... Cheers, -Dave g t =2E

=============================================================== From: Nick Smith ------------------------------------------------------ I was pleasantly surprised to find out that my personal web server running ubuntu had already patched itself. Ive allowed it to self patch security updates when i installed it years ago since it wasn't an uptime priority, but i can say i've never had it hose a server because of it. Kinda just works like its supposed to. (knock on wood)