CVE-2023-27320 - OpenCVE

Sudo before 1.9.13p2 has a double free in the per-command chroot feature.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Fedoraproject	Fedora
Sudo Project	Sudo

Configuration 1 [-]

OR	cpe:2.3:a:sudo_project:sudo::::::::
	cpe:2.3:a:sudo_project:sudo:1.9.13:-::::::
	cpe:2.3:a:sudo_project:sudo:1.9.13:p1::::::

Configuration 2 [-]

OR	cpe:2.3:o:fedoraproject:fedora:36:::::::*
	cpe:2.3:o:fedoraproject:fedora:37:::::::*
	cpe:2.3:o:fedoraproject:fedora:38:::::::*

No data.

References

Link	Providers
http://www.openwall.com/lists/oss-security/2023/03/01/8
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/332KN4QI6QXB7NI7SWSJ2EQJKWIILFN6/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FPLXMRAMXC3BYL4DNKVTK3V6JDMUXZ7B/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X6VW24YGXJYI4NZ5HZPQCF4MCE7766AU/
https://nvd.nist.gov/vuln/detail/CVE-2023-27320
https://security.gentoo.org/glsa/202309-12
https://security.netapp.com/advisory/ntap-20230413-0009/
https://www.cve.org/CVERecord?id=CVE-2023-27320
https://www.openwall.com/lists/oss-security/2023/02/28/1
https://www.sudo.ws/releases/stable/#1.9.13p2

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2023-02-28T00:00:00

Updated: 2024-08-02T12:09:42.882Z

Reserved: 2023-02-28T00:00:00

Link: CVE-2023-27320

Vulnrichment

No data.

NVD

Status : Modified

Published: 2023-02-28T18:15:10.547

Modified: 2023-11-07T04:09:54.090

Link: CVE-2023-27320

Redhat

Severity : Moderate

Publid Date: 2023-02-28T00:00:00Z

Links: CVE-2023-27320 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2023-27320", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2024-08-02T12:09:42.882Z", "dateReserved": "2023-02-28T00:00:00", "datePublished": "2023-02-28T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2023-09-29T13:06:19.949873"}, "descriptions": [{"lang": "en", "value": "Sudo before 1.9.13p2 has a double free in the per-command chroot feature."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://www.openwall.com/lists/oss-security/2023/02/28/1"}, {"url": "https://www.sudo.ws/releases/stable/#1.9.13p2"}, {"name": "[oss-security] 20230301 Re: sudo: double free with per-command chroot sudoers rules", "tags": ["mailing-list"], "url": "http://www.openwall.com/lists/oss-security/2023/03/01/8"}, {"name": "FEDORA-2023-d2d6ec2a32", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FPLXMRAMXC3BYL4DNKVTK3V6JDMUXZ7B/"}, {"name": "FEDORA-2023-11c9d868ca", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X6VW24YGXJYI4NZ5HZPQCF4MCE7766AU/"}, {"name": "FEDORA-2023-cb5df36beb", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/332KN4QI6QXB7NI7SWSJ2EQJKWIILFN6/"}, {"url": "https://security.netapp.com/advisory/ntap-20230413-0009/"}, {"name": "GLSA-202309-12", "tags": ["vendor-advisory"], "url": "https://security.gentoo.org/glsa/202309-12"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T12:09:42.882Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.openwall.com/lists/oss-security/2023/02/28/1", "tags": ["x_transferred"]}, {"url": "https://www.sudo.ws/releases/stable/#1.9.13p2", "tags": ["x_transferred"]}, {"name": "[oss-security] 20230301 Re: sudo: double free with per-command chroot sudoers rules", "tags": ["mailing-list", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2023/03/01/8"}, {"name": "FEDORA-2023-d2d6ec2a32", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FPLXMRAMXC3BYL4DNKVTK3V6JDMUXZ7B/"}, {"name": "FEDORA-2023-11c9d868ca", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X6VW24YGXJYI4NZ5HZPQCF4MCE7766AU/"}, {"name": "FEDORA-2023-cb5df36beb", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/332KN4QI6QXB7NI7SWSJ2EQJKWIILFN6/"}, {"url": "https://security.netapp.com/advisory/ntap-20230413-0009/", "tags": ["x_transferred"]}, {"name": "GLSA-202309-12", "tags": ["vendor-advisory", "x_transferred"], "url": "https://security.gentoo.org/glsa/202309-12"}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sudo_project:sudo:*:*:*:*:*:*:*:*", "matchCriteriaId": "0FD49FC3-CC8E-4B40-B025-D4CEAD9225AF", "versionEndExcluding": "1.9.13", "versionStartIncluding": "1.9.8", "vulnerable": true}, {"criteria": "cpe:2.3:a:sudo_project:sudo:1.9.13:-:*:*:*:*:*:*", "matchCriteriaId": "D4CB860E-795E-4B23-A5B8-4AEA873994ED", "vulnerable": true}, {"criteria": "cpe:2.3:a:sudo_project:sudo:1.9.13:p1:*:*:*:*:*:*", "matchCriteriaId": "55CC00CC-E4DD-40F3-8E89-93E04E8E0027", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*", "matchCriteriaId": "5C675112-476C-4D7C-BCB9-A2FB2D0BC9FD", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*", "matchCriteriaId": "E30D0E6F-4AE8-4284-8716-991DFA48CC5D", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*", "matchCriteriaId": "CC559B26-5DFC-4B7A-A27C-B77DE755DFF9", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Sudo before 1.9.13p2 has a double free in the per-command chroot feature."}], "id": "CVE-2023-27320", "lastModified": "2023-11-07T04:09:54.090", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-02-28T18:15:10.547", "references": [{"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2023/03/01/8"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/332KN4QI6QXB7NI7SWSJ2EQJKWIILFN6/"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FPLXMRAMXC3BYL4DNKVTK3V6JDMUXZ7B/"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X6VW24YGXJYI4NZ5HZPQCF4MCE7766AU/"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202309-12"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20230413-0009/"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Mailing List", "Third Party Advisory"], "url": "https://www.openwall.com/lists/oss-security/2023/02/28/1"}, {"source": "cve@mitre.org", "tags": ["Release Notes"], "url": "https://www.sudo.ws/releases/stable/#1.9.13p2"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-415"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "sudo: double free with per-command chroot sudoers rules", "id": "2174218", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2174218"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.4", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-415", "details": ["Sudo before 1.9.13p2 has a double free in the per-command chroot feature.", "A double-free vulnerability was found in Sudo in the per-command chroot feature. This flaw exists due to a boundary error when matching a sudoer rule that contains a per-command chroot directive (CHROOT=dir). By sending a specially-crafted request, a local privileged attacker can elevate privileges and execute arbitrary code on the system."], "name": "CVE-2023-27320", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "sudo", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "sudo", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "sudo", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "sudo", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2023-02-28T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-27320\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-27320\nhttps://www.openwall.com/lists/oss-security/2023/02/28/1\nhttps://www.sudo.ws/releases/stable/#1.9.13p2"], "statement": "The CHROOT support was only added in Sudo v1.9.3 and Sudo v1.9.8 included a fix for a memory leak in the set_cmnd_path() function, which can result in the \"user_cmnd\" variable being freed twice, but only when processing a sudoers rule that contains a \"CHROOT\" setting. This does not affect the \"chroot\" Defaults setting. Only a per-rule \"CHROOT\" setting will trigger the bug.\nHence, it only affects Sudo v1.9.8 through to 1.9.13p1. \nRed Hat Enterprise Linux - 6, 7, 8, 9 are shipped with lower versions of Sudo that doesn't contains the vulnerable code. Thus, they are not affected.", "threat_severity": "Moderate", "upstream_fix": "sudo 1.9.13p2"}