Sudo vulnerability


(Blackster) #1

Hello! As you know, a sudo vulnerability was found yesterday.
How can I fix it on my FreePBX 15.0.16.75 installed from the FreePBX Distro?
Firstly I ran the ‘yum update’ command. Then ‘yum install -y sudo’, but the console says “Package sudo-1.8.23-9.el7.x86_64 already installed and latest version Nothing to do”.
Sudo 1.8.23 is the version with the vulnerability.
If it is impossible to update sudo, can I remove sudo completely? Would FreePBX work after removing it?
Thank you!


(Tom Ray) #2

What is this vulnerability? You have something to link to? And a fix isn't happening under 24 hours.

Also, don't mess with sudo.


(Poodle) #3

Hi,

This is a serious vulnerability, more info:


A patch is needed urgently.


(Lorne Gaetz) #4

A Distro fix will come from Centos upstream in time. I haven’t read details yet, but I assume this only affects those that allow ssh access to low privilege users. I can’t think of any reason why an unprivileged user would need ssh to a FreePBX system, so I assume this would be a very small fraction of FreePBX systems.

Add yourself as a watcher: https://issues.freepbx.org/browse/FREEPBX-22227


#5

I don’t see any requirement for ssh or similar access. Any situation where code could be executed should be vulnerable.


#6

Red Hat has a workaround hack:

CVE-2021-3156 - Red Hat Customer Portal


(Tom Ray) #7

Well, while this needs to be patched, I wouldn’t be losing sleep over it right now. It’s been around for 10 years and it requires the bad actor to get normal SSH access into the system before they can sudo anything. So this would require a low-level user account to be added to the system and then SSH to be opened to the world for access.

I think the amount of actual FreePBX users that would be truly impacted by this is rather low. This sounds more like an issue for when you have 100 users on a box and only 5 should have sudo privileges and thanks to this bug those other 95 actually do have privileges whether I want them to or not.


#8

One can download the latest sudo from the sudo site: https://www.sudo.ws/download.html#binary
I’ve tested it on one of my old CentOS 6 boxes and one CentOS 7 box and it seems to be fine.


(Lorne Gaetz) #9

The upstream fix for this is available now from the sng-pkgs repo. You can get it with a yum update.

# yum list sudo
Loaded plugins: fastestmirror, versionlock
Loading mirror speeds from cached hostfile
Installed Packages
sudo.x86_64                     1.8.23-10.el7_9.1                      @sng-pkgs
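
As an added check for this thread (not code from any of the posts or from FreePBX), here is a small POSIX shell snippet that decides whether an installed sudo RPM is at or above the fixed CentOS 7 package, assuming the fixed package is the 1.8.23-10.el7_9.1 shown in the yum output above; the function names `vercmp` and `sudo_is_patched` are my own.

```sh
#!/bin/sh
# Added check (not from the thread): decide whether an installed sudo RPM
# is at or above the CentOS 7 package that carries the CVE-2021-3156 fix.
# Assumption: the fixed package is 1.8.23-10.el7_9.1 (the version in the
# yum output above); anything with a lower version-release is vulnerable.
FIXED_VERSION="1.8.23"
FIXED_RELEASE="10"

# vercmp A B: compare dotted numeric strings; prints -1, 0 or 1.
vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        k = (n > m) ? n : m
        for (i = 1; i <= k; i++) {
            xi = (i <= n) ? x[i] + 0 : 0; yi = (i <= m) ? y[i] + 0 : 0
            if (xi < yi) { print "-1"; exit }
            if (xi > yi) { print "1"; exit }
        }
        print "0"
    }'
}

# sudo_is_patched VERSION-RELEASE: exit 0 if patched, 1 if still vulnerable.
# Examples: "1.8.23-9.el7" -> vulnerable, "1.8.23-10.el7_9.1" -> patched.
sudo_is_patched() {
    ver="${1%%-*}"            # "1.8.23"
    rel="${1#*-}"             # "10.el7_9.1"
    relnum="${rel%%.*}"       # "10": leading numeric part of the release
    case "$(vercmp "$ver" "$FIXED_VERSION")" in
        1)  return 0 ;;       # a newer upstream version is packaged
        -1) return 1 ;;       # an older upstream version, never fixed
    esac
    [ "$relnum" -ge "$FIXED_RELEASE" ]   # same version: compare backport release
}

# On an RPM-based host, report the installed package; skipped elsewhere.
if command -v rpm >/dev/null 2>&1; then
    vr=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' sudo 2>/dev/null) || vr=""
    if [ -n "$vr" ]; then
        if sudo_is_patched "$vr"; then
            echo "sudo $vr: at or above the fixed package"
        else
            echo "sudo $vr: below the fixed package, run yum update"
        fi
    fi
fi
```

This compares against the distro's backported package, which is how yum decides, not against the upstream sudo version numbers.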

(Blackster) #10

Great! Thank you!