Sudo vulnerability

Blackster · January 28, 2021, 10:49am

Hello! As you know, sudo vulnerability was found yesterday.
How can I fix it on my FreePBX 15.0.16.75 installed from FreePBX Distro ?
Firstly I run ‘yum update’ command. Then ‘yum install -y sudo’ but console says that “Package sudo-1.8.23-9.el7.x86_64 already installed and latest version Nothing to do”
Sudo 1.8.23 this is version with vulnerability.
If it is impossible to update sudo, can I remove sudo completely? Would be FreePBX works after removing?
Thank you!

BlazeStudios · January 28, 2021, 1:15pm

What is this vulnerability? You have something to link to? And a fix isnt happening under 24 hours.

Also dont mess with sudo

poodle · January 28, 2021, 1:29pm

Hi,

This is a serious vulnerability, more info:

A patch is needed urgently.

lgaetz · January 28, 2021, 1:43pm

A Distro fix will come from Centos upstream in time. I haven’t read details yet, but I assume this only affects those that allow ssh access to low privilege users. I can’t think of any reason why an unprivileged user would need ssh to a FreePBX system, so I assume this would be a very small fraction of FreePBX systems.

Add yourself as a watcher: https://issues.freepbx.org/browse/FREEPBX-22227

jerrm · January 28, 2021, 2:00pm

I don’t see any requirement for ssh or similar access. Any situation where code could be executed should be vulnerable,

jerrm · January 28, 2021, 2:02pm

Redhat has a workaround hack:

CVE-2021-3156- Red Hat Customer Portal

BlazeStudios · January 28, 2021, 2:50pm

Well while this needs to be patched I wouldn’t be losing sleep over it right now. It’s been around for 10 years and it requires the bad actor to get normal SSH access into the system before they can sudo anything. So this would require a low level user account to be added to the system and then SSH to be opened to the world for access.

I think the amount of actual FreePBX users that would be truly impacted by this is rather low. This sounds more like an issue for when you have 100 users on a box and only 5 should have sudo privileges and thanks to this bug those other 95 actually do have privileges whether I want them to or not.

nielsen · January 29, 2021, 5:19pm

One can download the latest sudo from the sudo site https://www.sudo.ws/download.html#binary
I’ve tested on one of my old CentOS 6 boxes and one CentOS 7 box and seems to be fine.

lgaetz · February 1, 2021, 8:35pm

The upstream fix for this is available now from the sng-pkgs repo. You can get it with a yum update

# yum list sudo
Loaded plugins: fastestmirror, versionlock
Loading mirror speeds from cached hostfile
Installed Packages
sudo.x86_64                     1.8.23-10.el7_9.1                      @sng-pkgs

Blackster · February 2, 2021, 1:34pm

Great! Thank you!

system · June 3, 2021, 11:03pm

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.