Rapid7 Vulnerability & Exploit Database

Amazon Linux AMI: CVE-2019-14287: Security patch for sudo (ALAS-2019-1309)

Back to Search

Amazon Linux AMI: CVE-2019-14287: Security patch for sudo (ALAS-2019-1309)

Severity
9
CVSS
(AV:N/AC:L/Au:S/C:C/I:C/A:C)
Published
10/14/2019
Created
10/17/2019
Added
10/15/2019
Modified
01/21/2020

Description

Details for this vulnerability have not been published by NIST at this point. Descriptions from software vendor advisories for this issue are provided below.

From ALAS-2019-1309:

When sudo is configured to allow a user to run commands as an arbitrary user via the ALL keyword in a Runas specification, it is possible to run commands as root by specifying the user ID -1 or 4294967295.

This can be used by a user with sufficient sudo privileges to run commands as root even if the Runas specification explicitly disallows root access as long as the ALL keyword is listed first in the Runas specification. (CVE-2019-14287)

Further details can be found here: https://www.sudo.ws/alerts/minus_1_uid.html

Solution(s)

  • amazon-linux-upgrade-sudo

References

  • amazon-linux-upgrade-sudo

With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.

– Scott Cheney, Manager of Information Security, Sierra View Medical Center

;