OSG-SEC-2023-01-24 HIGH sudoedit privilege escalation
Dear OSG Security Contacts,
A vulnerability was found in the sudo package (CVE-2023-22809). A flaw in how sudoedit handles user-provided environment variables can lead to arbitrary file writes with the privileges of the RunAs user (usually root).
Affected versions: sudo 1.8.0 through 1.9.12p1
WHAT ARE THE VULNERABILITIES:
In Sudo, before 1.9.12p2, the sudoedit (aka -e) feature mishandles extra arguments passed in the user-provided environment variables (SUDO_EDITOR, VISUAL, and EDITOR), allowing a local attacker to append arbitrary entries to the list of files to process. This can lead to privilege escalation. The problem exists because a user-specified editor may contain a "--" argument that defeats a protection mechanism, e.g., an EDITOR='vim -- /path/to/extra/file' value.
WHAT YOU SHOULD DO:
Install the updated sudo packages for your systems. Patched packages are available for all RHEL versions and most other major distributions.
Alternatively, the problem can be mitigated in the sudoers file. Adding the following line prevents a user-specified editor from being used by sudoedit:
Defaults!sudoedit env_delete+="SUDO_EDITOR VISUAL EDITOR"
To restrict the editor when editing specific files, a Cmnd_Alias can be used, for example:
Cmnd_Alias EDIT_MOTD = sudoedit /etc/motd
Defaults!EDIT_MOTD env_delete+="SUDO_EDITOR VISUAL EDITOR"
user ALL = EDIT_MOTD
Even if applying the mitigation, the affected packages should still be updated as soon as possible.
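The following script is an added audit example, not part of this advisory or of the sudo project. It covers both points above: it decides whether a sudo version string (as printed by `sudo -V`) falls in the affected range 1.8.0 through 1.9.12p1, and it scans a sudoers file for the env_delete mitigation, accepting either `Defaults!sudoedit` or a `Defaults!<Cmnd_Alias>` whose alias expands to sudoedit. The function names, the `audit` result keys and the sample sudoers text are constructed for illustration.

```python
"""Audit helpers for CVE-2023-22809 (sudoedit SUDO_EDITOR/VISUAL/EDITOR handling).

Added example, not the advisory's or sudo's own code. It checks
(1) whether a sudo version string lies in the affected range 1.8.0 .. 1.9.12p1, and
(2) whether a sudoers file carries the env_delete mitigation for sudoedit
    (directly or via a Cmnd_Alias that wraps sudoedit).
The sample sudoers text is constructed for illustration.
"""
import re

AFFECTED_MIN = (1, 8, 0, 0)      # 1.8.0
FIXED = (1, 9, 12, 2)            # 1.9.12p2 is the first fixed release
MITIGATION_VARS = {"SUDO_EDITOR", "VISUAL", "EDITOR"}


def parse_sudo_version(text):
    """Turn '1.9.12p1' or 'Sudo version 1.9.12p1' into a comparable tuple
    (major, minor, patch, p-level). A missing 'pN' suffix counts as p0."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?", text)
    if not m:
        raise ValueError(f"no sudo version found in {text!r}")
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def version_affected(text):
    """True if the version is in the half-open range [1.8.0, 1.9.12p2)."""
    return AFFECTED_MIN <= parse_sudo_version(text) < FIXED


def sudoedit_commands_mitigated(sudoers_text):
    """Return the command targets ('sudoedit' itself, or Cmnd_Alias names that
    expand to sudoedit) whose env_delete Defaults line removes all three editor
    variables. Backslash line continuations are joined; '#' comments are dropped
    (so '#include' directives are not followed; this is a single-file audit)."""
    joined = re.sub(r"\\\n", "", sudoers_text)
    lines = [ln.split("#", 1)[0].strip() for ln in joined.splitlines()]
    lines = [ln for ln in lines if ln]

    # Cmnd_Alias names whose member list contains the sudoedit pseudo-command.
    sudoedit_aliases = set()
    for line in lines:
        m = re.match(r"Cmnd_Alias\s+(\w+)\s*=\s*(.+)", line)
        if m and re.search(r"(^|[\s,])sudoedit\b", m.group(2)):
            sudoedit_aliases.add(m.group(1))

    # Defaults!<target> env_delete+="VAR VAR ..." lines; the '+' is optional so
    # a plain env_delete="..." assignment is also recognised.
    mitigated = set()
    for line in lines:
        m = re.match(r'Defaults!(\S+)\s+env_delete\s*\+?=\s*"?([^"]*)"?', line)
        if not m:
            continue
        target, deleted = m.group(1), set(m.group(2).split())
        if MITIGATION_VARS <= deleted and (target == "sudoedit" or target in sudoedit_aliases):
            mitigated.add(target)
    return mitigated


# Constructed sample; not a real site's sudoers. The global sudoedit line is
# deliberately incomplete (EDITOR missing) so the audit flags it.
SAMPLE_SUDOERS = """\
Defaults env_reset
Cmnd_Alias EDIT_MOTD = sudoedit /etc/motd
Defaults!EDIT_MOTD env_delete+="SUDO_EDITOR VISUAL EDITOR"
Defaults!sudoedit env_delete+="SUDO_EDITOR VISUAL"   # incomplete mitigation
alice ALL = EDIT_MOTD
bob ALL = sudoedit /etc/hosts
"""


def audit(version_text, sudoers_text):
    """Combine both checks into a findings dict an operator can act on."""
    mitigated = sudoedit_commands_mitigated(sudoers_text)
    return {
        "version_affected": version_affected(version_text),
        "mitigated_commands": mitigated,
        "sudoedit_globally_mitigated": "sudoedit" in mitigated,
    }


if __name__ == "__main__":
    # With the sample: version affected, only EDIT_MOTD mitigated, so bob's
    # 'sudoedit /etc/hosts' rule still relies on the package update.
    print(audit("Sudo version 1.9.12p1", SAMPLE_SUDOERS))
```

Run it against the output of `sudo -V` and a copy of the host's sudoers to get a quick inventory; a host that is version-affected and lacks a global `Defaults!sudoedit` entry still needs the package update even when individual aliases are mitigated.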
Sites running RHEL should see 
Sites running CentOS should also see 
Sites running Ubuntu should see 
Sites running Scientific Linux should see 
Sites running Debian should see 
Sites running RockyLinux should see 
Sites running Almalinux should see 
Please contact the OSG security team at sec[email protected] if you have any questions or concerns.
OSG Security Team