Asustor Security Advisory AS-2023-001: Sudo
Sudo package updated on ADM 4.2.0.RE71 NAS OS to fix these potential vulnerabilities
This is a Press Release edited by StorageNewsletter.com on February 21, 2023 at 2:01 pm

Asustor, Inc. has published a security advisory concerning CVE-2023-22809, which affects its products with ADM 4.0 NAS OS and later.
Severity: Moderate
Status: Ongoing
Statement
A flaw exists in sudo’s -e option (aka sudoedit) that allows a malicious user with sudoedit privileges to edit arbitrary files. Sudo versions 1.8.0 through 1.9.12p1 inclusive are affected. Versions of sudo prior to 1.8.0 construct the argument vector differently and are not affected.
CVE-2023-22809 affected Asustor products with ADM 4.0 NAS OS and later.
Sudo package has been updated on ADM 4.2.0.RE71 to fix these potential vulnerabilities.
Affected products
| Product | Severity | Fixed release availability |
|---|---|---|
| ADM 4.2 | Moderate | Upgrade to 4.2.0.RE71 or above. |
| ADM 4.0 | Moderate | Ongoing |
Detail:
- CVE-2023-22809
- Severity: Moderate
- In Sudo before 1.9.12p2, the sudoedit (aka -e) feature mishandles extra arguments passed in the user-provided environment variables (SUDO_EDITOR, VISUAL, and EDITOR), allowing a local attacker to append arbitrary entries to the list of files to process. This can lead to privilege escalation. Affected versions are 1.8.0 through 1.9.12p1.
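
The following is an added example, not part of Asustor's advisory: a shell check that classifies a sudo version string against the affected range stated above (1.8.0 through 1.9.12p1 inclusive). The function names and the sample versions are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: classify a sudo version against the range stated in this
# advisory for CVE-2023-22809 (1.8.0 through 1.9.12p1 inclusive).

# Turn "1.9.12p1" into a comparable integer (1009012001). A missing third
# component or patch level counts as 0. Fails on anything else (betas, rc).
sudo_version_key() {
    printf '%s\n' "$1" | awk '
        /^[0-9]+\.[0-9]+(\.[0-9]+)?(p[0-9]+)?$/ {
            split($0, part, "p")
            split(part[1], num, ".")
            printf "%d%03d%03d%03d\n", num[1], num[2], num[3], part[2]
            ok = 1
        }
        END { exit !ok }'
}

# Print "affected", "not-affected" or "unknown" for one version string.
sudoedit_status() {
    key=$(sudo_version_key "$1") || { echo unknown; return 0; }
    low=$(sudo_version_key 1.8.0)       # first affected release
    high=$(sudo_version_key 1.9.12p1)   # last affected release
    if [ "$key" -ge "$low" ] && [ "$key" -le "$high" ]; then
        echo affected
    else
        echo not-affected
    fi
}

# Extract the version from the first line of `sudo -V` ("Sudo version X").
sudo_version_from_output() {
    printf '%s\n' "$1" | sed -n '1s/^Sudo version \([^ ]*\).*$/\1/p'
}

# Constructed sample versions, not taken from any real host.
for v in 1.7.10p9 1.8.0 1.8.31p2 1.9.12p1 1.9.12p2 1.9.13; do
    echo "sudo $v: $(sudoedit_status "$v")"
done

# Check the local sudo too, if one is installed.
if command -v sudo >/dev/null 2>&1; then
    v=$(sudo_version_from_output "$(sudo -V 2>/dev/null)")
    echo "local sudo ${v:-?}: $(sudoedit_status "$v")"
fi
```

A matching version is only an indicator: a vendor build can carry a backported fix under an unchanged upstream version string, so confirm against the fixed ADM release listed in the table above.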
Revision
| Revision | Date | Description |
|---|---|---|
| 1 | 2023-02-01 | Initial public release. |
| 2 | 2023-02-08 | Release ADM 4.2.0.RE71 to update the Sudo package and fix these potential vulnerabilities. |











