#VU50299 Incorrect permission assignment for critical resource - CVE-2019-25016

Cybersecurity Help s.r.o.

Published: 2021-02-03

Vulnerability identifier: #VU50299

Vulnerability risk: High

CVSSv4.0: 6.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2019-25016

CWE-ID: CWE-732

Exploitation vector: Network

Exploit availability: No

Description

The vulnerability allows a remote authenticated user to execute arbitrary code.

In OpenDoas from 6.6 to 6.8 the users PATH variable was incorrectly inherited by authenticated executions if the authenticating rule allowed the user to execute any command. Rules that only allowed to authenticated user to execute specific commands were not affected by this issue.

Mitigation
Install update from vendor's website.

External links
https://github.com/Duncaen/OpenDoas/commit/01c658f8c45cb92a343be5f32aa6da70b2032168
https://github.com/Duncaen/OpenDoas/commit/d5acd52e2a15c36a8e06f9103d35622933aa422d
https://github.com/Duncaen/OpenDoas/issues/45
https://github.com/Duncaen/OpenDoas/releases/tag/v6.8.1

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Gentoo update for OpenDoas

Arch Linux update for opendoas

Incorrect permission assignment for critical resource in doas (Alpine package)