Severity: HIGH

GHSA-8w6w-23mq-h8rg

Linuxfabrik Monitoring Plugins: Sudoers may be able to obtain privilege escalation via /usr/bin/apt-get arguments

Details

### Summary

In the [Debian.sudoers](https://github.com/Linuxfabrik/monitoring-plugins/blob/main/assets/sudoers/Debian.sudoers) file, `apt-get` is allowed for the nagios user. The full command line, including its arguments, is not enforced, so the arguments can be chosen arbitrarily. This makes it easy for the nagios user to obtain a root shell.

### PoC

By passing a suitable `-o` option, you can get (as the nagios user) a root shell:

```
sudo apt-get update -o APT::Update::Pre-Invoke::="/bin/sh"
```

Since the nagios user can use sudo to run `apt-get` as root, and `APT::Update::Pre-Invoke` makes `apt-get` execute the given command before the update, the resulting shell is also running as root.

### Impact

The vulnerability is a local privilege escalation affecting users who deploy the provided sudoers file. It requires that the attacker has already compromised the nagios account (admittedly a high barrier), after which it yields full root.

### Fix

Since only one place where `apt-get` is currently used (in [deb-updates](https://github.com/Linuxfabrik/monitoring-plugins/blob/998302a5fb43e89df1359f4cbb6558f81c96ae4f/check-plugins/deb-updates/deb-updates#L124)) was found, it should be enough to allow only the specific arguments used there. sudoers matches a literal argument list exactly, so the rule has to be kept in sync with the plugin's invocation. A wildcard such as `/usr/bin/apt-get update *` would not help: in sudoers a `*` in the arguments also matches whitespace and therefore any further option, including `-o`.

Here is an example of how the line in the sudoers file could look:

```
/usr/lib64/nagios/plugins/strongswan-connections,\
/usr/lib64/nagios/plugins/systemd-unit,\
/usr/bin/apt-get update --quiet 2
```
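To make the difference between the vulnerable rule and the fixed rule checkable, here is a small sudoers auditor. It is an added example for this advisory, not code from the Linuxfabrik project: it joins backslash continuation lines, extracts each Cmnd entry of a user specification and reports whether sudo would accept any arguments (bare path), a wildcarded list, or only the literal list. The two sudoers fragments embedded in it are constructed to mirror the layout quoted above and are not the project's actual file; `audit_sudoers`, `classify` and the `OPTION_INJECTION` table are this example's own names, and alias expansion is deliberately not implemented.

```python
"""
Audit sudoers command rules for argument restrictions.

Added example (not part of the advisory or of the Linuxfabrik project):
joins sudoers continuation lines, extracts each user's Cmnd entries and
reports whether the arguments are unrestricted (bare path), wildcarded or
pinned to a literal list. The sample sudoers text below is constructed for
this example and only mirrors the layout quoted in the advisory.
"""
import re
from dataclasses import dataclass

# Commands where free-form arguments are equivalent to a root shell.
# apt-get is the one named in the advisory; the option is the one from its PoC.
OPTION_INJECTION = {
    "apt-get": "-o APT::Update::Pre-Invoke::=<command> runs <command> as root",
}


@dataclass
class Finding:
    user: str
    command: str
    args: str
    verdict: str  # "unrestricted", "wildcard" or "pinned"
    note: str = ""


def logical_lines(text):
    """Yield sudoers lines with backslash continuations joined; comments and blanks dropped."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if buf:
            line = buf + " " + line
            buf = ""
        if line.endswith("\\"):
            buf = line[:-1].rstrip()
            continue
        if line and not line.startswith("#"):
            yield line
    if buf:
        yield buf


def split_cmnds(spec):
    """Split a comma separated Cmnd list and strip tags such as NOPASSWD: from each entry."""
    for part in spec.split(","):
        part = re.sub(r"^(?:[A-Z_]+:\s*)+", "", part.strip())
        if part:
            yield part


def classify(cmnd):
    """Return (command, args, verdict) for one Cmnd entry as sudo would interpret it."""
    if cmnd == "ALL":
        return ("ALL", "", "unrestricted")
    parts = cmnd.split(None, 1)
    command = parts[0]
    args = parts[1].strip() if len(parts) > 1 else ""
    if args == "":
        verdict = "unrestricted"  # bare path: sudo accepts any arguments at all
    elif args == '""':
        verdict = "pinned"        # explicit "": command may only run without arguments
    elif any(ch in args for ch in "*?[]"):
        verdict = "wildcard"      # sudoers wildcards also match whitespace, so extra options slip in
    else:
        verdict = "pinned"        # literal argument list, must match exactly
    return (command, args, verdict)


def audit_sudoers(text):
    """Parse user specifications and return one Finding per Cmnd entry."""
    skip = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias", "@include")
    user_spec = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\([^)]*\)\s*)?(.*)$")
    findings = []
    for line in logical_lines(text):
        if line.startswith(skip):
            continue  # aliases and Defaults are not expanded by this small checker
        m = user_spec.match(line)
        if not m:
            continue
        user, _host, cmnds = m.groups()
        for cmnd in split_cmnds(cmnds):
            command, args, verdict = classify(cmnd)
            note = ""
            if verdict != "pinned":
                note = OPTION_INJECTION.get(command.rsplit("/", 1)[-1], "")
            findings.append(Finding(user, command, args, verdict, note))
    return findings


# Constructed sudoers fragments for this example (not the project's actual file).
SUDOERS_BEFORE = """\
Defaults:nagios !requiretty
nagios ALL = (root) NOPASSWD: /usr/bin/apt-get,\\
    /usr/lib64/nagios/plugins/systemd-unit
"""

SUDOERS_AFTER = """\
Defaults:nagios !requiretty
nagios ALL = (root) NOPASSWD: /usr/lib64/nagios/plugins/systemd-unit,\\
    /usr/bin/apt-get update --quiet 2
"""

if __name__ == "__main__":
    for label, text in (("before", SUDOERS_BEFORE), ("after", SUDOERS_AFTER)):
        print(label)
        for f in audit_sudoers(text):
            print(f"  {f.user}: {f.command} {f.args!r} -> {f.verdict} {f.note}")
```

Running it shows the bare `/usr/bin/apt-get` entry as `unrestricted` with the Pre-Invoke note, while the fixed entry is reported as `pinned` to `update --quiet 2`. The `wildcard` verdict exists because a tempting "fix" such as `apt-get update *` still lets `-o` through; the checker only reads one file and does not follow `@include` or expand `Cmnd_Alias`, so it is a triage aid, not a replacement for `sudo -l` on the host.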


Affected packages

PyPI / linuxfabrik-lib
Introduced in: 0
Fixed in: 5.1.0
Fix: pip install --upgrade 'linuxfabrik-lib>=5.1.0'

References