Find and fix CVE-2019-18634 sudo vulnerability with Puppet Remediate

See more posts about: Tips & How To

On 30 January 2020 a new vulnerability was announced in Sudo that allows a user with sudo access to trigger a stack-based buffer overflow if pwfeedback is enabled.

At Puppet, our security team found and fixed this vulnerability on all our systems instantly using our own vulnerability management solution, Puppet Remediate. Learn how you can too:

Find it (CVE-2019-18634, sudo vulnerability)

First of all, you need to find which systems contain vulnerable versions of Sudo below 1.8.25p1. This version number will vary based on vendor. For example, on Debian Stretch the vulnerable version will be 1.8.19p1-2.1 and this vulnerability will be fixed in version 1.8.19p1-2.1+deb9u2. (https://security-tracker.debian.org/tracker/CVE-2019-18634). Check your vendor for this versioning information.

In Puppet Remediate this is a single command:

  1. Open Run Tasks
  2. Run the following shell command: sudo -V | grep "^Sudo version"
  1. Select all your nodes
  2. Run the command and view the output to find any system running the vulnerable Sudo version.

Fix it (CVE-2019-18634, sudo vulnerability)

  1. On the boxes you find to be potentially vulnerable, run the following task.
  2. Select Run Task > Manage Package > Upgrade > sudo
  1. Select one node, or all affected nodes, and Run the Task.
  1. Verify the fix. Check Sudo was upgraded to the version you expected.

Don’t have Puppet Remediate? Here’s how to do it manually or with Bolt

We want to help the community even if you don’t have Puppet Remediate, so here’s the commands to do this yourself manually, or you can use our open source tool Bolt.

Run this command against your Linux boxes:

1
sudo -V | grep "^Sudo version"

List all the boxes that have versions 1.8.25p1 and below (or corresponding fix version for your OS). Then upgrade the potentially vulnerable ones by running either apt-get or yum:

1
apt-get upgrade sudo

You will need to run this against each vulnerable box, or write a script to perform all the updates.

Learn more

Puppet sites use proprietary and third-party cookies. By using our sites, you agree to our cookie policy.