homeblogfind fix sudo vulnerability cve 2019 18634

Find and fix CVE-2019-18634 sudo vulnerability with Puppet Remediate

On 30 January 2020 a new vulnerability was announced in Sudo that allows a user with sudo access to trigger a stack-based buffer overflow if pwfeedback is enabled.

At Puppet, our security team found and fixed this vulnerability on all our systems instantly using our own vulnerability management solution, Puppet Remediate. Learn how you can too:

Find it (CVE-2019-18634, sudo vulnerability)

First of all, you need to find which systems contain vulnerable versions of Sudo below 1.8.25p1. This version number will vary based on vendor. For example, on Debian Stretch the vulnerable version will be 1.8.19p1-2.1 and this vulnerability will be fixed in version 1.8.19p1-2.1+deb9u2. (https://security-tracker.debian.org/tracker/CVE-2019-18634). Check your vendor for this versioning information.

In Puppet Remediate this is a single command:

  1. Open Run Tasks
  2. Run the following shell command: sudo -V | grep "^Sudo version"
jan  puppet remediate image
  1. Select all your nodes
  2. Run the command and view the output to find any system running the vulnerable Sudo version.
jan  puppet remediate image

Fix it (CVE-2019-18634, sudo vulnerability)

  1. On the boxes you find to be potentially vulnerable, run the following task.
  2. Select Run Task > Manage Package > Upgrade > sudo
jan  puppet remediate image
  1. Select one node, or all affected nodes, and Run the Task.
jan  puppet remediate image
  1. Verify the fix. Check Sudo was upgraded to the version you expected.
jan  puppet remediate image

Don’t have Puppet Remediate? Here’s how to do it manually or with Bolt

We want to help the community even if you don’t have Puppet Remediate, so here’s the commands to do this yourself manually, or you can use our open source tool Bolt.

Run this command against your Linux boxes:

List all the boxes that have versions 1.8.25p1 and below (or corresponding fix version for your OS). Then upgrade the potentially vulnerable ones by running either apt-get or yum:

You will need to run this against each vulnerable box, or write a script to perform all the updates.

Learn more