Built off the open source project Osquery
Description: This query looks for vulnerable versions of sudo on rpm-based systems that also have the "pwfeedback" setting in /etc/sudoers or in a file under /etc/sudoers.d, per CVE-2019-18634.
Sample results:
The query will show systems that are vulnerable to CVE-2019-18634, with PoC at https://github.com/Plazmaz/CVE-2019-18634:
+------+---------+----------+-----------------------+
| name | version | release  | vulnerable_config_set |
+------+---------+----------+-----------------------+
| sudo | 1.8.6p3 | 29.el6_9 | pwfeedback            |
+------+---------+----------+-----------------------+
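SQL:
-- Report the sudo rpm when its version is in the matched range and pwfeedback is set in sudoers
select a.name, a.version, a.release,
       sudoers.label as vulnerable_config_set
from rpm_packages as a,
     -- augeas nodes parsed from /etc/sudoers and from files under /etc/sudoers.d
     ( select * from augeas
       where path in (select path from file where path like '/etc/sudoers.d/%')
          or path = '/etc/sudoers'
     ) as sudoers
where a.name = 'sudo'
  -- version fields: major = 1, minor 7 or 8, third field below 26
  -- (the cast keeps the leading digits of a field such as "6p3")
  and cast(split(a.version, '.', 0) as int) = 1
  and cast(split(a.version, '.', 1) as int) between 7 and 8
  and cast(split(a.version, '.', 2) as int) < 26
  and sudoers.label = 'pwfeedback'
limit 1;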
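An offline check of the same two conditions, added here as an example and not part of the original query or of osquery. It goes slightly beyond the query by skipping commented-out lines and honouring `!pwfeedback`. The host rows, function names and sudoers snippets are constructed for illustration, and treating a version with fewer than three fields as a non-match is an assumption.

```python
import re

DEFAULTS_RE = re.compile(r"^Defaults\S*\s+(.+)$")  # also Defaults:user, Defaults@host

def leading_int(text):
    """Mimic SQLite CAST(text AS INT): leading digits, otherwise 0."""
    m = re.match(r"\d+", text)
    return int(m.group(0)) if m else 0

def version_matches(version):
    """The query's version predicate: major 1, minor 7 or 8, third field < 26."""
    fields = version.split(".")
    if len(fields) < 3:  # assumption: a missing field never matches
        return False
    major, minor, patch = (leading_int(f) for f in fields[:3])
    return major == 1 and 7 <= minor <= 8 and patch < 26

def pwfeedback_enabled(sudoers_text):
    """True if the last uncommented Defaults entry naming pwfeedback enables it."""
    enabled = False
    for raw in sudoers_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        m = DEFAULTS_RE.match(line)
        if not m:
            continue
        for option in (o.strip() for o in m.group(1).split(",")):
            if option == "pwfeedback":
                enabled = True
            elif option == "!pwfeedback":
                enabled = False
    return enabled

# Constructed sample inventory (host, sudo rpm version, sudoers text); not real data.
HOSTS = [
    ("web01", "1.8.6p3", "Defaults env_reset,pwfeedback\n"),
    ("web02", "1.8.6p3", "# Defaults pwfeedback\nDefaults env_reset\n"),
    ("db01", "1.8.25p1", "Defaults pwfeedback\nDefaults !pwfeedback\n"),
    ("db02", "1.8.31", "Defaults pwfeedback\n"),
    ("old01", "1.7.4p5", "Defaults:admin pwfeedback\n"),
]

def flagged(hosts):
    """Hosts where both conditions hold, in input order."""
    return [name for name, version, sudoers in hosts
            if version_matches(version) and pwfeedback_enabled(sudoers)]

if __name__ == "__main__":
    print(flagged(HOSTS))
```

The check looks only at the upstream version string, as the query does; it does not take the rpm release field into account.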