
CVE-2019-18634: sudo 1.7.1 <= version < 1.8.26 vulnerable when pwfeedback is set (query for RHEL/CentOS)

Description: This query looks for vulnerable versions of sudo on rpm-based systems (RHEL/CentOS) that also have the "pwfeedback" option set in /etc/sudoers or in a file under /etc/sudoers.d, per CVE-2019-18634. The bug is only reachable when pwfeedback is enabled, so both conditions must hold before a host is reported. Two caveats when reading hits: vendors backport fixes without changing the upstream version string, so a host whose sudo package has already been updated through the distribution's errata can still match on version alone (check the release field against the vendor advisory); and the Augeas sudoers lens gives a "Defaults !pwfeedback" line the same "pwfeedback" label (with a child "negate" node), so a host that explicitly disables the option can also match and should be confirmed by looking at the actual sudoers line.

Sample results: 

The query returns one row on systems that meet both conditions and are therefore vulnerable to CVE-2019-18634. A public proof of concept for the bug is at https://github.com/Plazmaz/CVE-2019-18634:

+------+---------+----------+-----------------------+
| name | version | release  | vulnerable_config_set |
+------+---------+----------+-----------------------+
| sudo | 1.8.6p3 | 29.el6_9 | pwfeedback            |
+------+---------+----------+-----------------------+

SQL:

select a.name, a.version, a.release,
  sudoers.label as vulnerable_config_set
from rpm_packages as a,
  -- parse /etc/sudoers and every file under /etc/sudoers.d with the Augeas sudoers lens
  ( select * from augeas where (
    path in (select path from file where path like '/etc/sudoers.d/%')
    or path = '/etc/sudoers' )
  ) as sudoers
where a.name = 'sudo'
  -- version window 1.7.1 <= v < 1.8.26; cast() drops a "p3"-style suffix ("6p3" -> 6)
  and cast(split(a.version, '.', 0) as int) = 1
  and ( ( cast(split(a.version, '.', 1) as int) = 7
          and cast(split(a.version, '.', 2) as int) >= 1 )
     or ( cast(split(a.version, '.', 1) as int) = 8
          and cast(split(a.version, '.', 2) as int) < 26 ) )
  -- a Defaults entry named pwfeedback in any of those files
  and sudoers.label = 'pwfeedback'
limit 1;  -- one row per endpoint is enough to flag it
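
The same two-part check as POSIX shell functions, added here as an example; this is not code from the original post or from Carbon Black, and every function name in it is mine. It lets the test be run on a RHEL/CentOS host without osquery, or exercised offline, and it goes slightly beyond the query on two points: a "Defaults !pwfeedback" entry is treated as turning the option off (with later Defaults entries overriding earlier ones, which is how sudo applies them), and the version window starts at 1.7.1 rather than 1.7.0. The sudoers files it reads are constructed samples, and the rpm -q --qf '%{VERSION}' sudo line is the assumed way to obtain the installed version on a live host.

```shell
#!/bin/sh
# Added example, not from the original post: the CVE-2019-18634 check the
# osquery query performs, as POSIX shell functions that run on a RHEL/CentOS
# host or offline on constructed sudoers files. All names here are mine.

# sudo_version_in_window VERSION
# Succeeds when VERSION lies in 1.7.1 <= v < 1.8.26. A suffix such as the
# "p3" in 1.8.6p3 is dropped from the third component, mirroring what
# cast(... as int) does in the osquery query.
sudo_version_in_window() {
    v=$1
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    [ "$patch" != "$rest" ] || patch=0        # "1.8" has no third component
    patch=$(printf '%s' "$patch" | sed 's/[^0-9].*//')
    [ -n "$patch" ] || patch=0
    [ "$major" = 1 ] || return 1
    case $minor in
        7) [ "$patch" -ge 1 ] ;;              # 1.7.1 and later 1.7.x
        8) [ "$patch" -lt 26 ] ;;             # anything before 1.8.26
        *) return 1 ;;
    esac
}

# sudoers_enables_pwfeedback FILE...
# Succeeds when, after reading the FILEs in order, pwfeedback is on.
# Defaults entries are applied in order, so a later "Defaults !pwfeedback"
# turns it back off; comments are stripped; per-user or per-host Defaults
# lines are counted conservatively as enabling it.
sudoers_enables_pwfeedback() {
    state=$(cat "$@" 2>/dev/null | awk '
        BEGIN { state = "off" }
        { sub(/#.*/, "") }                      # drop comments
        /^[[:space:]]*Defaults/ {               # only Defaults lines matter
            gsub(/,/, " ")                      # "a, b" -> separate tokens
            for (i = 1; i <= NF; i++) {
                if ($i == "pwfeedback")       state = "on"
                else if ($i == "!pwfeedback") state = "off"
            }
        }
        END { print state }')
    [ "$state" = on ]
}

# cve_2019_18634_check VERSION FILE...
# Prints one of: vulnerable, version-outside-window, pwfeedback-off.
cve_2019_18634_check() {
    ver=$1; shift
    if ! sudo_version_in_window "$ver"; then
        echo version-outside-window
    elif sudoers_enables_pwfeedback "$@"; then
        echo vulnerable
    else
        echo pwfeedback-off
    fi
}

# Constructed sample sudoers files (not from any real host) for an offline run.
tmp=$(mktemp -d)
cat > "$tmp/sudoers" <<'EOF'
Defaults    env_reset, pwfeedback
root        ALL=(ALL) ALL
EOF
cat > "$tmp/sudoers_negated" <<'EOF'
Defaults    !pwfeedback    # explicitly turned off
EOF

cve_2019_18634_check 1.8.6p3 "$tmp/sudoers"                         # vulnerable
cve_2019_18634_check 1.8.6p3 "$tmp/sudoers" "$tmp/sudoers_negated"  # pwfeedback-off
cve_2019_18634_check 1.8.31  "$tmp/sudoers"                         # version-outside-window
# On a live host (as root, so /etc/sudoers.d is readable):
#   cve_2019_18634_check "$(rpm -q --qf '%{VERSION}' sudo)" /etc/sudoers /etc/sudoers.d/*
```

The version parsing deliberately matches the query's cast() behaviour so that the two tools agree on RHEL version strings like 1.8.6p3; the sudoers parsing is stricter than the query, which is what you want when triaging a hit that came from a negated entry.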

1 Comment
jnelson
Carbon Black Employee
Status changed to: Approved

Excellent!!