KB-22334: Is Centrify dzdo affected by vulnerability CVE-2019-14287?

Authentication Service

16 October,19 at 09:28 AM

Applies to: All versions of Centrify Infrastructure Service

Question:

Is Centrify dzdo affected by the vulnerability CVE-2019-14287?

Reference:
https://www.sudo.ws/alerts/minus_1_uid.html

Answer:

Centrify dzdo has its own policy settings, the DirectAuthorize Command settings, in which dzdo_runas defines the run-as user/group for the command. This setting is specific: it allows only an exact name, an ID, SELF, or ALL.

dzdo always checks the validity of the target user / group when they are not SELF / ALL, so Centrify dzdo will not fall for this trick.

A quick example:

  1. Set up a dzcmd that allows the command 'id' to run only as SELF:

    Privileged commands:
      Name              Command    Path       Run As  Auth   Exec  Source Roles
      ---------------   ---------- ---------  ------- ----- -----  --------------------
      id/ng_child       id         User       #       Self   Yes   UNIX Login/ng_child

  2. Set up the sudoers file to allow running 'id' as ALL but root:

    smk2k12r2-test1   ALL=(ALL, !root)       PASSWD: /usr/bin/id

  3. Check the sudo and dzdo versions:

    sudo -V
    Sudo version 1.8.23

    dzdo -V
    Dzdo version 5.6.0-209(based on Sudo version 1.8.20p2)

  4. Due to the vulnerability, sudo can be tricked into running the command as root:

    sudo -u \#-1 id
    [sudo] password for smk2k12r2-test1:
    uid=0(root) gid=10000(unixgroup) groups=10000(unixgroup) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

  5. As shown below, dzdo is not affected:

    dzdo -u \#-1 id
    Sorry, user smk2k12r2-test1 is not allowed to execute '/bin/id' as #-1 on numenor.

  6. Looking at the debug log, we can see that dzdo performed a real ID check on the UID and denied the request:

    Oct 15 13:39:14 localhost dzdo[56797]: DEBUG dz.rights match(command = /bin/id, binary = /bin/id, as = #-1, checkSelf = false) against pattern = id
    .
    .

    Oct 15 13:39:14 localhost dzdo[56797]: DEBUG dz.rights   requested user #-1 not allowed for this command object
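
For hosts that still use plain sudo, the rule shape from step 2 (a Runas list that combines ALL with a negated entry) can be located with a small audit script. This is an added example, not Centrify or sudo project code; the function name `risky_runas_rules` and every sample rule except the one from step 2 are constructed for illustration.

```python
import re

# Runas specification in a rule, e.g. "(ALL, !root)" or "(ALL, !#0 : wheel)".
RUNAS_RE = re.compile(r"\(([^)]*)\)")
# A comment starts at '#' unless the '#' introduces a numeric ID (#0, #-1).
COMMENT_RE = re.compile(r"(^|\s)#(?![-\d]).*$")


def risky_runas_rules(sudoers_text):
    """Return (line_number, who, runas_users) for each rule whose Runas user
    list combines ALL with a negated entry such as !root or !#0.

    Narrow by design: Runas_Alias expansion, backslash line continuations
    and included files are not followed."""
    findings = []
    for lineno, raw in enumerate(sudoers_text.splitlines(), start=1):
        line = COMMENT_RE.sub("", raw).strip()
        if "=" not in line or line.startswith("Defaults"):
            continue
        who, rest = line.split("=", 1)
        fields = who.split()
        if not fields:
            continue
        for spec in RUNAS_RE.findall(rest):
            # Text before ':' is the run-as user list; after it, the group list.
            users = [u.strip() for u in spec.split(":", 1)[0].split(",") if u.strip()]
            if "ALL" in users and any(u.startswith("!") for u in users):
                findings.append((lineno, fields[0], users))
    return findings


# Constructed sample; only the smk2k12r2-test1 rule comes from the article.
SAMPLE = """\
# constructed sample sudoers content
smk2k12r2-test1   ALL=(ALL, !root)       PASSWD: /usr/bin/id
alice             ALL=(ALL)              ALL
bob               ALL=(oracle, #1001)    /usr/bin/id
%ops              ALL=(ALL, !#0 : ALL)   NOPASSWD: /usr/bin/systemctl
"""

if __name__ == "__main__":
    for lineno, who, users in risky_runas_rules(SAMPLE):
        print(f"line {lineno}: {who} may run as {users}; exclusion relies on ID validation")
```

Rules flagged this way depend on sudo correctly rejecting IDs such as #-1, which is the check the dzdo debug log above shows being enforced.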