CVE-2023-22809
Published: 18 January 2023
Summary
CVE-2023-22809 is a high-severity Improper Privilege Management (CWE-269) vulnerability in Sudo (Sudo Project). Its CVSS base score is 7.8 (High).
Operationally, it ranks in the top 2.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
In Sudo versions 1.8.0 through 1.9.12p1, the sudoedit feature fails to properly sanitize additional arguments supplied via the SUDO_EDITOR, VISUAL, or EDITOR environment variables. A user-specified editor value containing a "--" separator can bypass an existing protection and cause arbitrary file paths to be appended to the list of files sudoedit will process, resulting in unintended file operations under elevated privileges.
A local attacker who is already permitted to run sudoedit can set one of the affected environment variables to include a crafted editor command. This grants the ability to modify or create arbitrary files as root, enabling straightforward privilege escalation on the affected system.
Public exploit code and technical analyses have been published through channels such as Packet Storm and OpenWall, confirming working proof-of-concept attacks against vulnerable installations. The associated EPSS score rose from lower values after disclosure to a peak of 0.5510 before receding to the current 0.4437, indicating measurable post-disclosure exploitation interest. Upgrading to Sudo 1.9.12p2 or later eliminates the flaw.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-26921
Vulnerability details
In Sudo before 1.9.12p2, the sudoedit (aka -e) feature mishandles extra arguments passed in the user-provided environment variables (SUDO_EDITOR, VISUAL, and EDITOR), allowing a local attacker to append arbitrary entries to the list of files to process. This can lead to privilege escalation. Affected versions are 1.8.0 through 1.9.12p1. The problem exists because a user-specified editor may contain a "--" argument that defeats a protection mechanism, e.g., an EDITOR='vim -- /path/to/extra/file' value.
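As an added example (not code from this advisory or from the sudo project), the following Python audit helper checks a reported sudo version against the affected range 1.8.0 through 1.9.12p1 and flags SUDO_EDITOR/VISUAL/EDITOR values that carry arguments after a bare "--", the pattern described above. The version-string format (including the first line of `sudo --version`) is an assumption about the reader's inventory data.

```python
from __future__ import annotations

import re
import shlex

# Affected range as stated in the advisory: 1.8.0 through 1.9.12p1 (fixed in 1.9.12p2).
AFFECTED_MIN = (1, 8, 0, 0)
AFFECTED_MAX = (1, 9, 12, 1)

# Matches "1.9.12p1" or "1.9.12"; also works on "Sudo version 1.9.12p1" (assumed format).
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?")


def parse_sudo_version(text: str) -> tuple[int, int, int, int]:
    """Parse a sudo version string into a comparable (major, minor, patch, plevel) tuple.
    A release without a 'pN' suffix gets plevel 0, so it sorts before its p1 re-release."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no sudo version found in {text!r}")
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def is_affected_by_cve_2023_22809(text: str) -> bool:
    """True when the version lies within 1.8.0 .. 1.9.12p1 inclusive."""
    return AFFECTED_MIN <= parse_sudo_version(text) <= AFFECTED_MAX


def extra_files_in_editor_value(value: str) -> list[str]:
    """Return the arguments that follow a bare '--' in an editor environment value.

    On an affected sudoedit these would be appended to the list of files to edit
    with elevated privileges; an empty list means the value carries no such entries.
    Intended for auditing SUDO_EDITOR/VISUAL/EDITOR values collected from hosts."""
    argv = shlex.split(value)  # split like a shell would; raises on unbalanced quotes
    if "--" not in argv:
        return []
    return argv[argv.index("--") + 1:]


if __name__ == "__main__":
    # Constructed sample inputs, not data from the advisory.
    for line in ["Sudo version 1.9.12p1", "Sudo version 1.9.12p2"]:
        state = "AFFECTED" if is_affected_by_cve_2023_22809(line) else "fixed"
        print(f"{line}: {state}")
    print(extra_files_in_editor_value("vim -- /path/to/extra/file"))
```

For hosts that cannot be upgraded immediately, the sudo project's advisory for this issue also documents a sudoers workaround, `Defaults!sudoedit env_delete+="SUDO_EDITOR VISUAL EDITOR"`, which strips the affected variables for sudoedit invocations.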
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Policy addresses roles, responsibilities, and privilege management to prevent improper privilege assignments.
Access supervision ensures privileges are assigned and managed without improper escalation or retention.
Assigning group/role memberships and access authorizations (privileges) while reviewing accounts addresses improper privilege management.
Enforces proper privilege management by requiring that every access decision pass through a verified reference monitor.
By mandating division of duties across roles, the control enforces proper privilege management and prevents a single entity from controlling an entire sensitive process.
Implements core privilege management by restricting each subject to only the rights it requires.
Policy requires training on privilege management and least privilege, making it harder to exploit improper privilege management weaknesses.
Training covers proper privilege management practices, making incorrect privilege assignments less likely.