February 27, 2013
When a user successfully authenticates with sudo, a time stamp file
is updated to allow that user to continue running sudo without
requiring a password for a preset time period (five minutes by
The user's time stamp file can be reset using "sudo -k" or removed
altogether via "sudo -K".
A user who has sudo access and is able to control the local clock
(common in desktop environments) can run a command via sudo without
authenticating as long as they have previously authenticated
themselves at least once by running "sudo -k" and then setting
the clock to the epoch (1970-01-01 01:00:00).
The vulnerability does not permit a user to run commands other than
those allowed by the sudoers policy.
Sudo versions affected:
Sudo 1.6.0 through 1.7.10p6 and sudo 1.8.0 through 1.8.6p6 inclusive.
This vulnerability has been assigned
in the Common
Vulnerabilities and Exposures
By default, sudo displays a lecture when the user's time stamp file
is not present. In sudo 1.6, the -k option was changed to reset
the time stamp file to the epoch rather than remove it to prevent
the lecture from being displayed the next time sudo was run.
No special case was added for handling a time stamp file set to the
epoch since the clock should never legitimately be set to that value.
However, there are two common ways for the clock to be reset to the
epoch. The first way is when the clock is reset due to a fully
drained battery on some systems. The other way is by a user logged
in to a desktop environment that allows changes to the date and time.
As long as the user has successfully run sudo before, they are able
to run "sudo -k" to reset the time stamp file. This action does
not require a password and is not logged. If the user is also able
to reset the date and time to the epoch (1970-01-01 01:00:00), they
will be able to run sudo without having to authenticate.
The flaw may allow someone with physical access to a machine that
is not password-protected to run sudo commands without knowing the
logged in user's password. On systems where sudo is the principal
way of running commands as root, such as on Ubuntu and Mac OS X,
there is a greater chance that the logged in user has run sudo
before and thus that an attack would succeed.
The bug is fixed in sudo 1.8.6p7 and 1.7.10p7. These versions
will ignore a time stamp file that is set to the epoch.
Using "sudo -K" instead of "sudo -k" will completely remove the
time stamp file instead of just resetting it.
I'd like to thank Marco Schoepl for finding and reporting this