On January 18th, 2023, Synacktiv publicly released an advisory about a new vulnerability for sudo (CVE-2023-22809). This vulnerability allows users to elevate their privileges by editing unauthorized files, such as system files containing passwords. It requires two conditions to be met before it can be exploited. The first condition is that the sudoers policy (or in other words, the system policy for super user elevation) must allow users to edit any individual file on the system using sudoedit or sudo -e. The second condition is that users must specify an editor that relies on “--” arguments to determine the list of files to edit. Once these two conditions are met, injecting an additional “--” argument in one of the authorized environment variables can alter the list of files being edited. This leads to privilege escalation.
This vulnerable configuration exists because an administrator wanted to grant more granular permissions to users. BeyondTrust Privilege Management for Mac is an enterprise product that enables granular control over user and endpoint privileges for macOS. Had an administrator used our product instead of configuring a custom sudoers policy, they never would have exposed themselves to this vulnerability (CVE-2023-22809) in the first place.
What is sudo?
In macOS, sudo (short for “super user do”) allows users to run commands that require elevated privileges to perform. An example might be to install updates, or to move a file to a protected directory.
What does a sudoers policy file that can be exploited look like?
A vulnerable sudoers policy file would contain a few lines that look something like this:
Cmnd_Alias SUDOEDIT = sudoedit /etc/privilegedtxt.txt
tester ALL = (ALL:ALL) SUDOEDIT
Note that on macOS systems, sudo -e is used instead of sudoedit found on other systems, but within the sudoers file syntax, sudoedit is still used.
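To make the two conditions above checkable on a fleet, here is a small audit helper. It is an added example, not BeyondTrust or sudo code: it scans sudoers text for rules that resolve to sudoedit (expanding Cmnd_Alias names, as in the policy shown above) and compares a sudo version string against 1.9.12p2, the fixed release. The sample policy embedded in the script is constructed to mirror the example; the rule shapes it parses are the one-line forms seen here, so continuation lines and include directives are not handled.

```python
"""Audit helper (added example, not BeyondTrust's or sudo's code): flag
sudoers rules that grant sudoedit, and decide whether the installed sudo
predates the CVE-2023-22809 fix (sudo 1.9.12p2). Input is constructed inline."""
import re

PATCHED_VERSION = (1, 9, 12, 2)  # sudo 1.9.12p2, the fixed version named above

# Constructed sample mirroring the vulnerable policy, plus rules that do not
# use sudoedit so the filter has something to leave alone.
SAMPLE_SUDOERS = """\
# /etc/sudoers (constructed sample)
Defaults env_reset
Cmnd_Alias SUDOEDIT = sudoedit /etc/privilegedtxt.txt
Cmnd_Alias SERVICES = /bin/launchctl
tester ALL = (ALL:ALL) SUDOEDIT
ops ALL = (ALL) SERVICES
%admin ALL = (ALL) ALL
"""


def parse_sudo_version(text):
    """Turn the first line of 'sudo -V' (e.g. 'Sudo version 1.9.5p2') into a
    comparable tuple. A missing 'pN' patch level counts as p0."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?", text)
    if not m:
        raise ValueError("no sudo version found in: %r" % text)
    major, minor, micro, patch = m.groups()
    return (int(major), int(minor), int(micro), int(patch or 0))


def sudo_is_vulnerable(version_text):
    """True when the reported sudo version is older than 1.9.12p2."""
    return parse_sudo_version(version_text) < PATCHED_VERSION


def _strip_comments(lines):
    """Yield non-empty lines with '#' comments removed."""
    for line in lines:
        line = line.split("#", 1)[0].strip()
        if line:
            yield line


def sudoedit_rules(sudoers_text):
    """Return (user_spec, command) pairs for every rule that resolves to a
    sudoedit command, expanding Cmnd_Alias definitions seen earlier in the
    file. Only the one-line rule shapes used in the example are parsed."""
    aliases = {}
    rules = []
    for line in _strip_comments(sudoers_text.splitlines()):
        m = re.match(r"Cmnd_Alias\s+(\w+)\s*=\s*(.+)", line)
        if m:
            aliases[m.group(1)] = [c.strip() for c in m.group(2).split(",")]
            continue
        if line.startswith("Defaults"):
            continue
        # user  host = (runas) command[, command...]
        m = re.match(r"(\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(.+)", line)
        if not m:
            continue
        user_spec, cmd_list = m.group(1), m.group(2)
        for cmd in (c.strip() for c in cmd_list.split(",")):
            for expanded in aliases.get(cmd, [cmd]):
                if expanded.split()[0] == "sudoedit":
                    rules.append((user_spec, expanded))
    return rules


def audit(sudoers_text, version_text):
    """Combine both checks: a system is exposed only when a sudoedit rule
    exists AND the installed sudo is older than the fixed version."""
    rules = sudoedit_rules(sudoers_text)
    return {
        "sudoedit_rules": rules,
        "sudo_vulnerable": sudo_is_vulnerable(version_text),
        "exposed": bool(rules) and sudo_is_vulnerable(version_text),
    }


if __name__ == "__main__":
    # On a real host, replace the constants with the contents of /etc/sudoers
    # and the first line of `sudo -V`.
    print(audit(SAMPLE_SUDOERS, "Sudo version 1.9.5p2"))
```

The version comparison deliberately treats 1.9.12 and 1.9.12p1 as older than the fix, since only 1.9.12p2 carries it; on a host where the policy also uses `#include` or `@includedir`, run the scan over each included file as well.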
Is CVE-2023-22809 being exploited in the wild?
There are currently no known exploits of this vulnerability in the wild. However, not all systems that use sudo have the patch available to them. macOS’ latest version (13.2.1 Ventura) is currently running sudo version 1.9.5p2. This is behind version 1.9.12p2, the patched version of sudo for this vulnerability. Since sudo is a protected part of the macOS system, only Apple can issue a patch for macOS. This means that any macOS system with a vulnerable policy configuration can be exploited.
How does BeyondTrust’s Privilege Management for Mac mitigate CVE-2023-22809?
BeyondTrust Privilege Management for Mac (PMfM) pairs powerful least privilege management and application control capabilities to provide preventative endpoint security. Our solution offers protection against CVE-2023-22809 in two different ways:
1. Eliminates the need to modify the sudoers policy file
Privilege Management for Mac provides an easy-to-use interface for generating policies that allows IT and security teams to manage their macOS end-user privileges on a granular level—without modifying sudoers policy files. This saves IT and security analysts the headache of learning sudoers policy syntax and testing deployments.
2. Provides a patched version of the sudoers plugin to prevent exploitation on an otherwise vulnerable system
As of version 23.1, the BeyondTrust Privilege Management for Mac solution uses sudo version 1.9.12p2 to build its plugin. When using our solution in a configuration where the sudo action is not set to “Passive”, the plugin will take over command line processing and prevent exploitation. Note that if your BeyondTrust policy is set for sudo actions to be “Passive”, then the default sudo on the system will be used. This allows exploitation if the system has a vulnerable version of sudo installed. As of the time of writing, the most up-to-date version available for macOS is sudo version 1.9.5p2, which is vulnerable to CVE-2023-22809.
Blocking CVE-2023-22809 - An Example Using Privilege Management for Mac
First, here is what CVE-2023-22809 being exploited on macOS looks like. On this system, a standard user named “tester” has the sudoers policy file configuration shown in the vulnerable policy example previously discussed.
As seen above, the exploit allows an attacker to edit sensitive system files, such as /etc/passwd, when the sudoers policy should only permit editing /etc/privilegedtxt.txt.
For further details on how this vulnerability works, please refer to Synacktiv’s original advisory:
On a system where Privilege Management for Mac 23.1 is installed, and the exploit is used, we see a different behavior:
The above screenshot shows the fix from sudo version 1.9.12p2 in effect. That patch specifically checks that the user’s editor does not contain a “--” argument.
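The following snippet reproduces that rule in isolation so you can see what the fixed sudo rejects. It is an added example, not sudo’s or BeyondTrust’s code: it looks up the editor in the order sudoedit uses (SUDO_EDITOR, then VISUAL, then EDITOR), splits the value into arguments the way a shell would, and refuses any editor whose argument list contains a literal “--”. The environment mappings in the test are constructed; the script never touches the real environment unless run directly.

```python
"""Added example (not sudo's or BeyondTrust's code): mirror the post-fix rule
that the user-supplied editor must not carry a '--' argument, which is what
stops an injected '--' from changing the file list sudoedit was told to edit."""
import os
import shlex

# Order in which sudoedit consults the editor variables.
EDITOR_VARS = ("SUDO_EDITOR", "VISUAL", "EDITOR")


def editor_args(value):
    """Split an editor string like a shell would:
    '/usr/bin/vim -u NONE' -> ['/usr/bin/vim', '-u', 'NONE'].
    Raises ValueError on unbalanced quotes."""
    return shlex.split(value)


def editor_is_safe(value):
    """True unless the editor string is empty, unparsable, or any of its
    arguments is exactly '--' (the check the 1.9.12p2 fix introduced)."""
    try:
        args = editor_args(value)
    except ValueError:
        return False
    return bool(args) and "--" not in args


def check_editor_env(env):
    """Find the first editor variable that is set, in sudoedit's lookup
    order, and report (variable, argv, passes_check). Returns
    (None, [], False) when no editor variable is set at all."""
    for var in EDITOR_VARS:
        value = env.get(var)
        if value is None:
            continue
        try:
            argv = editor_args(value)
        except ValueError:
            argv = []
        return var, argv, editor_is_safe(value)
    return None, [], False


def rejected_editor_vars(env):
    """List every editor variable in env that the fixed check would refuse;
    useful as a pre-flight warning on hosts that still run an older sudo."""
    return [v for v in EDITOR_VARS if v in env and not editor_is_safe(env[v])]


if __name__ == "__main__":
    var, argv, ok = check_editor_env(os.environ)
    print("editor source:", var, "argv:", argv, "accepted:", ok)
    print("rejected variables:", rejected_editor_vars(os.environ))
```

Because the check is on whole arguments, an editor flag such as `--clean` passes while a bare `--` does not; that matches the behaviour shown in the screenshot, where the patched sudo refuses the injected editor string rather than silently trimming it.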
Enhancing your macOS Security with BeyondTrust - Learn more
Using BeyondTrust Privilege Management for Mac can enhance your macOS security. As evidenced by CVE-2023-22809, BeyondTrust is committed to providing best-in-class security to protect our users. Our vigilant monitoring of the threats that face our customers allows us to create products that keep them safe from cyber threats, while empowering a modern, work-from-anywhere workforce.
Contact us to learn more.
Steven McKinnon, Senior Application Security Engineer
Steven McKinnon is a Senior Application Security Engineer at BeyondTrust. Steven has been with BeyondTrust for over 6 years, bringing a passion for security to help build secure software.