[Labs-announce] sudo vulnerability in toollabs
abogott at wikimedia.org
Mon Feb 22 03:46:01 UTC 2016
We discovered a serious security vulnerability on toollabs. The
vulnerability is now closed, and there’s no evidence that it was
exploited. Nevertheless if you have private passwords stored on a
toollabs host, change them!
- Rambling explanation
Earlier today it was pointed out to me that sudo policies within
Toollabs were overly permissive -- any user with a tools login was able
to sudo and potentially change their identity to root or to another
user. I've identified the cause of the vulnerability (my fault!) and
closed it; the incorrect policies were in effect from February 12th
until earlier today.
We have already investigated the 'to root' scenario and confirmed
that it's unlikely that any labs nodes are compromised -- even the
bastion-01 case is unlikely, but best to err on the side of caution.
I have not yet audited the 'user becoming a different user' case --
that will be a big job and will most likely take much of the day
tomorrow. Even if the audit turns up nothing, though, it's technically
possible that someone might have snooped and later covered their tracks.
Given that, I recommend rotation of any passwords that provide access
to sensitive data.
- What about other labs projects?
Most labs projects have permissive sudo policies by default. A few
have locked down policies, and those projects have been closely checked.
Nonetheless, for completeness here are projects that were temporarily
less secure: 'catgraph', 'translatesvg', 'toolsbeta', 'jawiki',
'wmve-techteam', 'utrs', 'wmt', 'bastion', 'project-proxy',
'mediawiki-verp', 'glam', 'wlmjudging', 'tools'.
Note that this vulnerability did not allow any user to access hosts
they were not authorized to -- project membership was properly enforced.
Sorry for the inconvenience!
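An added example, not part of the post and not Toollabs' real sudo policy or logs (the post quotes neither): a Python script that flags sudoers rules which let a principal outside a trusted set run any command as root or as any other user, and then scans syslog-style auth.log lines for sudo identity changes inside the February 12 to 22 window the post gives. The sudoers lines, log lines, host names and the `%admins` / `%project-tools` group names are all constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sudoers-style rules; NOT the real Toollabs policy, which the post does not quote.
SUDOERS = """\
root            ALL=(ALL:ALL) ALL
%admins         ALL=(ALL) ALL
%project-tools  ALL=(ALL) NOPASSWD: ALL
%project-tools  ALL=(root) NOPASSWD: /usr/bin/systemctl restart webservice
"""
RULE_RE = re.compile(r"^(?P<who>\S+)\s+\S+=\((?P<runas>[^)]*)\)\s*(?:\w+:\s*)*(?P<cmds>.+)$")

def permissive_rules(text, trusted=("root", "%admins")):
    """Rules that let a principal outside `trusted` run ANY command as root or as any user."""
    hits = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m or m["who"] in trusted:
            continue
        runas_user = m["runas"].split(":")[0].strip()   # "(ALL:ALL)" -> "ALL"
        if runas_user in ("ALL", "root") and m["cmds"].strip() == "ALL":
            hits.append(line.strip())
    return hits

# Constructed auth.log lines in the format sudo's default syslog logging produces.
AUTH_LOG = """\
Feb 11 10:00:01 tools-bastion-01 sudo:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/ls
Feb 14 22:13:07 tools-bastion-01 sudo:     bob : TTY=pts/2 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Feb 18 09:41:55 tools-exec-1401 sudo:   carol : TTY=pts/1 ; PWD=/home/carol ; USER=tools.example ; COMMAND=/bin/bash
Feb 19 03:00:00 tools-exec-1401 CRON[123]: pam_unix(cron:session): session opened for user root by (uid=0)
Feb 23 08:00:00 tools-bastion-01 sudo:    dave : TTY=pts/0 ; PWD=/home/dave ; USER=root ; COMMAND=/bin/bash
"""
LOG_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+(?P<user>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$")

def identity_changes(log_text, year=2016, start="Feb 12", end="Feb 22"):
    """sudo invocations within [start, end] (inclusive; syslog stamps carry no year, so one is
    supplied) where the target account differs from the caller: (user, target, host, cmd)."""
    lo = datetime.strptime(f"{year} {start}", "%Y %b %d")
    hi = datetime.strptime(f"{year} {end} 23:59:59", "%Y %b %d %H:%M:%S")
    found = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue   # not a sudo line (e.g. the CRON session entry)
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        if lo <= when <= hi and m["user"] != m["target"]:
            found.append((m["user"], m["target"], m["host"], m["cmd"]))
    return found
```

Running `permissive_rules(SUDOERS)` flags only the `%project-tools ALL=(ALL) NOPASSWD: ALL` rule, while the narrow `(root)`-only rule for one command passes; `identity_changes(AUTH_LOG)` returns the two in-window identity changes and ignores the entries from before and after the window.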