[Labs-announce] sudo vulnerability in toollabs

Andrew Bogott abogott at wikimedia.org
Mon Feb 22 03:46:01 UTC 2016

- tl;dr

     We discovered a serious security vulnerability on toollabs.  The 
vulnerability is now closed, and there’s no evidence that it was 
exploited.  Nevertheless if you have private passwords stored on a 
toollabs host, change them!

- Rambling explanation

     Earlier today it was pointed out to me that sudo policies within 
Toollabs were overly permissive -- any user with a tools login was able 
to sudo and potentially change their identity to root or to another 
user.  I've identified the cause of the vulnerability (my fault!) and 
closed it; the incorrect policies were in effect from February 12th 
until earlier today.
     We have already investigated the 'to root' scenario and confirmed 
that it's unlikely that any labs nodes are compromised -- even the 
bastion-01 case is unlikely, but best to err on the side of caution.
     I have not yet audited the 'user becoming a different user' case -- 
that will be a big job and will most likely take much of the day 
tomorrow.  Even if the audit turns up nothing, though, it's technically 
possible that someone might have snooped and later covered their tracks. 
  Given that, I recommend rotation of any passwords that provide access 
to sensitive data.

- What about other labs projects?

     Most labs projects have permissive sudo policies by default.  A few 
have locked down policies, and those projects have been closely checked. 
  Nonetheless, for completeness here are projects that were temporarily 
less secure:  'catgraph', 'translatesvg', 'toolsbeta', 'jawiki', 
'wmve-techteam', 'utrs', 'wmt', 'bastion', 'project-proxy', 
'mediawiki-verp', 'glam', 'wlmjudging', 'tools', 
     Note that this vulnerability did not allow any user to access hosts 
they were not authorized to -- project membership was properly enforced.

     Sorry for the inconvenience!


More information about the Labs-announce mailing list