Vulnerability CVE-2022-29527

Vulnerability Name:

CVE-2022-29527 (CCN-224878)

Assigned:

2022-04-20

Published:

2022-04-20

Updated:

2022-05-03

Summary:

Amazon AWS amazon-ssm-agent before 3.1.1208.0 creates a world-writable sudoers file, which allows local attackers to inject Sudo rules and escalate privileges to root. This occurs in certain situations involving a race condition.

CVSS v3 Severity:

7.0 High (CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
6.1 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Local Attack Complexity (AC): High Privileges Required (PR): Low User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): High Integrity (I): High Availibility (A): High

7.8 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
6.8 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Local Attack Complexity (AC): Low Privileges Required (PR): Low User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): High Integrity (I): High Availibility (A): High

CVSS v2 Severity:

6.9 Medium (CVSS v2 Vector: AV:L/AC:M/Au:N/C:C/I:C/A:C)

Exploitability Metrics:	Access Vector (AV): Local Access Complexity (AC): Medium Authentication (Au): None
Impact Metrics:	Confidentiality (C): Complete Integrity (I): Complete Availibility (A): Complete

6.8 Medium (CCN CVSS v2 Vector: AV:L/AC:L/Au:S/C:C/I:C/A:C)

Exploitability Metrics:	Access Vector (AV): Local Access Complexity (AC): Low Athentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): Complete Integrity (I): Complete Availibility (A): Complete

Vulnerability Type:

CWE-noinfo

Vulnerability Consequences:

Gain Privileges

References:

Source: MITRE
Type: CNA
CVE-2022-29527

Source: CCN
Type: Bugzilla - Bug 1196556
(CVE-2022-29527) VUL-0: CVE-2022-29527: amazon-ssm-agent: creates world-writable sudoers file during runtime (race condition)

Source: MISC
Type: Exploit, Issue Tracking, Third Party Advisory
https://bugzilla.suse.com/show_bug.cgi?id=1196556

Source: XF
Type: UNKNOWN
aws-cve202229527-priv-esc(224878)

Source: CCN
Type: amazon-ssm-agent GIT Repository
Create ssm-agent-users sudoer file with constrained file permission

Source: MISC
Type: Patch, Third Party Advisory
https://github.com/aws/amazon-ssm-agent/commit/0fe8ae99b2ff25649c7b86d3bc05fc037400aca7

Source: MISC
Type: Patch, Release Notes, Third Party Advisory
https://github.com/aws/amazon-ssm-agent/releases/tag/3.1.1208.0

Vulnerable Configuration:

Configuration 1:

cpe:/a:amazon:amazon_ssm_agent:*:*:*:*:*:*:*:* (Version < 3.1.1208.0)

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.opensuse.security:def:3449	P	bzip2-1.0.6-30.8.1 on GA media (Moderate)	2022-06-28
oval:org.opensuse.security:def:95079	P	amazon-ssm-agent-3.1.1260.0-150000.5.9.2 on GA media (Moderate)	2022-06-22
oval:org.opensuse.security:def:93449	P	(Important)	2022-05-03
oval:org.opensuse.security:def:118379	P	Security update for amazon-ssm-agent (Important)	2022-05-03
oval:org.opensuse.security:def:1558	P	Security update for amazon-ssm-agent (Important)	2022-05-03
oval:org.opensuse.security:def:93803	P	(Important)	2022-05-03
oval:org.opensuse.security:def:466	P	Security update for amazon-ssm-agent (Important)	2022-05-03
oval:org.opensuse.security:def:94229	P	(Important)	2022-05-03
oval:org.opensuse.security:def:93131	P	(Important)	2022-05-03
oval:org.opensuse.security:def:102123	P	Security update for amazon-ssm-agent (Important) (in QA)	2022-04-26

BACK