Security Onion v2 prior to 2.3.10 has an incorrect sudo configuration

Low
dougburks published GHSA-h5v3-qxcr-8cfc Nov 30, 2020

Package

Security Onion 2

Affected versions

< 2.3.10

Patched versions

2.3.10

Description

Impact

Security Onion v2 prior to 2.3.10 has an incorrect sudo configuration, which allows the administrative user to obtain root access without using the sudo password by editing and executing /home/<user>/SecurityOnion/setup/so-setup. This only applies to installations performed using the Security Onion ISO image. Network installations built on top of standard CentOS/Ubuntu ISO images are not affected.

Patches

This issue has been resolved in Security Onion 2.3.10. Starting in 2.3.10, new installations will automatically remove the entry from /etc/sudoers. Older installations running soup to update will be prompted to run visudo and remove the extra entry from /etc/sudoers.

Workarounds

Affected users can run sudo visudo and remove the extra entry from /etc/sudoers.
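As an added example (not part of this advisory or of the Security Onion project), the following POSIX shell audit flags sudoers rules of the kind described above: passwordless (`NOPASSWD`) rules whose command path lies under `/home/`, where the invoking user can edit the file. It assumes the stray entry was a `NOPASSWD` rule (inferred from "without using the sudo password"); the sample sudoers content is constructed, not Security Onion's real file.

```shell
#!/bin/sh
# Audit a sudoers file for NOPASSWD rules on commands under /home/.
# Added example; assumes the problematic entry is a NOPASSWD rule.

# audit_sudoers FILE
# Prints each non-comment rule that grants NOPASSWD for a command whose
# path starts with /home/ (e.g. "NOPASSWD: /home/onion/.../so-setup").
# Exit status follows grep: 0 if at least one such rule was found.
audit_sudoers() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" \
      | grep -E 'NOPASSWD:.*[[:space:],]/home/'
}

# sudoers_is_clean FILE
# Returns 0 when no home-directory NOPASSWD rule exists, 1 otherwise.
sudoers_is_clean() {
    if audit_sudoers "$1" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# write_sample_sudoers FILE
# Writes a constructed sample: two ordinary rules followed by a rule of
# the shape this advisory describes (a user-owned script run as root
# without a password).
write_sample_sudoers() {
    cat > "$1" <<'EOF'
# constructed sample sudoers, not a real installation's file
root    ALL=(ALL)       ALL
%wheel  ALL=(ALL)       ALL
onion   ALL=(ALL)       NOPASSWD: /home/onion/SecurityOnion/setup/so-setup
EOF
}

# On a live system run as root, e.g.:  audit_sudoers /etc/sudoers
# After removing a flagged entry with visudo, re-run sudoers_is_clean.
```

Because `sudo visudo` is the supported way to edit the file, use the audit only to locate the entry, then remove it with visudo as the workaround states.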

References

https://blog.securityonion.net/2020/11/security-onion-2310-now-available.html
https://s1gh.sh/cve-2020-27985-security-onion-local-privilege-escalation/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27985

For more information

If you have any questions or comments about this advisory:

Thanks

Thanks to Tommy Ingdal for responsibly disclosing this issue per our responsible disclosure process at https://docs.securityonion.net/en/2.3/security.html.

Severity

Low

CVE ID

CVE-2020-27985

Weaknesses

No CWEs