remctl 2018-04-01 Advisory

Vulnerability type: Use after free, double free
Versions affected: 3.12 and 3.13
Versions fixed: 3.14 and later
Reported: 2018-03-30
Public announcement: 2018-04-01
CVE IDs: CVE-2018-0493

Santosh Ananthakrishnan discovered incorrect memory management in the remctld and remctl-shell servers when handling commands with the sudo configuration option. For remctld, it may be possible (although it appears to be difficult) for a client to execute arbitrary commands on the server. To exploit this vulnerability, the client must have access to run a command that uses the sudo configuration option. The client would then need to run the command using sudo multiple times in a single connection using keep-alive.

I'm not aware of any exploits in the wild. remctl-shell is not affected, only remctld.

This problem has been fixed in remctl 3.14, available from:

https://www.eyrie.org/~eagle/software/remctl/

It has also been fixed in Debian stable (stretch) in the 3.13-1+deb9u1 package version, and in Debian unstable in the 3.14-1 package version. Only the remctl-server package is affected. This bug is not present in older Debian releases.
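A check of an installed remctl-server version against the affected and fixed versions listed above, added here as an example that is not part of this advisory or of remctl itself. It re-implements dpkg's version ordering so it runs without dpkg, and assumes that any version string carrying a Debian revision is a Debian package (so a stretch build at or above 3.13-1+deb9u1 counts as fixed).

```python
import re
from itertools import zip_longest

# Facts from the advisory (CVE-2018-0493): upstream 3.12 and 3.13 are affected,
# 3.14 and later are fixed, and Debian stretch shipped the fix as 3.13-1+deb9u1.
FIRST_AFFECTED, FIRST_FIXED = "3.12", "3.14"
FIXED_DEBIAN = {"stretch": "3.13-1+deb9u1", "unstable": "3.14-1"}


def _char_order(c):
    """dpkg ordering for non-digit characters: '~' < end of string < letters < others."""
    if c == "~":
        return -1
    if c == "":
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256


def _cmp_part(a, b):
    """Compare an upstream or revision string as dpkg does: alternate non-digit
    runs (ordered by _char_order) with digit runs (compared numerically)."""
    while a or b:
        na, nb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        a, b = a[len(na):], b[len(nb):]
        for x, y in zip_longest(na, nb, fillvalue=""):
            if x != y:
                return 1 if _char_order(x) > _char_order(y) else -1
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        a, b = a[len(da):], b[len(db):]
        if int(da or 0) != int(db or 0):
            return 1 if int(da or 0) > int(db or 0) else -1
    return 0


def dpkg_compare(v1, v2):
    """Return -1, 0 or 1 for two Debian versions of the form [epoch:]upstream[-revision]."""
    def split(v):
        epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
        upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
        return int(epoch), upstream, revision
    e1, u1, r1 = split(v1)
    e2, u2, r2 = split(v2)
    if e1 != e2:
        return 1 if e1 > e2 else -1
    return _cmp_part(u1, u2) or _cmp_part(r1, r2)


def remctl_affected(version):
    """True if this remctl-server version is still affected by CVE-2018-0493."""
    upstream = version.split(":", 1)[-1].rsplit("-", 1)[0]
    if dpkg_compare(upstream, FIRST_AFFECTED) < 0 or dpkg_compare(upstream, FIRST_FIXED) >= 0:
        return False  # bug absent before 3.12; fixed from 3.14 on
    if "-" in version:  # assumed Debian package: the patched stretch build is fixed
        return dpkg_compare(version, FIXED_DEBIAN["stretch"]) < 0
    return True  # unpatched 3.12 or 3.13 built from source
```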

My apologies for this memory management error. It's an obvious error in context and was probably left over from a code refactoring when developing the sudo feature. I hope to include better automated memory management testing in the next release of remctl after 3.14.

Last spun 2022-02-06 from thread modified 2018-04-01