VA: Becoming root

Hello community members,

Creating a file, let’s name it root, with the content seen in the screenshot below and executing the command `sudo /usr/bin/cp -t /etc/sudoers.d/ root *.pem /etc/ssl/certs` allows the user sailpoint to execute any command as root afterwards.

I guess SailPoint doesn’t see this as a problem.

In practice the virtual appliance is a single-user system, and that user is intended to be an administrator. The assignment of a user rather than root is intended to prevent the installation of unsupported applications.

5 Likes

Were you for example able to maybe add a custom yum repo and make queries?

@colin_mckibben @colin_mckibben take a look at this

I did add Jordan to my comment previously because this finding looks like a possible gap and would require a hot fix if need be.

Hi @pierre_mouallem, while I understand some of your arguments, I think this goes against the “defence in depth” practice, which would definitely be expected from a tool that has “Security” in its name.

I still think that the current sudoers configuration is buggy, by allowing execution of commands that are not supported.

What I am missing from your answer is: “we will carefully review the current sudoers configuration and we will tighten the security around the sudoers file, so that an escalation is not possible anymore”.

SailPoint does not support any actions taken outside of the configured, limited SUDO permissions.

Technically the commands presented are within the configured, limited sudo permissions.

2 Likes

Another argument is that with the incorrect sudoers, people can look into how the CCG and VA_Agent work and even manipulate them in order to exploit them and have them provision on the company's target systems.

This is very worrying. And it was not the answer I was expecting, to be honest.

4 Likes
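Added example, not part of any post in this thread and not SailPoint's code or configuration: a small audit that models how sudoers matches command arguments (joined into one string and globbed, so `*` also matches spaces and `/`) and flags entries that allow more than intended. The thread does not show the appliance's sudoers file, so the `WEAK` entry is an assumed rule shape inferred from the posted command, and `HARDENED` and all function names are constructed for illustration.

```python
import fnmatch
import shlex

# Assumed rule shape; the thread does not show the appliance's sudoers file.
WEAK = "/usr/bin/cp *.pem /etc/ssl/certs"
# Constructed tightened entry: fixed file name, no wildcard.
HARDENED = "/usr/bin/cp custom-ca.pem /etc/ssl/certs"
# Invocation quoted in the first post (without the leading "sudo").
PROBE = "/usr/bin/cp -t /etc/sudoers.d/ root *.pem /etc/ssl/certs"


def split_entry(entry):
    """Split a sudoers command entry into (path, argument pattern)."""
    path, _, pattern = entry.strip().partition(" ")
    return path, pattern.strip()


def args_match(pattern, argv):
    """Model sudoers argument matching: the arguments are joined into one
    string and globbed, so '*' also matches spaces and '/'."""
    if pattern == "":          # no arguments listed: any arguments allowed
        return True
    if pattern == '""':        # explicit "": only a bare invocation allowed
        return not argv
    return fnmatch.fnmatchcase(" ".join(argv), pattern)


def audit(entry, probes):
    """Return findings for one entry; probes are invocations the rule
    author did not intend to allow."""
    path, pattern = split_entry(entry)
    findings = []
    if any(ch in pattern for ch in "*?["):
        findings.append(f"{path}: wildcard in arguments {pattern!r}")
    for probe in probes:
        argv = shlex.split(probe)
        if argv[0] == path and args_match(pattern, argv[1:]):
            findings.append(f"{path}: rule also allows: {probe}")
    return findings


if __name__ == "__main__":
    for entry in (WEAK, HARDENED):
        print(entry, "->", audit(entry, [PROBE]) or "no findings")
```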
