CVE-2026-52817
Linuxfabrik Monitoring Plugins: Sudoers may be able to obtain privilege escalation via /usr/bin/apt-get arguments
描述
### Summary In the [Debian.sudoers](https://github.com/Linuxfabrik/monitoring-plugins/blob/main/assets/sudoers/Debian.sudoers) file, `apt-get` is allowed for the nagios user. The full command including the arguments are not enforced and can therefore be choosen arbitrarily. This allows to easily get a root shell as the nagios user: ### PoC By choosing a particular argument, you can get (as a nagios user) a root shell: ``` sudo apt-get update -o APT::Update::Pre-Invoke::="/bin/sh" ``` Since the nagious user can use sudo to run apt-get as root, the resulting shell is also running as root. ### Impact The vulnerability is a local privilege escalation, impacting users who use the provided sudoers file. It requires that an attacker already compromised the nagios account (which is quite a high barrier to be honest). ### Fix Since only one place where `apt-get` is currently used (in [deb-updates](https://github.com/Linuxfabrik/monitoring-plugins/blob/998302a5fb43e89df1359f4cbb6558f81c96ae4f/check-plugins/deb-updates/deb-updates#L124)) was found, it should be enough to allow only the specific arguments used there. Here an example how the line in the sudoers file could look like: ``` /usr/lib64/nagios/plugins/strongswan-connections,\ /usr/lib64/nagios/plugins/systemd-unit,\ /usr/bin/apt-get update --quiet 2 ```
如何修補 CVE-2026-52817
要修補 CVE-2026-52817,請將受影響套件升級到下列已修補版本。
- —升級至 5.1.0 或更新版本
CVE-2026-52817 正在被利用嗎?
目前沒有被利用訊號。CVE-2026-52817 既不在 CISA KEV 也沒有最新的 EPSS 分數。
受影響套件(1)
- from 0, < 5.1.0
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P |