Cloud Vulnerability DB
A community-led vulnerabilities database
Amazon AWS amazon-ssm-agent before version 3.1.1208.0 contained a vulnerability that created a world-writable sudoers file, which could allow local attackers to inject Sudo rules and escalate privileges to root. The vulnerability (CVE-2022-29527) was discovered by Matthias Gerstner from SUSE and was disclosed on April 20, 2022. The root cause was a race condition: the sudoers file was temporarily created with world-writable permissions (0666) before its permissions were changed to the intended value (SUSE Bugzilla, NVD).
The vulnerability existed in the agent/session/utility/utility_unix.go file of the amazon-ssm-agent. When creating the sudoers file, the code called os.Create(), which creates files with the default permissions (0666), making the file world-writable. Although the code subsequently changed the permissions to 0440, there was a window in which the file was writable by every local user. The issue was particularly concerning on systems where /etc/sudoers.d was world-readable, such as Debian Linux, where the directory has 755 permissions (SUSE Bugzilla).
The vulnerability could allow local attackers to inject Sudo rules during the window when the sudoers file was world-writable, potentially leading to privilege escalation to root. The impact was most severe on systems where the /etc/sudoers.d directory was world-readable (CloudVulnDB).
The vulnerability was fixed in amazon-ssm-agent version 3.1.1208.0. The fix changed the file creation process to use os.OpenFile with specific permissions (0640) instead of os.Create with default permissions. Users should upgrade to version 3.1.1208.0 or later to address this vulnerability (GitHub Commit, GitHub Release).
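The racy pattern beside the fixed one, as an added Go example that is not the agent's own code: writeSudoersRacy calls os.Create and only then chmods to 0440, reporting the mode visible between the two calls, while writeSudoersSafe passes the 0640 mode to os.OpenFile so no wider interim state exists. The function names, the O_WRONLY|O_CREATE|O_TRUNC flags and the sample rule are assumptions of this example, and umask 0 is set only to reproduce the 0666 the report describes.

```go
package main

import (
	"os"
	"syscall"
)

// Constructed sample rule; its content is irrelevant to the permission check.
const sampleRule = "ssm-user ALL=(ALL) NOPASSWD:ALL\n"
// permOf returns the permission bits currently visible on path (0 on error).
func permOf(path string) os.FileMode {
	if fi, err := os.Stat(path); err == nil {
		return fi.Mode().Perm()
	}
	return 0
}
// writeSudoersRacy reproduces the pre-3.1.1208.0 pattern: os.Create opens the file
// 0666 (minus umask) and only afterwards chmods it to 0440. It returns the mode
// any local user could observe inside that window.
func writeSudoersRacy(path, rule string) (interim os.FileMode, err error) {
	f, err := os.Create(path) // window opens: mode 0666 &^ umask
	if err != nil {
		return 0, err
	}
	defer f.Close()
	if _, err = f.WriteString(rule); err != nil {
		return 0, err
	}
	interim = permOf(path)
	return interim, os.Chmod(path, 0o440) // window closes
}

// writeSudoersSafe mirrors the fix: the restrictive mode is part of the open(2)
// call (exact flags are an assumption), so no wider interim state ever exists.
// The mode applies only on creation; a pre-existing file keeps its own mode.
func writeSudoersSafe(path, rule string) error {
	f, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0o640)
	if err != nil {
		return err
	}
	defer f.Close()
	_, err = f.WriteString(rule)
	return err
}

// demoRace runs both variants under umask 0 (reproducing the report's 0666) and
// returns the interim, final and fixed-variant modes; it alters the process umask.
func demoRace(dir string) (interim, final, safe os.FileMode, err error) {
	defer syscall.Umask(syscall.Umask(0))
	if interim, err = writeSudoersRacy(dir+"/racy", sampleRule); err == nil {
		err = writeSudoersSafe(dir+"/safe", sampleRule)
	}
	return interim, permOf(dir + "/racy"), permOf(dir + "/safe"), err
}
```

Run demoRace against a scratch directory: the interim mode comes back as 0666 and the fixed variant never exposes a group or other write bit.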
Source: This report was generated using AI