CVE-2018-20052

Name of the Vulnerable Software and Affected Versions Cerner Connectivity Engine (CCE) version 4

Description An issue was discovered where the user running the main CCE firmware has NOPASSWD sudo privileges to several utilities, which could be used to escalate privileges to root. For example, the command "sudo ln -s /tmp/script /etc/cron.hourly/script" could be utilized.

Recommendations For Cerner Connectivity Engine (CCE) version 4, restrict the sudo privileges of the user running the main CCE firmware to prevent escalation to root. As a temporary workaround, consider disabling the use of sudo for the affected utilities until a more permanent solution is implemented.