CVE-2022-29527
Description
Amazon AWS amazon-ssm-agent before 3.1.1208.0 creates a world-writable sudoers file, which allows local attackers to inject Sudo rules and escalate privileges to root. This occurs in certain situations involving a race condition.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Amazon SSM Agent before 3.1.1208.0 creates a world-writable sudoers file, allowing local attackers to inject Sudo rules and escalate privileges via a race condition.
Vulnerability
In Amazon AWS amazon-ssm-agent versions before 3.1.1208.0, the createSudoersFileIfNotPresent function in agent/session/utility/utility_unix.go creates the sudoers file /etc/sudoers.d/ssm-agent-users using os.Create(), which sets the file mode to 0666 (world-writable) before a subsequent chmod to 0440 [1][2]. This creates a race window during which a local attacker can modify the file. The vulnerability occurs when the sudoers file does not already exist at the time of agent startup [1].
Exploitation
A local attacker must time their write operation to the sudoers file between its creation via os.Create() and the call to os.Chmod() that restricts permissions [1]. No authentication beyond local system access is required; the attacker simply needs to write malicious Sudo rules into the file during the race window. The attacker must be able to run code on the same machine as the agent [1][2].
Impact
Successful exploitation allows a local attacker to inject arbitrary Sudo rules, granting themselves passwordless root privileges on the system. The attacker can then execute any command with elevated privileges, leading to full compromise of the host [1].
Mitigation
The fix was released in version 3.1.1208.0 on 2022-04-04 [3]. The commit changes the file creation to use os.OpenFile with mode 0640 instead of 0666, eliminating the race condition by never creating a world-writable file [2]. Users should update to version 3.1.1208.0 or later. No workaround other than updating is documented.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
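The permission window described under Vulnerability and the creation-time mode described under Mitigation, as an added Go example (not the agent's own code): it runs both file-creation patterns in a temporary directory and reports the mode visible before the final chmod. The helper names, the temp paths, the forced umask of 0 and the O_EXCL flag are assumptions of this example.

```go
package main

import (
	"fmt"
	"os"
	"syscall"
)

// windowMode creates path, then reports the permission bits visible before the final chmod to 0440.
func windowMode(path string, create func(string) (*os.File, error)) (os.FileMode, error) {
	f, err := create(path)
	if err != nil {
		return 0, err
	}
	defer f.Close()
	info, err := f.Stat() // what a concurrent local process would see in the window
	if err != nil {
		return 0, err
	}
	return info.Mode().Perm(), os.Chmod(path, 0o440)
}

// Pre-fix pattern: os.Create requests mode 0666, reduced only by the process umask.
func createLegacy(path string) (*os.File, error) { return os.Create(path) }

// Post-fix pattern: mode 0640 at creation (per the page); the flags, incl. O_EXCL, are assumptions.
func createRestricted(path string) (*os.File, error) {
	return os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0o640)
}

// Demo runs both patterns in a temp dir under umask 0 and returns each window mode.
func Demo() (legacy, fixed os.FileMode, err error) {
	old := syscall.Umask(0) // worst case: nothing masks the requested mode
	defer syscall.Umask(old)
	dir, err := os.MkdirTemp("", "sudoers-demo")
	if err != nil {
		return 0, 0, err
	}
	defer os.RemoveAll(dir)
	if legacy, err = windowMode(dir+"/legacy", createLegacy); err != nil {
		return
	}
	fixed, err = windowMode(dir+"/fixed", createRestricted)
	return
}

func main() {
	l, f, err := Demo()
	fmt.Printf("legacy window: %04o, fixed window: %04o, err: %v\n", l, f, err)
}
```

With a umask of 0 the legacy window is 0666 and the restricted one is 0640, so only the legacy file is ever writable by other users.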
Affected products
- Amazon AWS/amazon-ssm-agent (description)
- Range: <3.1.1208.0
- osv-coords (8 versions):
  - pkg:rpm/opensuse/amazon-ssm-agent&distro=openSUSE%20Leap%2015.3
  - pkg:rpm/opensuse/amazon-ssm-agent&distro=openSUSE%20Leap%2015.4
  - pkg:rpm/opensuse/amazon-ssm-agent&distro=openSUSE%20Tumbleweed
  - pkg:rpm/suse/amazon-ssm-agent&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Public%20Cloud%2012
  - pkg:rpm/suse/amazon-ssm-agent&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Public%20Cloud%2015
  - pkg:rpm/suse/amazon-ssm-agent&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Public%20Cloud%2015%20SP1
  - pkg:rpm/suse/amazon-ssm-agent&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Public%20Cloud%2015%20SP2
  - pkg:rpm/suse/amazon-ssm-agent&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Public%20Cloud%2015%20SP3
- (no CPE) range: < 3.1.1260.0-150000.5.9.2
- (no CPE) range: < 3.1.1260.0-150000.5.9.2
- (no CPE) range: < 3.1.1260.0-1.1
- (no CPE) range: < 3.1.1260.0-4.27.2
- (no CPE) range: < 3.1.1260.0-150000.5.9.2
- (no CPE) range: < 3.1.1260.0-150000.5.9.2
- (no CPE) range: < 3.1.1260.0-150000.5.9.2
- (no CPE) range: < 3.1.1260.0-150000.5.9.2
Patches
No patches discovered yet.
References
- [1] bugzilla.suse.com/show_bug.cgi (mitre, x_refsource_MISC)
- [2] github.com/aws/amazon-ssm-agent/commit/0fe8ae99b2ff25649c7b86d3bc05fc037400aca7 (mitre, x_refsource_MISC)
- [3] github.com/aws/amazon-ssm-agent/releases/tag/3.1.1208.0 (mitre, x_refsource_MISC)