A vulnerability discovered in Sudo allows unauthorized users to run commands as root

A vulnerability has recently been discovered in Sudo that allows the security policy on Linux-based distributions to be bypassed, which could let a user run commands as root even if that root access was not specifically allowed. This critical flaw was discovered by Joe Vennix of Apple Information Security.

This vulnerability has already been fixed, and the patch prevents potentially serious consequences on Linux systems. However, the Sudo vulnerability posed a threat only to a narrow segment of Linux users, according to Todd Miller, software developer and senior engineer at Quest Software and maintainer of the open source project Sudo.

"Most Sudo settings are not affected by the bug. Non-business home users are unlikely to be affected at all."

By default on most Linux distributions, the ALL keyword in the Runas specification of the /etc/sudoers file allows users in the admin or sudo groups to run any command on the system.

However, because separation of privileges is one of the fundamental security paradigms in Linux, administrators can configure the sudoers file to define exactly who is allowed to do what (for example, run a particular command).

The new vulnerability, CVE-2019-14287, could give a low-privileged user or a malicious program the ability to perform actions or execute arbitrary code as root (the superuser) on a target system, even when the sudoers configuration does not allow that access.

An attacker can exploit this vulnerability by specifying the user ID -1 or 4294967295, because the function responsible for converting the ID to a username treats these two values exactly as 0, which is the superuser's ID.

Suppose you have configured a user "X" as a sudoer on the mybox server to execute a command as any other user except root: "X mybox = (ALL, !root) /usr/bin/command".

You can trust X to monitor other users' files and activities, but X does not have superuser access.

This should allow user X to execute the command as anyone other than root. However, if X runs "sudo -u#-1 id -u" or "sudo -u#4294967295 id -u", the constraint is bypassed and X can run the command of their choice as root.

Also, since the user ID specified through the -u option does not exist in the password database, no PAM session modules will run.

This vulnerability only affects sudo configurations that have a Runas user list in which root is excluded. Root can also be identified in other ways: by its user ID, as in "user ALL = (ALL, !#0) /usr/bin/command", or by reference to a Runas alias.

Therefore, in the specific scenario where you have been allowed to run a command as any other user except root, the vulnerability can still allow you to bypass this security policy and take full control of the system as root.

The vulnerability affects all versions of Sudo prior to the latest version, 1.8.28, which was recently released and will be rolling out as an update for the various Linux distributions soon.
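As an added example (not code from this article or from the sudo project), the following Python script shows the two checks an administrator would run against the scenario described above: it scans sudoers text for Runas specifications that grant ALL but exclude root (by name, by "#0", or through a Runas_Alias), and it compares the banner line of "sudo -V" against the fixed version 1.8.28. The sample sudoers content, the host name mybox, the user names and the alias ROOTLIKE are constructed for the example. A real audit would read /etc/sudoers and /etc/sudoers.d/* (which requires root), and the parser is deliberately simple: it does not handle line continuations, #include directives or inline comments.

```python
"""Audit helper for CVE-2019-14287 exposure (constructed example).

Flags sudoers Runas user lists that grant ALL but negate root, and
reports whether a `sudo -V` banner is older than the fixed release.
Not the sudo project's code; the sudoers sample below is made up.
"""
import re

FIXED_VERSION = (1, 8, 28)

# The Runas part of a sudoers entry looks like "(user_list[:group_list])".
RUNAS_RE = re.compile(r"\(([^)]*)\)")

# Constructed sample; not taken from any real host.
SAMPLE_SUDOERS = """\
# constructed sample, not a real host's file
Defaults env_reset
Runas_Alias ROOTLIKE = root
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
alice   mybox=(ALL, !root) /usr/bin/command
bob     ALL=(ALL, !#0) /usr/bin/command
carol   ALL=(ALL, !ROOTLIKE) /usr/bin/command
dave    ALL=(www-data) /usr/bin/command
"""


def parse_version(banner):
    """Turn the first line of `sudo -V` ("Sudo version 1.8.27") into a tuple."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError("no version number found in: %r" % banner)
    return tuple(int(part) for part in m.groups())


def version_is_vulnerable(banner):
    """True when the installed sudo predates 1.8.28."""
    return parse_version(banner) < FIXED_VERSION


def expand(entry, aliases):
    """Resolve a Runas_Alias name to its members; plain names pass through."""
    return aliases.get(entry, [entry])


def runas_excludes_root(runas_users, aliases):
    """True if the Runas user list grants ALL and negates root by name,
    by numeric id (#0), or via an alias that resolves to one of those."""
    entries = [e.strip() for e in runas_users.split(",") if e.strip()]
    positive = [m for e in entries if not e.startswith("!") for m in expand(e, aliases)]
    negated = [m for e in entries if e.startswith("!") for m in expand(e[1:].strip(), aliases)]
    grants_all = "ALL" in positive
    excludes_root = any(m in ("root", "#0") for m in negated)
    return grants_all and excludes_root


def audit_sudoers(text):
    """Return (line_number, line) for every entry matching the affected pattern."""
    aliases = {}
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("Runas_Alias"):
            name, _, members = line[len("Runas_Alias"):].partition("=")
            aliases[name.strip()] = [m.strip() for m in members.split(",")]
            continue
        m = RUNAS_RE.search(line)
        if not m:
            continue
        runas_users = m.group(1).split(":", 1)[0]  # drop the group list
        if runas_excludes_root(runas_users, aliases):
            findings.append((lineno, line))
    return findings


if __name__ == "__main__":
    for lineno, line in audit_sudoers(SAMPLE_SUDOERS):
        print("affected pattern at line %d: %s" % (lineno, line))
    print("vulnerable version:", version_is_vulnerable("Sudo version 1.8.27"))
```

On the constructed sample the script reports the alice, bob and carol entries and leaves the root, %sudo and dave entries alone, which matches the article's description: only Runas lists that exclude root are affected, whether root is named, given as #0, or hidden behind an alias.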

Since the attack works on a specific use case of the sudoers configuration file, it should not affect a large number of users.

However, all Linux users are advised to update the sudo package to the latest version as soon as possible.

The developers released the patch for Sudo several days ago. However, because it must be packaged for each Linux distribution and distributed across the hundreds of communities that maintain Linux operating systems, the package may take a few more days to reach some distributions.

If you want to know more about it, you can consult the following link.

