Sudo Vulnerability Enables Anyone to Execute Commands as Root
- A researcher discovered a severe flaw in the sudo program, which enables root command execution by anyone.
- The trick is to use one of the two ID numbers that are wrongfully converted to zero.
- A fix will soon be ready, but most will have to install the package manually instead of waiting for the update.
Sudo is a program that allows users to execute commands with “superuser” privileges. It is a convenient tool that is to be found across almost any Linux distribution, enabling users to do things like fetching a software package and installing it, changing system settings, and performing other critical actions. For a user to be able to use “sudo”, they will need to be in the “sudoers” list, and also provide their password when they try to use the command. To enter the sudoers list, one would have to provide the admin/root password.
Obviously, finding a way to go around this process would have dire consequences for the security of a Linux system, as an unprivileged user would be able to execute commands as root. This type of vulnerability was recently discovered by Joe Vennix, a researcher of Apple Information Security. Given the identifier “CVE-2019-14287”, the flaw allows a user to execute commands as a different user (even as the root), without providing any password. According to the researcher, all that is needed is for the attacker is to specify their user ID as “-1” or as “4294967295”. This exploits a flaw in the conversion function, which essentially treats -1 and 4294967295 as “0”, and zero always belongs to the root user.
Still though, one would think that when trying to execute commands as root, the root password should still be required. However, because the user ID is specified via the -u option (sudo -u#-1) isn’t corresponding to any entry in the password database, no Pluggable Authentication Modules (PAM) will be invoked. Long story short, the attacker won’t have to provide a password in order to run any command they want.
Red Hat has assigned a CVSS v3 score of 7.8 to this privilege escalation flaw, so it is highly critical. However, an attacker would have to have local access in order to carry out this otherwise simple attack. All sudo versions from 1.8.28 and older are affected, so this includes all RHEL installations, CentOS, Ubuntu, Debian, Mint, Fedora, and many more. For users of Arch Linux and derivatives like Manjaro, you will soon receive the sudo update on your repositories. The rest would be better updating the sudo package manually, as this is a severe risk that you can’t just live with for extended periods of time.
Do you use Linux? What is your distribution of choice? Let us know in the comments below, or on our socials, on Facebook and Twitter.