Researchers have discovered a security vulnerability in the Linux SUDO command that threatens numerous Linux servers. The flaw could allow arbitrary users to run commands as root on target devices.
Linux SUDO Vulnerability Discovered
A researcher from Apple Information Security, Joe Vennix, discovered a security flaw targeting Linux servers. The vulnerability primarily existed in the Linux SUDO command, allowing low privileged users to run commands as root.
Essentially, the SUDO command (superuser do) allows underprivileged users to run root commands on a Linux device. SUDO, however, only allows this privilege when configured to do so, or when the underprivileged user knows the root password. SUDO also allows a user to run commands as another user when configured accordingly.
Due to the bug, SUDO functioned abnormally, allowing anyone to bypass the check. Thus, even when the configuration disallowed underprivileged users to run root commands, SUDO would let them bypass with UID -1 or 4294967295.
According to the description in the security advisory,
When sudo is configured to allow a user to run commands as an arbitrary user via the ALL keyword in a Runas specification, it is possible to run commands as root by specifying the user ID -1 or 4294967295.
This can be used by a user with sufficient sudo privileges to run commands as root even if the Runas specification explicitly disallows root access as long as the ALL keyword is listed first in the Runas specification.
The advisory also details the exploit for the vulnerability CVE-2019-14287.
Patch Rolled Out
Fortunately many Linux servers remain unaffected. This is because the vulnerability mainly works for non-standard configurations allowing arbitrary user IDs.
Exploiting the bug requires that the user have sudo privileges that allow them to run commands with an arbitrary user ID. Typically, this means that the user’s sudoers entry has the special value ALL in the Runas specifier.
Since this isn’t the default configuration, most Linux users remain unaffected from the flaw.
Nonetheless, for those with the vulnerable configuration, the flaw affects Sudo versions prior to 1.8.28. Thus, upgrading systems to sudo 1.8.28 is essential to stay protected from the risk of exploit.