A vulnerability has been discovered in the sudo utility of Linux operating systems. The vulnerability allows users to run sudo commands in some cases, even if they do not have permission to do so. Most installations are not affected by the error.
The vulnerability, labeled CVE-2019-14287, was disclosed on the sudo utility's website and was found by Joe Vennix of Apple Information Security. In everyday use, sudo is used to perform updates and to install and uninstall programs. However, the capabilities of this command go much further.
Sudo allows Linux users to run certain commands in the terminal with superuser privileges. This allows users to access the root level of a Linux installation, giving them access to all operating system files and commands. Users with root access have absolute control over the system.
The commands that may be run through sudo are listed in a file called ‘sudoers’. This file also indicates which users have sudo rights. The bug allows users to circumvent these restrictions in some cases by specifying the user id in the terminal as ‘-1’ or ‘4294967295’. Sudo automatically converts these user ids to ‘0’, which is the default user id of the root user. In this way, users with insufficient rights can still access the root of a system.
The bug can only be exploited if users have permission to execute commands on behalf of other users. This must be explicitly configured in the sudoers file. In practice, the vulnerability can only be exploited if a system owner has specifically added a sudoers rule for a command that can execute other commands, for example ‘vim’.
For example, the sudoers file might say ‘myhost Bob = (ALL, !root) /usr/bin/vim’. In this case, user Bob may use vim as any user except the root user. Exploiting the vulnerability nevertheless allows Bob to use vim as the root user. This allows him to run a root shell, after which he can use all possible commands with root access on the affected system. He now has complete control over the system. Before the vulnerability can be exploited, the user must first have permission to use the vim command on behalf of other users. This must be explicitly put in the sudoers file by the root user. Exploitation of this vulnerability is therefore almost impossible on a standard installation, as these kinds of permissions are not set by default in most Linux distributions.
The security flaw has been fixed in sudo version 1.8.28, which was released this week and will soon be included in many Linux distributions. The team behind Ubuntu has already provided the update to users. In a security note, Canonical explains how Ubuntu users can update the sudo version. The update was also recently released for Arch Linux users.
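To check whether a host matches the two conditions described above (a sudoers rule of the ‘(ALL, !root)’ kind and a sudo version older than 1.8.28), an administrator could run an audit like the following. This is an added example, not code from the sudo project or the original article; the function names and the sample sudoers text are constructed for illustration, and the ‘!#0’ form is included on the assumption that root may also be excluded by numeric id.

```python
import re

FIXED = (1, 8, 28)  # first sudo release with the fix, per the article


def sudo_is_patched(version_output):
    """Parse `sudo -V` output such as 'Sudo version 1.8.27'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", version_output)
    if not m:
        raise ValueError("no version number found")
    return tuple(int(x) for x in m.groups()) >= FIXED


def risky_runas_rules(sudoers_text):
    """Return (line_no, rule) for rules whose Runas list is ALL minus root."""
    findings = []
    for no, line in enumerate(sudoers_text.splitlines(), 1):
        rule = line.strip()
        if not rule or rule.startswith("#"):
            continue  # blank line, comment or #include directive
        for runas in re.findall(r"\(([^)]*)\)", rule):
            # A Runas spec is "users" or "users : groups"; keep the user list.
            users = [u.strip() for u in runas.split(":")[0].split(",")]
            if "ALL" in users and any(u in ("!root", "!#0") for u in users):
                findings.append((no, rule))
                break
    return findings


# Constructed sample, not taken from a real host.
SAMPLE = """\
# constructed sudoers sample
root    ALL = (ALL:ALL) ALL
myhost Bob = (ALL, !root) /usr/bin/vim
alice   ALL = (www-data) /usr/bin/systemctl restart nginx
carol   ALL = (ALL, !#0 : staff) /usr/bin/less
"""

if __name__ == "__main__":
    for no, rule in risky_runas_rules(SAMPLE):
        print(f"line {no}: {rule}")
    print("patched:", sudo_is_patched("Sudo version 1.8.27"))
```

A host is only of concern when both checks fail: the version is below 1.8.28 and at least one rule is reported.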