Sudo Bug Opens Root Access on Linux Systems

A vulnerability in the Linux sudo command has been discovered that could allow unprivileged users to execute commands as root. Thankfully, this vulnerability only works in non-standard configurations and most Linux servers are unaffected.

Before we get to the vulnerability it is important to have some background information on how the sudo command works and how it can be configured.

When executing commands on a Linux operating system, unprivileged users can use the sudo (super user do) command to execute commands as root as long as they have been given permission or know the root user's password.

The sudo command can also be configured to allow a user to run commands as another user by adding special directives to the /etc/sudoers configuration file.

The sudo vulnerability

The bug (CVE-2019-14287) allows attackers to circumvent the built-in sudoers option that blocks root access for specified users.

Red Hat, which rated the flaw with a 7.8 severity score out of 10 on the CVSS scale, explained in a posting Monday that "a flaw was found in the way Sudo implemented running commands with arbitrary user ID. If a Sudoers entry is written to allow the attacker to run a command as any user except root, this flaw can be used by the attacker to bypass that restriction."

The vulnerability, which was discovered by Joe Vennix of Apple Information Security, can be exploited by merely specifying the user ID of the person executing commands to be "-1" or "4294967295." Thanks to the bug, both of these user IDs automatically resolve to the value "0", which is the user ID for root access. Since Sudo doesn't require a password to run commands in the context of another user, the difficulty of exploitation is low, according to Red Hat.

Linux distributions that contain the "ALL" keyword in the RunAs specification in the /etc/sudoers configuration file are affected. The ALL keyword allows all users in a specific group to run any command as any valid user on the system and is usually present in default configurations of Linux, according to Red Hat.

"This can be used by a user with sufficient Sudo privileges to run commands as root even if the Runas specification explicitly disallows root access as long as the ALL keyword is listed first in the Runas specification," according to the Sudo project, in a posting on Monday.

Sudo patched the vulnerability with the release of version 1.8.28, which Linux distributions will now need to roll out to their users.
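
One way to check a host for the configuration described above, as an added example that is not code from the article or the Sudo project: it flags sudoers rules whose Runas user list names ALL and then excludes root, and reports them only when the sudo version predates 1.8.28. The sudoers lines are constructed samples, the function names are hypothetical, treating `!#0` as an equivalent root exclusion is an assumption of this example, and Runas_Alias expansion is not handled.

```python
import re

FIXED = (1, 8, 28)                   # first fixed release named in the article
ROOT_EXCLUSIONS = {"!root", "!#0"}   # '!#0' form is an assumption of this example

SAMPLE_SUDOERS = """\
# constructed sample, not taken from a real host
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
bob     myhost = (ALL, !root) /usr/bin/vi
alice   ALL=(www-data) /usr/bin/systemctl restart nginx
carol   ALL=(ALL,!#0 : ALL) NOPASSWD: /usr/bin/id
"""

def parse_version(text):
    """Return (major, minor, patch) from e.g. 'Sudo version 1.8.21p2'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no sudo version in {text!r}")
    return tuple(int(part) for part in m.groups())

def root_excluded_after_all(rule):
    """True if a Runas user list names ALL and later excludes root."""
    for spec in re.findall(r"\(([^)]*)\)", rule.partition("=")[2]):
        users = [u.strip() for u in spec.split(":", 1)[0].split(",")]
        if "ALL" in users and ROOT_EXCLUSIONS & set(users[users.index("ALL") + 1:]):
            return True
    return False

def audit(sudoers_text):
    """Line numbers of rules whose root exclusion the bug would bypass."""
    hits = []
    for number, line in enumerate(sudoers_text.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith("#") and not re.match(r"#\d", stripped):
            continue  # comment or #include, not a '#uid' user spec
        if root_excluded_after_all(stripped):
            hits.append(number)
    return hits

def exposed_rules(version_text, sudoers_text):
    """Flagged rule lines if the version predates the fix, else []."""
    if parse_version(version_text) >= FIXED:
        return []
    return audit(sudoers_text)

if __name__ == "__main__":
    print(exposed_rules("Sudo version 1.8.27", SAMPLE_SUDOERS))
```

Feed it the first line of `sudo -V` and the contents of /etc/sudoers and /etc/sudoers.d. A distribution package may carry the fix under an older version number, so confirm a hit against the vendor advisory.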

You can also update sudo with these commands:
# sudo apt update
# sudo apt upgrade