New Sudo Vulnerability Could Allow Attackers to Obtain Full Root Privileges

Sudo vulnerability

This post was published over 1 year ago. Please keep in mind that the information may be outdated.

The Debian Project published today a new security bulletin to inform users about a Sudo vulnerability that affects the Debian GNU/Linux 9 “Stretch” operating system series.

It would appear that there’s a vulnerability (CVE-2019-18634) in the Sudo package, a program that allows users to run programs in a UNIX system with the security privileges of another user, which could allow an unprivileged user to obtain full root privileges.

The vulnerability affects Sudo versions prior to version 1.8.26, from 1.7.1 to 1.8.25p1, but only if the pwfeedback option was set in the /etc/sudoers file by the system administrator. This could allow users to trigger a stack-based buffer overflow in the privileged sudo process.

“Joe Vennix discovered a stack-based buffer overflow vulnerability in sudo, a program designed to provide limited super user privileges to specific users, triggerable when configured with the “pwfeedback” option enabled. An unprivileged user can take advantage of this flaw to obtain full root privileges,” reads Debian DSA 4614-1.

It would appear that the pwfeedback option is enabled by default in the elementary OS and Linux Mint operating systems, but it is not enabled by default upstream. Debian GNU/Linux 9 “Stretch” systems are also affected and users are urged to update their installations as soon as possible to Sudo 1.8.19p1-2.1+deb9u2. Patches should be available shortly for other affected distributions, so make sure you update as soon as they’re available.

“Because the attacker has complete control of the data used to overflow the buffer, there is a high likelihood of exploitability.”

On the other hand, users running Debian GNU/Linux 10 “Buster” are not affected by this vulnerability due to a change in EOF handling. Also, please keep in mind that if pwfeedback is not enabled in your system, you are NOT affected by this flaw. More details can be found here.

Update 03/02/20: Patches are now available for all supported Ubuntu Linux systems. Users are urged to update the sudo and sudo-ldap packages to versions 1.8.27-1ubuntu4.1 on Ubuntu 19.10, 1.8.21p2-3ubuntu1.2 on Ubuntu 18.04 LTS, and 1.8.16-0ubuntu1.9 on Ubuntu 16.04 LTS.

Patches are also available for elementary OS and Linux Mint, so update as soon as possible.

Update 19/02/20: Patches are now available for all supported Red Hat Enterprise Linux 7 systems, as well as CentOS Linux 7. More details here.

Last updated 1 year ago