Linux: Bug in sudo allows forbidden commands as root

Older versions of the Linux sudo command contain an implementation bug that allows commands to be executed as root even when this is not permitted for the user. An update that fixes the bug is now available.


What is sudo?

The name is an abbreviation of su 'do', i.e. 'super user, go ahead'. Prefixing a command with sudo executes it with the permissions of the root user. Switches also let you permanently assume the permissions of another user. The effect is comparable to Run as under Windows. Wikipedia has some additional information.

Sudo vulnerability CVE-2019-14287

The vulnerability CVE-2019-14287 is documented on sudo.ws in this article. The problem: If sudo is configured in a way that a user can execute commands as ‘any user’ using the ALL keyword in a Runas specification, it is possible to execute commands as root by specifying the user ID -1 or 4294967295.

Normally, running commands as root is exactly what sudo is for. But there are environments where policy restrictions prohibit this for individual users. Such a user with sufficient privileges can still use sudo to execute commands as root, even if the Runas specification explicitly prohibits root access. For this to work, the ALL keyword must first be listed in the Runas specification.

Log entries for commands executed this way list the target user as 4294967295 instead of root. In addition, the command does not run PAM session modules. All sudo versions before 1.8.28 are affected by this bug. It has been fixed in sudo version 1.8.28.
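The three checks a defender can derive from the description above (affected version, a Runas list that combines ALL with an excluded root, and log entries naming the odd target user), as an added Python example that is not from the original article or the sudo project. The syslog line layout, the function names and the sample sudoers and log lines are assumptions constructed for illustration.

```python
import re

# Target-user values the article ties to CVE-2019-14287.
SUSPECT_IDS = {"-1", "4294967295"}
FIXED = (1, 8, 28)  # first fixed release, per the article
# Assumed syslog layout: "sudo: <user> : ... ; USER=<target> ; COMMAND=<cmd>"
LOG_RE = re.compile(r"sudo:\s+(\S+)\s+:.*?USER=#?(-?\w+)\s*;\s*COMMAND=(.*)")
# sudoers rule with a Runas list: "<who> <host> = (<runas>) <commands>"
RULE_RE = re.compile(r"^\s*\S+\s+\S+\s*=\s*\(([^)]*)\)")

def is_affected(version):
    """True for sudo versions before 1.8.28, e.g. '1.8.27' or '1.8.21p2'."""
    nums = tuple(int(n) for n in re.findall(r"\d+", version.split("p")[0])[:3])
    return nums < FIXED

def risky_rules(sudoers_text):
    """Rules whose Runas user list combines ALL with an excluded root."""
    hits = []
    for line in sudoers_text.splitlines():
        m = RULE_RE.match(line)
        if line.lstrip().startswith("#") or not m:
            continue
        users = [u.strip() for u in m.group(1).split(":")[0].split(",")]
        if "ALL" in users and ("!root" in users or "!#0" in users):
            hits.append(line.strip())
    return hits

def suspicious_log_lines(log_text):
    """(invoking user, logged target, command) for entries with a suspect target."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and m.group(2) in SUSPECT_IDS:
            hits.append((m.group(1), m.group(2), m.group(3).strip()))
    return hits

# Constructed sample input (not taken from a real system).
SAMPLE_SUDOERS = """\
alice  ALL = (ALL) ALL
bob    myhost = (ALL, !root) /usr/bin/vi
carol  ALL = (www-data) /usr/bin/systemctl
"""
SAMPLE_LOG = """\
Oct 15 09:01:11 myhost sudo:  alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
Oct 15 09:04:37 myhost sudo:    bob : TTY=pts/1 ; PWD=/home/bob ; USER=#4294967295 ; COMMAND=/usr/bin/vi
Oct 15 09:05:02 myhost sudo:    bob : TTY=pts/1 ; PWD=/home/bob ; USER=#-1 ; COMMAND=/usr/bin/vi
"""

if __name__ == "__main__":
    print(is_affected("1.8.27"), risky_rules(SAMPLE_SUDOERS), suspicious_log_lines(SAMPLE_LOG))
```

On a real host, feed it the output of `sudo -V`, the contents of the sudoers files and the auth log; the log pattern may need adjusting to the local syslog format.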

Joe Vennix of Apple Information Security found and analyzed the bug. An article on The Hacker News provides some additional explanations.



1 Response to Linux: Bug in sudo allows forbidden commands as root

  1. Brian says:

    CVE-2019-14287 is the correct ID, you truncated.
