Critical vulnerability in Linux sudo command lets anybody be root

A recently published report has alarmed Linux users. Vulnerability testing specialists have disclosed a new security flaw in Sudo, one of the most common and important utilities, which is installed as a core command on almost every Linux and UNIX-based deployment.

“This security flaw is a security policy bypass in Sudo which, if exploited, would allow a threat actor or malicious program to execute arbitrary commands as root on the compromised system, even if the settings explicitly prohibit root access,” the experts mention.

It should be remembered that Sudo (superuser do) is a system command that allows users to run applications or commands with the privileges of another user without changing environments. According to vulnerability testing experts, it is most commonly used to execute commands as the root user.

In most Linux distributions, the ALL keyword in the RunAs specification of the /etc/sudoers file allows any user in the admin or sudo group to execute any command as any valid user on the system. This is the default setting.

Thanks to privilege separation (a fundamental security feature of Linux), an administrator can configure the sudoers file to establish which users can execute certain commands. This vulnerability means that such a user could execute the specific command as the root user, which would grant full control of the environment.

Tracked as CVE-2019-14287, this vulnerability was discovered by vulnerability testing expert Joe Vennix. In his report, he notes that this is a flaw of significant severity, since the sudo utility is designed to let users execute commands with their own login credentials, without administrators having to provide them with a password.

Source: Joe Vennix

In addition, the expert adds that the vulnerability can be exploited by a hacker to execute remote commands as the root user by simply specifying the user ID -1 or 4294967295. “The function that converts the ID to a username incorrectly treats the user IDs -1 and 4294967295 (its unsigned equivalent) as zero, which is always the root user ID,” adds the expert.

Given its characteristics, the flaw cannot affect a large number of users; nevertheless, specialists from the International Institute of Cyber Security (IICS) recommend upgrading the sudo package to the latest available version to mitigate any risk of exploitation.
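As an added defender-side check, not part of the original report or of the sudo project, the following Python flags the two things the article describes: a sudoers RunAs rule that denies root only by exclusion (the pattern the bypass defeats) and sudo log entries that request the -1 / 4294967295 target. The sudo log format (a numeric target with no account logged as USER=#-1), the fixed release number 1.8.28, and the sample files are assumptions constructed for the example.

```python
import re

FIXED_VERSION = (1, 8, 28)  # assumed: first sudo release carrying the CVE-2019-14287 fix

# RunAs specification of the form "(ALL, !root)": the target user is restricted
# only by a negated "root" entry, which is exactly the pattern the bypass defeats.
RUNAS_RE = re.compile(r"\(\s*ALL\s*,\s*!\s*root\s*\)")

# Assumed auth-log format: sudo records the requested target as USER=...; a numeric
# target with no matching account shows up as "#<uid>", e.g. USER=#-1.
LOG_RE = re.compile(r"USER=#(-1|4294967295)\b")

def parse_version(text):
    """Turn 'Sudo version 1.8.27p1' (or a bare '1.8.28') into a comparable tuple."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if m is None:
        raise ValueError("no version number in %r" % text)
    return tuple(int(x) for x in m.groups())

def is_vulnerable_version(version_text):
    """True when the installed sudo predates the fixed release."""
    return parse_version(version_text) < FIXED_VERSION

def risky_sudoers_lines(sudoers_text):
    """Return (line number, rule) for every rule that relies on '!root' to deny root."""
    hits = []
    for n, line in enumerate(sudoers_text.splitlines(), 1):
        if line.lstrip().startswith("#"):  # comment, #include, #includedir
            continue
        if RUNAS_RE.search(line):
            hits.append((n, line.strip()))
    return hits

def suspicious_log_lines(log_text):
    """Return sudo log lines where the caller asked to run as uid -1 / 4294967295."""
    return [line for line in log_text.splitlines() if LOG_RE.search(line)]

# Constructed sample data (not real system files).
SAMPLE_SUDOERS = """\
root   ALL=(ALL:ALL) ALL
alice  ALL=(ALL, !root) /usr/bin/vi     # weak: blocks root only by exclusion
bob    ALL=(www-data) /usr/bin/vi       # corrected: name the intended target user
"""
SAMPLE_LOG = """\
Oct 14 10:00:01 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=#-1 ; COMMAND=/usr/bin/vi
Oct 14 10:01:12 host sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=www-data ; COMMAND=/usr/bin/vi
"""
```

On a real host, feed `sudo --version` output to is_vulnerable_version and the contents of /etc/sudoers (plus /etc/sudoers.d) and /var/log/auth.log to the other two functions.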