A vulnerability in Sudo, a core command utility for Linux, could allow a user to execute commands as a root user even if that root access has been specifically disallowed.
Sudo is a utility that allows a system administrator to give certain users (or groups of users) the ability to run commands in the context of any other user – including as root – without having to log in with a different profile. Sudo also logs all commands and arguments in a centralized audit trail system, so admins know which user performed which command and in which context. Admins can also specifically disallow root access for certain users, as a security policy. So, for instance, user Alice might have the ability to oversee the files and work of her department, but she doesn’t have superuser privileges.
The bug (CVE-2019-14287) allows attackers to circumvent this built-in security option to block root access for specified users.
Red Hat, which rated the flaw with a 7.8 severity score out of 10 on the CVSS scale, explained in a posting Monday that “a flaw was found in the way Sudo implemented running commands with arbitrary user ID. If a Sudoers entry is written to allow the attacker to run a command as any user except root, this flaw can be used by the attacker to bypass that restriction.”
The vulnerability, which was discovered by Joe Vennix of Apple Information Security, can be exploited by merely specifying the user ID of the person executing commands to be “-1” or “4294967295.” Thanks to the bug, both of these user IDs automatically resolve to the value “0”, which is the user ID for root access. Since Sudo doesn’t require a password to run commands in the context of another user, the exploitation level of difficulty is low, according to Red Hat.
Linux distributions that contain the “ALL” keyword in the RunAs specification in the /etc/sudoers configuration file are affected. The ALL keyword allows all users in a specific group to run any command as any valid user on the system and is usually present in default configurations of Linux, according to Red Hat.
“This can be used by a user with sufficient Sudo privileges to run commands as root even if the Runas specification explicitly disallows root access as long as the ALL keyword is listed first in the Runas specification,” according to the Sudo project, in a posting on Monday.
Sudo patched the vulnerability with the release of version 1.8.28, which Linux distributions will now need to roll out to their users.
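As an added example (not from the article, Red Hat or the Sudo project), the following Python audit flags sudoers rules that match the pattern described above (the ALL keyword listed first in the Runas list, followed by a negation of root) and compares a reported Sudo version against the 1.8.28 fix. The sudoers lines are constructed for the demo, and the rule parser handles only the simple one-line `user host = (runas) command` form.

```python
import re

FIXED_VERSION = (1, 8, 28)  # first Sudo release carrying the CVE-2019-14287 fix

# Constructed sudoers-style rules for this demo; not taken from any real host.
SAMPLE_SUDOERS = """
# alice may edit files as any user except root: the pattern the article describes
alice   myhost = (ALL, !root) /usr/bin/vi
bob     ALL = (ALL) ALL
carol   ALL = (www-data) /usr/bin/systemctl restart nginx
dave    ALL = (ALL:ALL) NOPASSWD: ALL
erin    ALL = (ALL, !root, !#0) /bin/ls
frank   ALL = (!root, ALL) /bin/ls
"""

# Rule shape handled here: user  host = (runas_users[:runas_groups]) commands
RULE_RE = re.compile(r"^\s*(\S+)\s+(\S+)\s*=\s*\(([^)]*)\)\s*(.*)$")
# First line of `sudo --version` reads "Sudo version 1.8.27"
VERSION_RE = re.compile(r"Sudo version (\d+(?:\.\d+)*)")


def runas_allows_bypass(runas_spec):
    """True if the Runas user list starts with ALL and then negates root."""
    # Only the user part matters; the optional group list after ':' is ignored.
    users = [u.strip() for u in runas_spec.split(":")[0].split(",") if u.strip()]
    if not users or users[0] != "ALL":
        return False  # ALL must be listed first for the bypass to apply
    negated = {u[1:].strip() for u in users[1:] if u.startswith("!")}
    return bool(negated & {"root", "#0"})

def find_bypassable_rules(sudoers_text):
    """Return the users whose rules match the vulnerable Runas pattern."""
    findings = []
    for line in sudoers_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # skip blanks and comments
        m = RULE_RE.match(line)
        if m and runas_allows_bypass(m.group(3)):
            findings.append(m.group(1))
    return findings

def version_from_banner(banner):
    """Extract the dotted version from `sudo --version` output (None if absent)."""
    m = VERSION_RE.search(banner)
    return m.group(1) if m else None

def is_vulnerable_version(version):
    """Compare a dotted version string against the 1.8.28 fix release."""
    return tuple(int(p) for p in version.split(".")) < FIXED_VERSION
```

Running the audit on the sample flags alice and erin (ALL first, root negated) but not frank, whose Runas list does not start with ALL.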