By: Daniel Elkabes, Lead Security Researcher
Over the past few days, news of CVE-2019-14287 — a newly discovered open source vulnerability in Sudo, Linux’s popular command tool has been grabbing quite a few headlines. Since vulnerabilities in widespread and established open source projects can often cause a stir, we decided to present you with a quick cheat sheet to let you know exactly what the fuss is about.
Here is everything you need to know about the Sudo vulnerability, how it works, and how to handle the vulnerable Sudo component, if you find that you are currently at risk.
Let’s start with the basics. Sudo is a program dedicated to the Linux operating system, or any other Unix-like operating system, and is used to delegate privileges. For example, it can be used by a local user who wants to run commands as root — the windows equivalent of admin user.
On October 14, the Sudo team published a security alert about CVE-2019-14287, a new security issue discovered by Joe Vennix of Apple Information Security, in all Sudo versions prior to version 1.8.28. The security flaw could enable a malicious user to execute arbitrary commands as root user even in cases where the root access is disallowed.
Considering how widespread Sudo usage is among Linux users, it’s no surprise that everybody’s talking about the security vulnerability.
That’s the scary version, and when we think about how powerful and popular Sudo is, CVE-2019-14287 should not be ignored. That said, it’s also important to note that the vulnerability is relevant in a specific configuration in the Sudo security policy, called “sudoers”, which helps ensure that privileges are limited only to specific users.
The issue occurs when a sysadmin inserts an entry into the sudoers file, for example:
jacob myhost = (ALL, !root) /usr/bin/chmod
This entry means that user jacob is allowed to run “chmod” as any user except the root user, meaning a security policy is in place in order to limit access — sounds good, right?
Unfortunately, Joe Vennix from Apple Information Security found that the function fails to parse all values correctly and when giving the parameter user id “-1” or its unsigned number “4294967295”, the command will run as root, bypassing the security policy entry we set in the example above.
In the example below, when we run the “-1” user ID, we get the id number “0” which is the root user value:
And now for some good news: the Sudo team has already released a secure version, so If you are using this particular security configuration, make sure to update to version 1.8.28 or over. In addition, as you can see, the Sudo vulnerability only occurs in a very specific configuration.
As is often the case when newly disclosed security vulnerabilities in popular open source projects make a splash, there’s no need to panic. While Sudo is an extremely popular and widely used project, the vulnerability is only relevant in a specific scenario, and it has already been fixed in the updated version.
Our best advice is to keep calm, and make sure you update your open source software components.