Sudo is a powerful and popular command-line tool that is installed on nearly every UNIX-like and Linux-based operating system. The open source tool lets system administrators set security policies that allow certain users to execute commands as the superuser (root user) or another user. The system access rights are configured in a file called sudoers. Affected versions of this utility allow a user to circumvent the Sudo policy restrictions and execute arbitrary commands as the root user, even in situations when root access is not permitted.
The CVE-2019-14287 vulnerability occurs when the sudoers configuration entry permits a user or a program to run a command as any other user, except the root. Here is a sudoers entry example: certainuser myhost = (ALL, !root) /usr/bin/resources The above specification implies that the user called “certainuser” can execute the “resources” command as any other user, excluding the root. The exclamation mark (!) is what denotes the exclusion. Apart from referring to the “root” user by name, they may also be identified using other methods, such as by user id: certainuser myhost = (ALL, !#0) /usr/bin/resources While the above entry implies that a security policy has been established to limit access, a malicious user could bypass that restriction. If an attacker specifies the target user using a numeric id of -1, or its unsigned equivalent 4294967295, the function will fail to parse all the values properly. In such a case, it would treat the user id like 0, which denotes the id of the root user. This would allow the attacker to run the command with root privileges, circumventing the set security policy.
Sudo versions before 1.8.28
Assess every sudoers configuration entry that has the exclamation mark (!) and ensure that the root user is not among those excluded. You can get them in files under /etc/sudoers.d or in the /etc/sudoers file.
Update to Sudo version 1.8.28 or higher