The team responsible for sudo, a popular Linux command-line tool, published a new security alert under CVE-2019-14287. It has a high CVSS score of 8.8, and Vulcan Cyber’s threat intel has found it to be exploitable. This would result in it posing a high-to-critical risk in most environments.
Suggested remediation measures
In order to remediate this vulnerability, you can deploy the patch provided by the vendor or make sure your sudo version is not prior to 1.8.28. Alternatively, there is a configuration check available:
- This vulnerability only affects configurations of sudo that have a runas user list that includes an exclusion of root. The simplest example is:
|someuser ALL=(ALL, !root) /usr/bin/somecommand|
- The exclusion is specified using an exclamation mark (!). In this example, the “root” user is specified by name. The root user may also be identified in other ways, such as by user id:
someuser ALL=(ALL, !#0) /usr/bin/somecommand
- Or by reference to a runas alias:
Runas_Alias MYGROUP = root, adminuser
someuser ALL=(ALL, !MYGROUP) /usr/bin/somecommand
- To ensure your sudoers configuration is not affected by this vulnerability, we recommend examining each sudoers entry that includes the `!` character in the runas specification, to ensure that the root user is not among the exclusions. These can be found in the /etc/sudoers file or files under /etc/sudoers.d
(from Red Hat)
- Alternatively, you can see if you are affected by running these commands:
- cat /etc/sudoers | grep “(s*ALLs*,s*!roots*)”
- cat /etc/sudoers | grep “(s*ALLs*,s*!#0s*)”
About the vulnerability
The security flaw could enable a malicious user to execute arbitrary commands as root user even in cases where the root access is disallowed. Considering how widespread sudo usage is among Linux users, it’s no surprise that everybody’s talking about the security vulnerability.
If a sudoers entry is written to allow the user to run a command as any user except root, the bug can be used to avoid this restriction. For example, given the following sudoers entry:
|myhost bob = (ALL, !root) /usr/bin/vi|
User bob is allowed to run vi as any user but root. However, due to the bug, bob is actually able to run vi as root by running “sudo-u#-1 vi”, violating the security policy.
Only sudoers entries where the ALL keyword is present in the Runas specifier are affected. For example, the following sudoers entry is unaffected:
|myhost alice = /usr/bin/id|
In this example, alice is only allowed to run the id command as root. Any attempt to run the command as a different user will be denied.