A vulnerability has been identified in Sudo, a program for Unix-like operating systems that lets users run programs with the privileges of another user, by default the superuser.
Under a specific sudoers configuration, the bug lets a user who is permitted to run commands as other users, but explicitly not as root, bypass that restriction and execute arbitrary commands with root privileges on the affected Linux system.
Exploitation requires a non-default sudoers configuration; a stock Linux install is not vulnerable.
When Sudo is configured to allow a user to run commands as an arbitrary user via the ALL keyword in a RunAs specification, it is possible to run commands as root by specifying the user ID -1 or 4294967295.
This can be used by a user with sufficient Sudo privileges to run commands as root even if the RunAs specification explicitly disallows root access as long as the ALL keyword is listed first in the RunAs specification.
Log entries for commands run this way will list the target user as 4294967295 instead of root. Also, PAM session modules will not be run for the command.
This vulnerability is tracked under:
Sudo versions before 1.8.28 are affected.
The flaw was discovered by Joe Vennix of Apple Information Security. It is particularly concerning because Sudo is designed to let users run commands as another user with their own login password, without needing that user's password, so bypassing the RunAs restriction requires no additional credentials.
The bypass itself is simple: the attacker asks Sudo to run the command as user ID "-1" or "4294967295" (the same value read as an unsigned 32-bit integer). Neither id exists in the password database, so the sudoers check against !root does not match it, and Sudo then hands the id to the setresuid(2)/setreuid(2) family of system calls, which treat a uid of -1 as "leave this id unchanged". Sudo is already running as root at that point, so the command runs as uid 0. The same missing password entry is why log entries show 4294967295 as the target user and PAM session modules are not run.
All Sudo versions before 1.8.28 are affected; 1.8.28 contains the fix.
The only real mitigation is to update: if Sudo is installed on your hosts, upgrade it now. In the meantime, sudoers entries of the form (ALL, !root) can be rewritten to enumerate the permitted target users explicitly, since the bypass depends on the ALL keyword appearing first in the RunAs specification.
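The two checks a practitioner wants after reading the configuration description and the version note above are an audit of sudoers for the bypassable RunAs shape and a comparison of the installed Sudo version against 1.8.28. The script below is an added example, not code from the original article or from the sudo project. The sudoers content in it is constructed for an offline run; the audit is a plain grep that does not expand Runas_Alias definitions or follow @include directives, and the version check reads the first line of "sudo -V". For reference, the ids the advisory mentions are passed through sudo's documented numeric form of the -u option, i.e. -u#-1 or -u#4294967295.

```shell
#!/bin/sh
# Added example (not from the original article or the sudo project):
#  1. count and list sudoers lines whose RunAs spec is "(ALL, !root)"-shaped,
#     the configuration the advisory says is bypassable with uid -1/4294967295;
#  2. decide whether a sudo version string is 1.8.28 or newer.
# A real audit would read /etc/sudoers and /etc/sudoers.d/* (after "visudo -c");
# this grep does not expand Runas_Alias or follow @include.

WEAK_SUDOERS='
# constructed sample, not a real host configuration
root    ALL=(ALL:ALL) ALL
# weak: ALL listed first, root excluded afterwards
alice   ALL=(ALL, !root) /usr/bin/vim
# weak: same shape, different spacing
bob     ALL = (ALL,!root) /bin/ls
# not the vulnerable shape: RunAs names one user, no ALL keyword
carol   ALL=(www-data) /usr/bin/systemctl
# not the vulnerable shape: plain ALL grants root outright, nothing to bypass
dave    ALL=(ALL) ALL
'

HARDENED_SUDOERS='
# constructed sample: permitted target users enumerated, no ALL keyword
Runas_Alias WEB = www-data, backup
alice   ALL=(WEB) /usr/bin/vim
bob     ALL=(www-data) /bin/ls
'

# Print the number of non-comment lines whose RunAs spec opens with ALL and
# then excludes a user with "!" (matches "(ALL, !root)", "(ALL,!root)", ...).
count_weak_runas() {
    printf '%s\n' "$1" \
        | grep -v '^[[:space:]]*#' \
        | grep -Ec '\([[:space:]]*ALL[[:space:]]*,[[:space:]]*!' || true
}

# Print the offending lines themselves for a human to review.
show_weak_runas() {
    printf '%s\n' "$1" \
        | grep -v '^[[:space:]]*#' \
        | grep -E '\([[:space:]]*ALL[[:space:]]*,[[:space:]]*!' || true
}

# Exit 0 when the version string is 1.8.28 or newer, 1 otherwise.
# Fields are compared numerically; a patch suffix such as "1.8.28p1" is read
# as 1.8.28 because awk converts "28p1" by its leading digits.
sudo_version_is_fixed() {
    awk -v v="$1" 'BEGIN {
        split(v, f, ".")
        want[1] = 1; want[2] = 8; want[3] = 28
        for (i = 1; i <= 3; i++) {
            n = f[i] + 0
            if (n > want[i]) exit 0
            if (n < want[i]) exit 1
        }
        exit 0
    }'
}

# Demo run: audit the embedded samples, then the local sudo binary if present.
echo "weak RunAs specs in constructed sample: $(count_weak_runas "$WEAK_SUDOERS")"
show_weak_runas "$WEAK_SUDOERS"
echo "weak RunAs specs in hardened sample: $(count_weak_runas "$HARDENED_SUDOERS")"

if command -v sudo >/dev/null 2>&1; then
    ver=$(sudo -V 2>/dev/null | awk 'NR == 1 { print $3 }')   # "Sudo version X.Y.Z"
    if [ -n "$ver" ] && sudo_version_is_fixed "$ver"; then
        echo "installed sudo $ver: fixed (1.8.28 or newer)"
    elif [ -n "$ver" ]; then
        echo "installed sudo $ver: affected, upgrade"
    fi
fi
```

Two lines of the weak sample are reported and none of the hardened one; the version helper accepts 1.8.28, 1.8.28p1 and anything newer and rejects 1.8.27 and below. Treat a hit from the audit as a reason to rewrite the rule with named target users until the package is upgraded, not as a substitute for the upgrade.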