Written by Anthony Carballo
on October 17, 2019

A vulnerability has been identified in Sudo, a program for Unix-like operating systems that allows users to run programs with the security privileges of another user, by default the superuser.

This vulnerability allows a user to run commands as root even when they do not hold root privileges: by bypassing the RunAs restriction, a malicious user or program can execute arbitrary commands with root rights on a targeted Linux system.

The bug requires a system to have a modified configuration. In other words, Linux computers are not vulnerable by default.


TTPs

When Sudo is configured to allow a user to run commands as an arbitrary user via the ALL keyword in a RunAs specification, it is possible to run commands as root by specifying the user ID -1 or 4294967295.

This can be used by a user with sufficient Sudo privileges to run commands as root even if the RunAs specification explicitly disallows root access as long as the ALL keyword is listed first in the RunAs specification.

Log entries for commands run this way will list the target user as 4294967295 instead of root. Also, PAM session modules will not be run for the command.
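Two checks a defender can run from the details above, as an added example (not code from the original post): flag sudoers rules whose RunAs list starts with ALL and then excludes users with "!", and flag sudo log entries whose target user is -1 or 4294967295. The sudoers lines and log lines below are constructed samples.

```python
import re

# Constructed sudoers sample: only "bob" and "dave" match the pattern the
# bypass defeats (ALL listed first, followed by a "!" exclusion).
SUDOERS_SAMPLE = """\
# allow bob to edit as anyone except root
bob ALL = (ALL, !root) /usr/bin/vi
alice ALL = (ALL) ALL
carol ALL = (!root, ALL) /usr/bin/less
dave ALL = (ALL, !root : ALL) /bin/cat
"""

RUNAS_RE = re.compile(r"=\s*\(([^)]*)\)")

def vulnerable_runas_rules(sudoers_text):
    """Return rules whose RunAs user list begins with ALL and later excludes
    users with '!', i.e. rules whose exclusion the -1/4294967295 trick
    defeats on Sudo before 1.8.28."""
    hits = []
    for line in sudoers_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RUNAS_RE.search(line)
        if not m:
            continue
        user_part = m.group(1).split(":", 1)[0]       # ignore RunAs group list
        users = [u.strip() for u in user_part.split(",") if u.strip()]
        if users and users[0] == "ALL" and any(u.startswith("!") for u in users[1:]):
            hits.append(line)
    return hits

# Constructed syslog lines in sudo's usual format (not real log data).
LOG_SAMPLE = [
    "Oct 17 09:12:01 web1 sudo: bob : TTY=pts/0 ; PWD=/home/bob ; USER=#4294967295 ; COMMAND=/usr/bin/vi /etc/shadow",
    "Oct 17 09:13:44 web1 sudo: alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update",
    "Oct 17 09:15:09 web1 sudo: bob : TTY=pts/0 ; PWD=/home/bob ; USER=#-1 ; COMMAND=/usr/bin/id",
]

# Target user logged as -1 or 4294967295 instead of root is the advisory's tell.
TARGET_RE = re.compile(r"USER=#?(?:-1|4294967295)\b")

def suspicious_sudo_events(lines):
    """Return log lines whose target user is -1 or 4294967295."""
    return [l for l in lines if TARGET_RE.search(l)]

if __name__ == "__main__":
    for rule in vulnerable_runas_rules(SUDOERS_SAMPLE):
        print("review rule:", rule)
    for event in suspicious_sudo_events(LOG_SAMPLE):
        print("suspicious:", event)
```

Running the sudoers check against /etc/sudoers and /etc/sudoers.d/* identifies which rules actually expose the bypass; the log check works on /var/log/auth.log or /var/log/secure.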


CVEs

This vulnerability is tracked under:

CVE-2019-11184


Vulnerable Versions

Sudo versions before 1.8.28 are affected.


Conclusions

This vulnerability was discovered by Joe Vennix at Apple Information Security. The flaw is more concerning because the Sudo utility is designed to let users use their own login password to execute commands as a different user without requiring the other user's password.

What's more interesting is that this flaw can be exploited by an attacker to run commands as root just by specifying the user ID "-1" or "4294967295". That's because the function which converts a user ID into its username incorrectly treats -1, or its unsigned equivalent 4294967295, like 0, which is always the user ID of the root user.

The vulnerability affects all Sudo versions prior to 1.8.28, which has now been released.


Advice

There is no better mitigation than updating: if you currently have Sudo installed on your workstations, update it now to ensure that you don't fall prey to this vulnerability.

TTPs: Tactics, techniques and procedures

CVEs: Common Vulnerabilities and Exposures
