Written by Anthony Carballo
on October 17, 2019

A vulnerability has been identified in Sudo, a program for Unix computer operating systems that allows users to run programs with the security privileges of another user, by default, the superuser.

This vulnerability allows a user to run commands as root even when their Sudo rules do not grant root access, by bypassing the RunAs restriction, so a malicious user or program can execute arbitrary commands with root rights on a targeted Linux system.

The bug requires a system to have a modified configuration. In other words, Linux computers are not vulnerable by default.


TTPs

When Sudo is configured to allow a user to run commands as an arbitrary user via the ALL keyword in a RunAs specification, it is possible to run commands as root by specifying the user ID -1 or 4294967295.

This can be used by a user with sufficient Sudo privileges to run commands as root even if the RunAs specification explicitly disallows root access as long as the ALL keyword is listed first in the RunAs specification.

Log entries for commands run this way will list the target user as 4294967295 instead of root. Also, PAM session modules will not be run for the command.
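To make the configuration pattern and the log artefact described above concrete, here is an added example (not part of the original post): a small Python audit script that flags sudoers entries whose RunAs list starts with ALL and explicitly negates root, and a matcher for sudo log lines whose target user is recorded as 4294967295 or -1. The sudoers and log lines are constructed samples, and the `USER=#<uid>` log format is an assumption.

```python
import re

# Constructed sample sudoers lines (not from the original post).
SAMPLE_SUDOERS = """\
Defaults env_reset
alice  ALL = (ALL, !root) /usr/bin/vi
bob    ALL = (!root, ALL) /usr/bin/less
carol  ALL = (ALL) ALL
dave   ALL = (ALL:ALL) NOPASSWD: /usr/bin/apt
eve    ALL = (www-data) /usr/bin/php
"""

# Constructed sample sudo log lines; the USER=#<uid> layout is assumed.
SAMPLE_LOG = """\
Oct 17 10:01:02 host sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=#4294967295 ; COMMAND=/usr/bin/vi
Oct 17 10:02:11 host sudo: carol : TTY=pts/1 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/bin/id
Oct 17 10:03:45 host sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=#-1 ; COMMAND=/bin/bash
"""

# user  host = (runas_users[:runas_groups]) command...
RUNAS_RE = re.compile(r"^\s*(\S+)\s+\S+\s*=\s*\(([^)]*)\)")


def runas_users(spec):
    # A RunAs spec is "users" or "users:groups"; only the user list matters here.
    return [u.strip() for u in spec.split(":")[0].split(",") if u.strip()]


def vulnerable_entries(sudoers_text):
    """Return (user, runas_users) for entries where ALL is the first RunAs
    user and root is explicitly negated, the pattern the post says can be
    bypassed on Sudo versions before 1.8.28."""
    hits = []
    for line in sudoers_text.splitlines():
        m = RUNAS_RE.match(line)
        if not m:
            continue
        users = runas_users(m.group(2))
        if users and users[0] == "ALL" and "!root" in users:
            hits.append((m.group(1), users))
    return hits


# Target user logged as 4294967295 (or its signed form -1) instead of root.
TARGET_RE = re.compile(r"USER=#?(?:-1|4294967295)\b")


def suspicious_log_lines(log_text):
    """Return sudo log lines whose target user is the telltale uid."""
    return [l for l in log_text.splitlines() if TARGET_RE.search(l)]
```

The audit only covers the `!root` spelling from the post; a negated `#0` in a RunAs list would need an extra check.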


CVEs

This vulnerability is tracked under:

CVE-2019-11184


Vulnerable Versions

Sudo versions before 1.8.28 are affected.


Conclusions

This vulnerability was discovered by Joe Vennix of Apple Information Security. The flaw is more concerning because the Sudo utility is designed to let users use their own login password to execute commands as a different user without requiring that user's password.

What is more interesting is that the flaw can be exploited by an attacker to run commands as root simply by specifying the user ID "-1" or "4294967295". This is because the function that converts a user ID into its username incorrectly treats -1, or its unsigned equivalent 4294967295, as 0, which is always the user ID of the root user.

The vulnerability affects all Sudo versions prior to 1.8.28, the latest release, which fixes it.


Advice

There is no better mitigation than updating: if Sudo is installed on your workstations, update it now to version 1.8.28 or later to ensure that you don't fall prey to this vulnerability.

TTPs: Tactics, techniques and procedures

CVEs: Common Vulnerabilities and Exposures
