Linux Sudo bug could allow hackers root access

News by Rene Millman

Security researchers have discovered a bug in Sudo that bypasses privilege restrictions and enables hackers to execute commands as root on a Linux system.

Security researchers have discovered a bug in Sudo that enables hackers to execute commands as root on a Linux system even when the sudoers configuration explicitly disallows root access.
Sudo is a powerful utility that is installed on virtually every Unix and Linux system; it enables certain users or groups to execute commands in the context of any other user – including as root – without having to log in as a different user.
Exploiting the vulnerability requires the user to have Sudo privileges that allow them to run commands with an arbitrary user ID, except root. This vulnerability has been assigned CVE-2019-14287 in the Common Vulnerabilities and Exposures database.
According to a security advisory by Red Hat, the flaw enables a user to run a command as root by specifying the target user using the numeric ID of -1. Only the specified command can be run; the flaw does not allow the user to run commands other than those specified in the sudoers configuration.
The vulnerability was discovered by Joe Vennix of Apple Information Security. According to another alert, it is possible to run commands as root by specifying the user ID -1 or 4294967295.
"This can be used by a user with sufficient sudo privileges to run commands as root even if the Runas specification explicitly disallows root access as long as the ALL keyword is listed first in the Runas specification," said the alert.
"Log entries for commands run this way will list the target user as 4294967295 instead of root. In addition, PAM session modules will not be run for the command."
Exploiting the bug requires that the user have sudo privileges that allow them to run commands with an arbitrary user ID. Typically, this means that the user's sudoers entry has the special value ALL in the Runas specifier.
The Red Hat advisory said that to ensure sudoers configuration is not affected by this vulnerability, "we recommend examining each sudoers entry that includes the `!` character in the runas specification, to ensure that the root user is not among the exclusions. These can be found in the /etc/sudoers file or files under /etc/sudoers.d."
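One way to run the check Red Hat recommends, as an added example that is not from the article, Red Hat or the sudo project: the Python script below flags Runas user lists that combine ALL with a `!` exclusion, including ones hidden behind a Runas_Alias. The sample sudoers text and all function names are constructed for illustration.

```python
import re
# Constructed sample sudoers text for this example (not from the article).
SAMPLE = r"""
# constructed sample
Runas_Alias NOTROOT = ALL, !root
alice  ALL = (ALL, !root) /usr/bin/vi
bob    ALL = (ALL : ALL) ALL
carol  ALL = (operator) /usr/bin/id
dave   ALL = (ALL, \
              !#0) NOPASSWD: /usr/bin/systemctl
erin   ALL = (NOTROOT) /usr/bin/less
"""

def logical_lines(text):
    """Yield (line_no, text) with continuations joined and comments removed."""
    buf, start = "", 0
    for no, raw in enumerate(text.splitlines(), 1):
        start = start or no
        buf += raw.rstrip()
        if buf.endswith("\\"):
            buf = buf[:-1] + " "
            continue
        # '#' followed by digits is a user ID in sudoers, not a comment
        line = re.sub(r"#(?!\d).*", "", buf).strip()
        if line:
            yield start, line
        buf, start = "", 0

def negated_all(user_list):
    """True when a Runas user list contains ALL together with a '!' exclusion."""
    items = [i.strip() for i in user_list.split(",")]
    return "ALL" in items and any(i.startswith("!") for i in items)

def audit(text):
    """Return [(line_no, runas_list)] for entries that need manual review."""
    findings, risky_aliases = [], set()
    for no, line in logical_lines(text):
        alias = re.match(r"Runas_Alias\s+(\w+)\s*=\s*(.*)", line)
        if alias:
            if negated_all(alias.group(2)):
                risky_aliases.add(alias.group(1))
                findings.append((no, alias.group(2).strip()))
            continue
        for spec in re.findall(r"\(([^)]*)\)", line):
            users = spec.split(":")[0]  # ignore the Runas group part
            names = {u.strip() for u in users.split(",")}
            if negated_all(users) or names & risky_aliases:
                findings.append((no, " ".join(users.split())))
    return findings
```

To audit a host, pass the contents of /etc/sudoers and of each file under /etc/sudoers.d to `audit()`; include directives are not followed, so each file has to be read separately.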
Sudo patched the vulnerability with the release of version 1.8.28.
"Fortunately, this vulnerability ended up getting overblown," Paul Ducklin, senior technologist at Sophos, told SC Media UK. 
"Because the configuration settings needed to make it exploitable were unlikely to be seen in any well-managed network. Simply put, you would have to authorise a user to impersonate ALL accounts on the system - except for one or more specifically named accounts, including root. 
"That's a pretty insecure way to grant limited powers in the first place, and no one I know does it that way. Having said that, the 'teachable moment' here is the reminder that complexity is the enemy of security. This bug wasn't a hole in the underlying principle and mechanism of 'user switching' in Linux - it was a flaw in sudo's processing of its complex configuration files. Indeed, the complexity of sudo - which has far more features than most users need or will ever use - is why the security-conscious OpenBSD team replaced it some years ago with a simpler, safer utility called 'doas' that is much harder to configure wrongly. Nevertheless, if you're on Linux, get the sudo patch. Because you can," he said.
