Skip to main content

Major security flaw left all Linux devices at risk

(Image credit: Shutterstock.com / Nicescene)

A major security vulnerability has been discovered in the Linux operating system that could have left millions of devices at risk.

The flaw concerned a tweak to the Sudo utility which could allow any user to run commands as root. Ordinarily, in order to execute a Sudo (super user do) command, a user would either have to have been granted the relevant permissions, or would need to know the password for root. But in some – admittedly non-standard – configurations it is possible for users without these rights or knowledge to execute potentially dangerous commands as root.

While the consequences of this could be catastrophic, the good news is that the problem doesn't affect most Linux users.

Although clearly an issue, in order to be vulnerable to this Sudo flaw, a system would have to be set up in a way that allows users to execute commands as any user other than root. While this scenario would imply that executing commands as root was explicitly forbidden, the flaw – which has been assigned CVE-2019-14287 – is such that it is incredibly easy to bypass the restriction.

What you should do

Exploiting the vulnerability is a simple matter of opting to run a command as user -1 or 4294967295. The addition of the parameters -u#-1 or -u#4294967295 to the Sudo command is all it takes to gain the extra privileges of root.

As explained on sudo.ws: "This can be used by a user with sufficient sudo privileges to run commands as root even if the Runas specification explicitly disallows root access as long as the ALL keyword is listed first in the Runas specification. Log entries for commands run this way will list the target user as 4294967295 instead of root."

The flaw was discovered by Apple security researcher Joe Vennix, and has been fixed in Sudo 1.8.28. Users are encouraged to ensure that they are updated to this version; popular distributions should include the updated version of the tool in due course.

Via The Hacker News