sudo flaw allows any users to run commands as Root on Linux

Experts discovered a security policy bypass issue in the Sudo utility that is installed as a command on almost every Linux and Unix system.

The Sudo utility that is installed as a command on almost every Linux and Unix system is affected by a security policy bypass issue tracked as CVE-2019-14287.

The vulnerability could be exploited by an ill-intentioned user or a malicious program to execute arbitrary commands as root on a targeted Linux system, even if the “sudoers configuration” disallows the root access.

sudo is a program for Unix-like computer operating systems that allows users to run programs with the security privileges of another user, by default the superuser. It originally stood for “superuser do” as the older versions of sudo were designed to run commands only as the superuser.

“When sudo is configured to allow a user to run commands as an arbitrary user via the ALL keyword in a Runas specification, it is possible to run commands as root by specifying the user ID -1 or 4294967295.” reads the security advisory.

“This can be used by a user with sufficient sudo privileges to run commands as root even if the Runas specification explicitly disallows root access as long as the ALL keyword is listed first in the Runas specification.

Log entries for commands run this way will list the target user as 4294967295 instead of root. In addition, PAM session modules will not be run for the command.”

Unlike the su command, users must, by default, supply their password for authentication, rather than the password of the target user. Once authenticated, and if the configuration file (/etc/sudoers) permits the user access, the system will invoke the requested command. 

Administrators can configure a sudoers file to define which users are allowed to run a list of commands as to specific users.

Now, due to the CVE-2019-14287 flaw, even is a user is not allowed to run a specific command as root it is possible to bypass the restriction

An attacker could exploit the vulnerability to run commands as root just by specifying the user ID “-1” or “4294967295.” This is possible because the function that converts user id into its username incorrectly handles the ‘-1’ value, or its unsigned equivalent 4294967295, and interprets it as 0, which is always associated with user ID of root user.

“Fixed CVE-2019-14287, a bug where a sudo user may be able to + run a command as root when the Runas specification explicitly + disallows root access as long as the ALL keyword is listed first.” states the advisory.

So, even if a user has been restricted to run a specific, or any, command as root, the vulnerability could allow the user to bypass this security policy and completely take over the system.

“Exploiting the bug requires that the user have sudo privileges that allow them to run commands with an arbitrary user ID. Typically, this means that the user’s sudoers entry has the special value ALL in the Runas specifier.” continues the advisory.

“Additionally, because the user ID specified via the -u option does not exist in the password database, no PAM session modules will be run.”

“Additionally, because the user ID specified via the -u option does not exist in the password database, no PAM session modules will be run.

If a sudoers entry is written to allow the user to run a command as any user except root, the bug can be used to avoid this restriction. For example, given the following sudoers entry:”

    myhost bob = (ALL, !root) /usr/bin/vi

User bob is allowed to run vi as any user but root. However, due to the bug, bob is actually able to run vi as root by running sudo -u#-1 vi, violating the security policy.”

The CVE-2019-14287 vulnerability was discovered by Joe Vennix of Apple Information Security, it affects Sudo versions prior to 1.8.28.

Linux users urge to update sudo package to the latest version as soon as it is available.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Linux, Sudo)

[adrotate banner=”5″]

[adrotate banner=”13″]