
Linux security hole: Much sudo about nothing


There's a lot of hubbub out there now about a security hole in the Unix/Linux family's sudo command. Sudo is the command which enables normal users to run commands as if they were the root user, aka the system administrator. While this sudo security vulnerability is a real problem and needs patching, it's not nearly as bad as some people make it out to be.

At first glance the problem looks like a bad one. With it, a user who is allowed to use sudo to run commands as any other user, except root, can still use it to run root commands. For this to happen, several things must be set up just wrong.

First the sudo user group must give a user the right to use sudo but doesn't give the privilege of using it to run root commands. That can happen when you want a user to have the right to run specific commands that they wouldn't normally be able to use. Next, sudo must be configured to allow a user to run commands as an arbitrary user via the ALL keyword in a Runas specification.


Potential bypass of Runas user restrictions

  • Potential bypass of Runas user restrictions

    When sudo is configured to allow a user to run commands as an arbitrary user via the ALL keyword in a Runas specification, it is possible to run commands as root by specifying the user ID -1 or 4294967295.

    This can be used by a user with sufficient sudo privileges to run commands as root even if the Runas specification explicitly disallows root access as long as the ALL keyword is listed first in the Runas specification.

    Log entries for commands run this way will list the target user as 4294967295 instead of root. In addition, PAM session modules will not be run for the command.
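    As an added example (not code from the sudo advisory or from any of the articles collected here), the following Python check audits sudoers user specs for the affected Runas shape the advisory describes (ALL listed first, root excluded only by a later negated entry) and flags sudo log entries whose target user is recorded as 4294967295 rather than a user name. The sudoers text and log lines are constructed samples, and the simplified sudoers grammar is an assumption: aliases and include directives are not expanded.

```python
import re

# Target uid the advisory says appears in log entries for the bypass.
# "-1" is included only as a conservative assumption; the advisory names 4294967295.
SUSPECT_TARGET_UIDS = {"4294967295", "-1"}

# Simplified sudoers user spec: user host = (runas_users[:runas_groups]) commands
USER_SPEC_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*\((?P<runas>[^)]*)\)\s*(?P<cmds>.*)$")

# sudo syslog line: "... sudo:  alice : TTY=pts/0 ; PWD=/x ; USER=root ; COMMAND=/bin/id"
SUDO_LOG_RE = re.compile(
    r"sudo:\s+(?P<invoker>\S+)\s+:.*?USER=(?P<target>\S+)\s*;\s*COMMAND=(?P<cmd>.*)$")

SKIP_PREFIXES = ("#", "Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")


def runas_affected(spec):
    """True if a Runas spec has the shape the advisory calls affected:
    ALL listed first, with root denied only by a later negated entry."""
    users = spec.split(":", 1)[0]                      # drop the optional group list
    entries = [e.strip() for e in users.split(",") if e.strip()]
    if len(entries) < 2 or entries[0] != "ALL":
        return False
    return any(e.startswith("!") for e in entries[1:])


def audit_sudoers(text):
    """Return (line_no, user, runas_spec) for each user spec whose Runas list is affected."""
    hits = []
    for no, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith(SKIP_PREFIXES):
            continue
        m = USER_SPEC_RE.match(stripped)
        if m and runas_affected(m.group("runas")):
            hits.append((no, m.group("user"), m.group("runas").strip()))
    return hits


def flag_sudo_log(lines):
    """Return (invoker, target, command) for log lines whose target user is a sentinel uid."""
    flagged = []
    for line in lines:
        m = SUDO_LOG_RE.search(line)
        if m and m.group("target") in SUSPECT_TARGET_UIDS:
            flagged.append((m.group("invoker"), m.group("target"), m.group("cmd").strip()))
    return flagged


# Constructed samples (not from the original page).
SAMPLE_SUDOERS = """\
Defaults env_reset
root    ALL=(ALL:ALL) ALL
alice   ALL=(ALL, !root) /usr/bin/vi
bob     ALL=(www-data) /usr/bin/systemctl restart nginx
carol   ALL=(ALL:ALL) ALL
"""

SAMPLE_LOG = [
    "Oct 15 10:01:02 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=4294967295 ; COMMAND=/usr/bin/vi",
    "Oct 15 10:02:03 host sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=www-data ; COMMAND=/usr/bin/systemctl restart nginx",
    "Oct 15 10:03:04 host sudo:    carol : TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/bin/ls",
]

if __name__ == "__main__":
    for no, user, spec in audit_sudoers(SAMPLE_SUDOERS):
        print(f"sudoers line {no}: {user} may run as ({spec}); relevant to CVE-2019-14287 on unpatched sudo")
    for invoker, target, cmd in flag_sudo_log(SAMPLE_LOG):
        print(f"log: {invoker} ran '{cmd}' with target uid {target}")
```

    Updating sudo remains the fix; the audit only shows which hosts have a configuration in which the bug matters, and the log check gives an after-the-fact signal on hosts that were not yet patched.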

Linux Sudo bug opens root access to unauthorized users

  • Linux Sudo bug opens root access to unauthorized users

    Sudo, the main command in Linux that allows users to run tasks, has been found to have a vulnerability that allows unauthorized users to execute commands as a root user.

    The vulnerability, known as CVE-2019-14287, does require a nonstandard configuration but nonetheless does open the door to unauthorized users.

    The vulnerability allows users to bypass the nonroot restriction by simply using -u#-1 in the command line. As The Hacker News described it Monday, the sudo security policy bypass issue allows “a malicious user or a program to execute arbitrary commands as root on a targeted Linux system even when the ‘sudoers configuration’ explicitly disallows the root access.”

More Sudo Coverage

  • One of Linux's most important commands had a glaring security flaw
  • Sudo Vulnerability

    ‘sudo’ is one of the most useful Linux/UNIX commands that allows users without root privileges to manage administrative tasks. However, a new vulnerability was discovered in the sudo package that gives users root privileges.

    “When sudo is configured to allow a user to run commands as an arbitrary user via the ALL keyword in a Runas specification, it is possible to run commands as root by specifying the user ID -1 or 4294967295,” according to the sudo advisory.

  • Linux/Unix exploit allows some restricted commands to be run as root without clearance

    The 'sudo' keyword in Unix and Linux allows users to execute certain commands with special-access privileges that cannot otherwise run on a given machine by a user with a lower level of clearance. Unsurprisingly, it is one of the most important commands in the entire Linux/Unix ecosystem, one that can substantially compromise the device's security if it is exploited.

    One such exploit/bug was discovered by Joe Vennix from Apple Information Security. The vulnerability has been titled CVE-2019-14287 in the Common Vulnerabilities and Exposures database. As stated before, 'sudo' lets you run commands that cannot otherwise be run by normal users on the machine. With CVE-2019-14287, you could circumvent this by simply changing the user ID to -1 or 4294967295 with the 'sudo' command. That means that by spoofing their identity, any user could execute restricted commands on the machine.

Big security flaw in Linux sudo command

  • Big security flaw in Linux sudo command

    Apple security researcher Joe Vennix has found a security bug in the important sudo command in Linux.

    The sudo command, which is short for “super user do”, is widely used in various Linux distributions to separate administrator-level permissions from ordinary system users.

    When installing programs, for instance, you would typically use the sudo command. Using sudo in front of any command or program causes it to be run as the administrator, or “root” user.

Security Flaw in Sudo...

  • Security Flaw in Sudo allows Users to Run Commands on Linux Systems

    Security researchers discovered a security bypass vulnerability in one of the most widely used Linux commands, the Sudo.

    According to researcher Joe Vennix, who discovered the vulnerability, the Sudo security bypass flaw can allow a malicious user to run random commands as root on a targeted Linux system. The researcher stated the vulnerability, named as CVE-2019-14287, works even when the Sudoers configuration forbids root access.

    Sudo, which stands for Superuser Do, is one of the most important and commonly used utilities that comes as a core command, installed on almost every UNIX and Linux-based operating system.

'Serious' Linux Sudo Bug's Damage Potential

  • 'Serious' Linux Sudo Bug's Damage Potential Actually May Be Small

    Developers have patched a vulnerability in Sudo, a core command utility for Linux, that could allow a user to execute commands as a root user even if that root access was specifically disallowed.

    The patch prevents potential serious consequences within Linux systems. However, the Sudo vulnerability posed a threat only to a narrow segment of the Linux user base, according to Todd Miller, software developer and senior engineer at Quest Software and a maintainer of the open source Sudo project.

    "Most Sudo configurations are not affected by the bug. Non-enterprise home users are unlikely to be affected at all," he told LinuxInsider.

Linux Sudo Bug Lets Non-Privileged Users To Run Commands As Root

More Linux Bugs

  • Linux Sudo bug could allow hackers root access

    Security researchers have discovered a bug in Sudo that enables hackers to execute commands as root on a Linux system when the "sudoers configuration" explicitly disallows the root access.

    Sudo is a powerful utility that is installed on virtually every Unix and Linux system; it enables certain users or groups to execute commands in the context of any other user – including as root – without having to log in as a different user.

    Exploiting the vulnerability requires the user to have Sudo privileges that allow them to run commands with an arbitrary user ID, except root. This vulnerability has been assigned CVE-2019-14287 in the Common Vulnerabilities and Exposures database.

  • Linux Wi-Fi bug leaves systems vulnerable to forced crashes and full control by hackers

    A vulnerability has been discovered in the RTLWIFI driver, which is used to support Realtek Wi-Fi chips on Linux systems. A flaw in the driver could be exploited to either crash your device, or even allow an attacker to take full control of your system.

    The bug has been around for at least four years, and is described as 'serious' by security experts. It has been assigned CVE-2019-17666, and while a fix has been proposed, it's yet to be incorporated into the Linux kernel.

Four-Year-Old Critical Linux Wi-Fi Bug Allows System Compromise

  • Four-Year-Old Critical Linux Wi-Fi Bug Allows System Compromise

    A critical Linux bug has been discovered that could allow attackers to fully compromise vulnerable machines. A fix has been proposed but has not yet been incorporated into the Linux kernel.

    The flaw (CVE-2019-17666), which was classified as critical in severity, exists in the “rtlwifi” driver, which is a software component used to allow certain Realtek Wi-Fi modules, used in Linux devices, to communicate with the Linux operating system.

    Specifically, the driver is vulnerable to a buffer overflow attack, where a buffer (a region in physical memory storage used to temporarily store data while it is being moved) is allocated in the heap portion of memory (a region of process’s memory which is used to store dynamic variables). That excess data in turn corrupts nearby space in memory and could alter other data, opening the door for malicious attacks. This specific flaw could enable attackers to launch a variety of attacks – from crashing vulnerable Linux machines to full takeover.

"Driver checks whether the card is currently connected in p2p"

  • This Week In Security: A Digital Café Américain, The Linux Bugs That Weren't, The Great Nation, And More

    A problem in sudo was disclosed this week that allowed users to run commands as root even when they don’t have permission to do so. Sudo allows a user to specify a numeric user ID instead of a username. It was discovered that specifying -1 as the user did something unexpected: it failed. Trying to switch to user -1 fails, but sudo runs the rest of the command anyway, as root instead of user -1. I was excited to test this simple vulnerability on a slightly out-of-date system. I created an unprivileged user, ran the sudo command, and got the expected security error, but no root access.

    [...]

    In some ways a similar story, a problem in the Linux Kernel’s Realtek driver was found on Monday. At first glance, it’s another terrifying vulnerability that affects every Linux user with a Realtek wireless card. It appears to be a standard buffer overflow, where the length of a field is checked in one way, but not checked to be under the maximum length. A longer than expected data field will overflow the buffer and cause problems. A code execution exploit has not yet been discovered, but it’s likely to be eventually found.

    The catch with this bug is that before the vulnerable code is called, the driver checks whether the card is currently connected in p2p mode. Here’s the check in question if you’re interested. This means that rather than being vulnerable to attack any time your Realtek is powered on, you aren’t actually at risk unless you’re talking to another device using the p2p WiFi mode. In all the Linux WiFi work I’ve done over the years, I don’t think I’ve ever used p2p mode on a wireless card under Linux.

  • A Linux Bug Can Be Exploited To Hack Systems Using Wi-Fi Signals

    An unpatched bug in Linux systems could be exploited to crash the entire operating system, even worse, gain control of the system via nearby devices using Wi-Fi signals.

    The flaw stems from the RTLWIFI driver that supports Realtek Wi-Fi chips in Linux systems. The driver flaw can be activated as soon as the affected device is brought under the radio range of a malicious device.

  • Unpaired Linux bug can open devices for serious attacks via Wi-Fi

    The vulnerability is tracked as CVE-2019-17666. Linux developers suggested a fix on Wednesday that is likely to be included in the OS kernel in the coming days or weeks. Only then will the fix find its way to various Linux distributions.

    [...]

    The article notes that the error "cannot be activated if Wi-Fi is disabled or if the device uses a Wi-Fi chip from another manufacturer."

Patch Awaited For A Critical Four-Year-Old Linux WiFi...

  • Patch Awaited For A Critical Four-Year-Old Linux WiFi Vulnerability

    Linux users unknowingly remained vulnerable to a serious security flaw for almost four years. Recently, a researcher highlighted a critical Linux WiFi vulnerability that could allow system compromise. The bug existed for four years and still awaits a patch.

    Reportedly, there is a security vulnerability affecting millions of Linux users. The vulnerability primarily affects the Realtek driver (rtlwifi) allowing an adversary to compromise the targeted system. As discovered by the researcher Nico Waisman, the Linux WiFi vulnerability existed for about four years.

Linux Could Open The Door To Serious Attacks Over Wifi Signals

  • Linux Could Open The Door To Serious Attacks Over Wifi Signals

    A potentially severe vulnerability in Linux might make it attainable for nearby units to use Wi-Fi signals to crash or fully compromise vulnerable machines, a security researcher mentioned.

    The flaw is situated within the RTLWIFI driver, which is used to help Realtek Wi-Fi chips in Linux gadgets. The vulnerability triggers a buffer overflow in the Linux kernel when a machine with a Realtek Wi-Fi chip is inside the radio and varies from a malicious device. At a minimal, exploits would cause a working-system crash and will possibly permit a hacker to achieve full management of the computer. The flaw dates again to version 3.10.1 of the Linux kernel launched in 2013.

    The vulnerability is tracked as CVE-2019-17666. Linux builders proposed a fix that can doubtless be included in the OS kernel within the coming days or weeks. Only after that can the repair make its means into various Linux distributions.

More of this FUD

  • Linux Could Open The Door To Serious Attacks Over Wifi Signals [Ed: This FUD came from a Microsoft employee and was initially spread by a site where Microsoft employed convicted people to attack Linux and FOSS. This is false. It’s FUD. Nobody enables P2P mode. Almost nobody.]

    A potentially severe vulnerability in Linux might make it attainable for nearby units to use Wi-Fi signals to crash or fully compromise vulnerable machines, a security researcher mentioned.
