Fixing the Linux sudo security flaw.

Sudo fixing sudo.

There is a root exploit vulnerability within older versions of “sudo”. The actual exploit is described in detail by Mohit Kumar in The Hacker News. Acquiring root sudo control over a system gives complete control. Mohit points to the sudo developer statement:

“This can be used by a user with sufficient sudo privileges to run commands as root even if the Runas specification explicitly disallows root access as long as the ALL keyword is listed first in the Runas specification,” the Sudo developers say.

For elaboration sake, “sudo” is the superuser on Linux based machines (granted this article is specifically centered around the fix for the Ubuntu distro). “sudo” is equivalent to the administrator on a Windows based machine. Pretty much everyone is impacted by it that uses the internet whether they use a Linux desktop or not. As an example Google uses more than 15,000 Linux based servers alone. If a machine that accounting software or accounting data is either hosted, stored on, or passes through (such as with AWS or via a virtual machine) there is a good chance you are indirectly vulnerable. Something like this is what makes the whole migration (once again) to the cloud queezy. If you directly use Linux the rest of this article is for you.

In a recent engadget article by Jon Fingas outlined the resolve to the security flaw within the “sudo” command that would permit someone that had first hand access to a systems terminal to gain root access by using a userID of -1 or its numeric unassigned equivalent of 4294967295. In the article he pointed out the fix was already addressed in Linux by updating to one of the “newer sudo packages (1.8.28 or later) to fix the flaw”.

The fix is simple. Following Daniel Elkabes’ recommendations in a WhiteSource article:

Our best advice is to keep calm, and make sure you update your open source software components.

Referencing Ubuntu’s security notices:

USN-4154-1: Sudo vulnerability
14 October 2019

sudo vulnerability
A security issue affects these releases of Ubuntu and its derivatives:
Ubuntu 19.04
Ubuntu 18.04 LTS
Ubuntu 16.04 LTS
Ubuntu 14.04 ESM
Ubuntu 12.04 ESM

Sudo could be made to run commands as root if it called with a specially crafted user ID.

Software Description
sudo – Provide limited super user privileges to specific users

Joe Vennix discovered that Sudo incorrectly handled certain user IDs. An attacker could potentially exploit this to execute arbitrary commands as the root user.

Update instructions
The problem can be corrected by updating your system to the following package versions:

Ubuntu 19.04

Ubuntu 18.04 LTS

Ubuntu 16.04 LTS

Ubuntu 14.04 ESM
sudo – 1.8.9p5-1ubuntu1.5+esm2
sudo-ldap – 1.8.9p5-1ubuntu1.5+esm2

Ubuntu 12.04 ESM
sudo – 1.8.3p1-1ubuntu3.8
sudo-ldap – 1.8.3p1-1ubuntu3.8

To update your system, please follow these instructions:

Putting this all together the actual update release is Ubuntu version specific (not necessarily the referenced generic “version 1.8.28” mentioned in the previous articles). Linux users can check to see what version is currently installed by opening a terminal window and entering the command at the prompt ($):

dpkg -l sudo

You should see an output similar to:

Note that my package was updated with the last system update. Should your dpkg -l sudo output not match the specified release within the “Update Instructions” you need to update your copy of sudo. You can do so by inputting the following at the command line ($):

sudo apt-get update

sudo apt-get install sudo

With the up to-date version installed the output from the above machine indicates that the installed version is the current version, and it indeed does match the documentation for Ubuntu 18.04 LTS found in the Ubuntu security notice. If you had an older version of sudo the most current package would have been installed, and you would have been patched for this vulnerability.

While for some it may be discomforting for a vulnerability to exist for such a command, Ubuntu was on top of things alerting the community with their security notice. We can all rest easier for another night.

Leave a Reply

Your email address will not be published. Required fields are marked *