The Sudo utility that is installed as a command on almost every Linux and Unix system is affected by a security policy bypass issue tracked as CVE-2019-14287.
The vulnerability could be exploited by an ill-intentioned user or a malicious program to execute arbitrary commands as root on a targeted Linux system, even if the “
were designed to run commands only as the
“This can be used by a user with sufficient sudo privileges to run commands as root even if the Runas specification explicitly disallows root access as long as the ALL keyword is listed first in the Runas specification.
Log entries for commands run this way will list the target user as 4294967295 instead of root. In addition, PAM session modules will not be run for the command.”
Unlike the su command, users must, by default, supply their password for authentication, rather than the password of the target user. Once authenticated, and if the configuration file (/etc/sudoers) permits the user access, the system will invoke the requested command.
Administrators can configure a
Now, due to the CVE-2019-14287 flaw, even is a user is not allowed to run a specific command as root it is possible to bypass the restriction
An attacker could exploit the vulnerability to run commands
“Fixed CVE-2019-14287, a bug where a sudo user may be able to + run a command as root when the Runas specification explicitly + disallows root access as long as the ALL keyword is listed first.” states the advisory.
So, even if a user has been restricted to run a specific, or any, command as root, the vulnerability could allow the user to bypass this security policy and completely take over the system.
“Exploiting the bug requires that the user
“Additionally, because the user ID specified via the -u option does not exist in the password database, no PAM session modules will be run.”
“Additionally, because the user ID specified via the -u option does not exist in the password database, no PAM session modules will be run.
If a sudoers entry is written to allow the user to run a command as any user except root, the bug can be used to avoid this restriction. For example, given the following sudoers entry:”
myhostbob = (ALL, ! root) /usr/bin/ vi
User bob is allowed to run
The CVE-2019-14287 vulnerability was discovered by Joe Vennix of Apple Information Security, it affects Sudo versions prior to 1.8.28.
Linux users urge to update