Linux Vulnerability Sudo Command, Patch Now

Forum Moderators: bakedjake

Message Too Old, No Replies

Linux Vulnerability Sudo Command, Patch Now

engine

11:34 am on Oct 15, 2019 (gmt 0)

There's a security vulnerability in Linux Sudo command and the developers have patched it. Update now to v1.8.28 or later where the bug is fixed.

The quirk revolved around sudo's treatment of user IDs. If you typed the command with a user ID of -1 or its unsigned equivalent 4294967295, it would treat you as if you had root access (user ID 0) even as it recorded the actual user ID in the log. The user IDs in question don't exist in the password database, either, so the command won't require a password to use.

[engadget.com...]

[sudo.ws...]

graeme_p

11:54 am on Oct 15, 2019 (gmt 0)

This is only a problem if you use sudo to give people restricted access. If you use sudo to give users root it changes nothing.

ogletree

3:08 am on Oct 16, 2019 (gmt 0)

My server guy said that Cent OS 6 does not have access to the new version of SU, but said that I have nothing to worry about since we don't use it that way.

Milchan

2:16 pm on Oct 17, 2019 (gmt 0)

My server guy said that Cent OS 6 does not have access to the new version of SU, but said that I have nothing to worry about since we don't use it that way.

I presume he means that the current version provided by the repos set to be used by yum does not contain the new version - but that wouldn't stop him from setting up alternative repos or installing/compiling from source. Ive not tried this though and my instinct says there is a possibility that could get tricky depending on what other binaries might depend on su.

Im guessing there will be an update quite quick though for something that serious

ogletree

4:47 pm on Oct 17, 2019 (gmt 0)

Since we are not using SU in such a way that this would affect us I'm not worried about it.

engine

5:17 pm on Oct 17, 2019 (gmt 0)

Even if you don't use it now it's worth updating if you have it.

JorgeV

5:27 pm on Oct 17, 2019 (gmt 0)

Hello-

The infamous negative numbers fail.

nb: I have the right to be sarcastic, because, I made the same mistake in my a PHP script once :)

graeme_p

9:53 am on Oct 18, 2019 (gmt 0)

su? This is about sudo, not su. They are different things and on all distros I know. On Centos su is provided by the util-linux package while sudo is provided by the sudo package.

Exploiting the bug requires that the user have sudo privileges that allow them to run commands with an arbitrary user ID. Typically, this means that the user's sudoers entry has the special value ALL in the Runas specifier.

Essentially you let people run a command as any user except those specifically listed, and then this lets user get around restrictions like "run as any user but root". Not common - sudo is generally used to let people run commands as root. No problem with that (because they have root access anyway), and no problem with run specified commands as only specified users (because then you never specify ALL). The latter is much better than "all but exceptions" because it does not increase access when you add new users.

So, you will probably get an update soon, and its a serious but obscure issue rather than a serious and common one.

mcneely

11:32 am on Oct 22, 2019 (gmt 0)

I always keep an eye out for stuff like this when it comes down the line ... I update server side and locally as a rule because it's all Linux on both