Apple Information Security researchers found the bug in Linux sudo.
Sudo is a program for Unix-like computer operating systems that allows users to run programs with the security privileges of another user, by default the superuser. It originally stood for “superuser do” as the older versions of sudo were designed to run commands only as the superuser.
What is the vulnerability in Sudo?
The sudo vulnerability is tracked as CVE-2019-14287. The flaw gives root-level access: it allows arbitrary commands to be executed as root on a targeted Linux system even if that permission has been denied.
How is it affected?
Exploiting the bug requires that the user have sudo privileges that allow them to run commands with an arbitrary user ID. According to the research, this typically means that the user’s sudoers entry has the special value ALL in the Runas specifier.
Sudo supports running a command with a user-specified user name or user ID, if permitted by the sudoers policy. For example, the following sudoers entry allows the id command to be run as any user because it includes the ALL keyword in the Runas specifier.
myhost alice = (ALL) /usr/bin/id
Not only is alice able to run the id command as any valid user, she is also able to run it as an arbitrary user ID by using the #uid syntax. For example,
sudo -u#1234 id -u
would return 1234. However, the setresuid(2) and setreuid(2) system calls, which sudo uses to change the user ID before running the command, treat user ID -1 (or its unsigned equivalent 4294967295) specially and do not change the user ID for this value. As a result,
sudo -u#-1 id -u or sudo -u#4294967295 id -u
will actually return 0. This is because the sudo command itself is already running as user ID 0 so when sudo tries to change to user ID -1, no change occurs.
This results in sudo log entries that report the command as being run by user ID 4294967295 and not root (or user ID 0). Additionally, because the user ID specified via the -u option does not exist in the password database, no PAM session modules will be run.
If a sudoers entry is written to allow the user to run a command as any user except root, the bug can be used to avoid this restriction.
For example, given the following sudoers entry:
myhost bob = (ALL, !root) /usr/bin/vi
User bob is allowed to run vi as any user but root. However, due to the bug, bob is actually able to run vi as root by running sudo -u#-1 vi, violating the security policy.
Only sudoers entries where the ALL keyword is present in the Runas specifier are affected.
For example, the following sudoers entry is unaffected:
myhost alice = /usr/bin/id
In this example, alice is only allowed to run the id command as root.
Any attempt to run the command as a different user will be denied.
The bug has been fixed in sudo version 1.8.28. If you are using Linux, update sudo to the latest version.
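The affected-entry rule and the fixed version described above can be checked mechanically. The following is an added example, not code from the original article or the sudo project: a simplified Python audit that flags sudoers entries whose Runas specifier contains ALL and compares a version string against 1.8.28. The function names, classification labels and sample fragment are constructed for illustration, and aliases and multi-line entries are not handled.

```python
import re

RUNAS = re.compile(r"=\s*\(([^)]*)\)")  # Runas specifier: "= (users[: groups])"
FIXED = (1, 8, 28)                       # fixed release named in the article

def runas_users(entry):
    """Runas user list of one sudoers entry, or [] when it has no Runas specifier."""
    m = RUNAS.search(entry)
    if m is None:
        return []
    users = m.group(1).split(":", 1)[0]  # ignore an optional ": group" part
    return [u.strip() for u in users.split(",") if u.strip()]

def classify(entry):
    """Classify one entry against the condition stated in the article."""
    users = runas_users(entry)
    if "ALL" not in users:
        return "unaffected"              # no ALL keyword in the Runas specifier
    if any(u.startswith("!") for u in users):
        return "exclusion-bypassable"    # e.g. (ALL, !root): the exclusion does not hold
    return "any-uid-allowed"             # (ALL): root is already permitted by policy

def is_patched(version):
    """True if a sudo version string such as '1.8.28p1' is 1.8.28 or later."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if m is None:
        raise ValueError(f"unrecognised sudo version: {version!r}")
    return tuple(map(int, m.groups())) >= FIXED

def audit(sudoers_text):
    """Return (entry, classification) for every affected entry in the text."""
    entries = [l.strip() for l in sudoers_text.splitlines()]
    entries = [l for l in entries if l and not l.startswith("#")]  # skip blanks, comments
    return [(l, classify(l)) for l in entries if classify(l) != "unaffected"]

# Constructed sample, built from the three entries quoted in the article.
SAMPLE = """\
# constructed sample sudoers fragment
myhost alice = (ALL) /usr/bin/id
myhost bob = (ALL, !root) /usr/bin/vi
myhost alice = /usr/bin/id
"""

if __name__ == "__main__":
    for entry, verdict in audit(SAMPLE):
        print(f"{verdict:22} {entry}")
```

Entries reported as exclusion-bypassable are the ones where the policy intent (any user except root) is violated on unpatched versions, so they are the first to review if an upgrade has to be delayed.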