CVE-2019-14287: sudo allows running commands as root by specifying the user ID -1
sudo versions prior to 1.8.28 are affected.
When sudo is configured to allow a user to run commands as an arbitrary user via the ALL keyword in a Runas specification, it is possible to run commands as root by specifying the user ID -1 or 4294967295.
This can be used by a user with sufficient sudo privileges to run commands as root even if the Runas specification explicitly disallows root access as long as the ALL keyword is listed first in the Runas specification.
Ref.: https://www.sudo.ws/alerts/minus_1_uid.html
The vulnerability, tracked as CVE-2019-14287 and discovered by Joe Vennix of Apple Information Security, is more concerning because the sudo utility has been designed to let users use their own login password to execute commands as a different user without requiring their password.
The vulnerability affects all Sudo versions prior to the latest released version 1.8.28, which was released today (10.14), a few hours ago, and will soon be rolled out as an update by various Linux distributions to their users.
Ref.: https://thehackernews.com/2019/10/linux-sudo-run-as-root-flaw.html
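The mechanics behind the advisory text above, as an added example (this is not sudo's code and not part of the original post): a user-supplied numeric uid, a Runas check modelled on "(ALL, !root)", and setresuid(2)'s rule that a uid of (uid_t)-1 means "leave this id unchanged". The function names (parse_uid_naive, parse_uid_checked, runas_all_but_root_allows, model_setresuid, simulate) are assumptions of this example, the parsers and policy check are simplified stand-ins for sudo's own, and the code assumes a 32-bit uid_t as on Linux. Both "-1" and "4294967295" collapse to the same bit pattern, pass the "not root" test, and then leave sudo's already-root effective uid in place.

```c
/*
 * Added example, not code from sudo or from the post above. Models the
 * three pieces the advisory describes: a numeric uid from "-u#<id>", a
 * Runas check of "(ALL, !root)", and setresuid(2)'s treatment of
 * (uid_t)-1 as "do not change". Assumes a 32-bit uid_t (Linux).
 */
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>

#define UID_NONE ((uid_t)-1)  /* setresuid(2): "keep this id as it is" */

#define SIM_PARSE_REJECTED  (-1)
#define SIM_POLICY_REJECTED (-2)

/* Permissive parser: any integer the C library accepts is truncated into
 * a uid_t. "-1" becomes 0xffffffff by sign conversion; "4294967295" is
 * already 0xffffffff. Both collapse to UID_NONE. */
static bool parse_uid_naive(const char *s, uid_t *out)
{
    char *end;
    errno = 0;
    long long v = strtoll(s, &end, 10);
    if (errno != 0 || end == s || *end != '\0')
        return false;
    *out = (uid_t)v;   /* silent truncation and sign conversion */
    return true;
}

/* Hardened parser: no sign, must fit in uid_t, and must not equal the
 * (uid_t)-1 sentinel. This is the kind of check the fix adds. */
static bool parse_uid_checked(const char *s, uid_t *out)
{
    char *end;
    if (*s == '-' || *s == '+')
        return false;
    errno = 0;
    unsigned long long v = strtoull(s, &end, 10);
    if (errno != 0 || end == s || *end != '\0')
        return false;
    if (v > UINT32_MAX || (uid_t)v == UID_NONE)   /* 32-bit uid_t assumed */
        return false;
    *out = (uid_t)v;
    return true;
}

/* Runas spec "(ALL, !root)": the only excluded target is uid 0.
 * UID_NONE is not 0, so the policy lets it through. */
static bool runas_all_but_root_allows(uid_t target)
{
    return target != 0;
}

/* setresuid(2) semantics for one id: -1 means "keep the current value".
 * sudo already runs with euid 0 when it makes this call. */
static uid_t model_setresuid(uid_t current_euid, uid_t requested)
{
    return requested == UID_NONE ? current_euid : requested;
}

/* Runs the whole path for one "-u#<id>" argument. Returns the euid the
 * command would end up with, or a negative SIM_* code if sudo stops. */
static long long simulate(const char *id_arg, bool hardened)
{
    uid_t target;
    bool ok = hardened ? parse_uid_checked(id_arg, &target)
                       : parse_uid_naive(id_arg, &target);
    if (!ok)
        return SIM_PARSE_REJECTED;
    if (!runas_all_but_root_allows(target))
        return SIM_POLICY_REJECTED;
    return (long long)model_setresuid(0 /* sudo's euid is root here */, target);
}

int main(void)
{
    const char *args[] = { "-1", "4294967295", "1000", "0" };
    for (int h = 0; h < 2; h++) {
        printf("%s parser:\n", h ? "hardened" : "naive");
        for (size_t i = 0; i < sizeof args / sizeof args[0]; i++) {
            long long r = simulate(args[i], h != 0);
            if (r == SIM_PARSE_REJECTED)
                printf("  -u#%-10s -> rejected by parser\n", args[i]);
            else if (r == SIM_POLICY_REJECTED)
                printf("  -u#%-10s -> rejected by Runas policy\n", args[i]);
            else
                printf("  -u#%-10s -> command runs with euid %lld\n", args[i], r);
        }
    }
    return 0;
}
```

With the naive parser, "-1" and "4294967295" both reach the command with euid 0 while "0" is correctly refused, which is exactly the inconsistency the advisory describes; the hardened parser refuses both before the policy check runs. The practical check on a real host with such a rule is the one in the linked sudo.ws alert: `sudo -u#-1 id -u` printing 0 means the installed sudo is older than 1.8.28.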
Comments
Interesting that 1.8.28 didn't show up as a security update.
This is sooo juicy.
But the user has to be listed in sudoers so it's not like your average privileged user just got a free pass.
I believe CVE-2019-14835 is quite interesting too among recently disclosed issues
"A buffer overflow flaw was found, in versions from 2.6.34 to 5.2.x, in the way Linux kernel's vhost functionality that translates virtqueue buffers to IOVs, logged the buffer descriptors during migration. A privileged guest user able to pass descriptors with invalid length to the host when migration is underway, could use this flaw to increase their privileges on the host."
In other words, KVM guests are able to escalate their privileges to take over the host.
Didn't sudoers already get root access when you run commands as sudo?
Yes, but you can restrict some binaries to be accessible only by certain users among the sudoers.
Meanwhile, OpenBSD is...
wait for it...
...not vulnerable, because they threw out sudo due to other issues and replaced it with their own, more secure alternative, doas.
As I understand from the sudo.ws webpage:
Yes, the flaw occurs in a very specific scenario. Sudo has to be set up to allow a user to run a specific command as "any other user except root", e.g.:
user ALL = (ALL, !root) /usr/bin/vi
Edit: updates for Ubuntu released: https://usn.ubuntu.com/4154-1/
Very true. Of course, doas has its own vulnerabilities which nobody ever finds because nobody uses OpenBSD.
edited: Oh I get it now, the bug is that
(ALL, !root)
did not work as expected. Lovely. 64-bit and 32-bit signed and unsigned integers all funnily mingled and, as an added bonus, non-existing users treated as root. Great.
Plus short "cool" identifiers used because, you know, editors can't do autocomplete and because, well, because he can and is a cool unix security hackzor.
Plus, sadly, the (ALL, !root) construct isn't that rarely found.
Enjoy your warm "linux/unix keeps us secure" feeling while it lasts ...
Ah, that is a very specific condition. I didn't even know it existed. I guess it is good when you want users to get shared ssh access with elevated permissions without giving them root permissions. Doesn't matter for those who own their own private servers though...
^^^ This ^^^
The difference being it's patched quickly and doesn't take 40 minutes to update the OS.
Pardon me but what's the worth of that considering that millions and millions of sudo users were exposed to a significant vulnerability for many years?
Let's be honest: that code has been sloppily and carelessly hacked (as opposed to being developed to good engineering standards). The sad fact is that that code would not even be accepted in a truly professional and security minded setting.
If anyone wants a TL;DR it is "careless, ignorant, sloppy, error-prone".
^ can't argue against that, though I've never seen that particular usage of sudo before.
I always warned about negative numbers, they are evil and sneaky.
By the way, when I was doing my daily servers checkup, it surprised me to see "sudo" in the list of packages needing to be updated.
Now we only need to find an SSH key-based authentication bug, so no one would need passwords to take over machines.
Have you ever heard about firewalls?
It's very effective.
It's effective, but there are so many servers with public SSH accessible...
Isn't that rarely found? When and why would this be used commonly? Most users just Google for passwordless or running an application with specific permissions, I don't see everyday people stumbling into a HowTo post that people blindly copy.
Windows for the win!
Previously, Ubuntu used to ship with passwordless sudo by default. Escalating privileges was easy.
Later, Debian stopped giving sudo by default.
You still need the allowed program to do something. I know this is bad, but this is just the first step.
Whatever program is allowed in sudo needs to be able to write or run something malicious as root for a privilege escalation.