JUST NOW: Huge exploit in "sudo" allows users to gain root privileges
https://www.sudo.ws/alerts/unescape_overflow.html
Now this is a disaster if there is one.
Solution: update to sudo 1.9.5p2
Comments
I wonder how Feralhosting is right now with sudo installed in all of their shared systems lol
I'm not a customer there anymore but it was probably patched immediately, admins of large setups like that tend to have their eye on security news a lot more than the average malicious user does. I imagine it would take far less time for them to upgrade or apply a patch than it would for an unprepared malicious actor to discover the exploit and then work out how to use it.
Keep your systems up to date, especially when there's news like this, and you'll generally be perfectly fine.
How to update sudo to the latest version? My current cPanel and DA servers are using 1.8.23.
Is it necessary to install a custom package (latest version of sudo), while my Ubuntu 20.04 is still using 1.8.31 and CL is using 1.8.23?
# sudo is already the newest version (1.8.31-1ubuntu1.2).
Some of my VPS ask to update, some don't.
Maybe depends.
To upgrade sudo you should locate packages for your system which look like the ones below on this page https://www.sudo.ws/dist/packages/1.9.5p2/
Then
wget https://www.sudo.ws/dist/packages/1.9.5p2/sudo_1.9.5-3_[$OS_$architecture].deb/rpm
wget https://www.sudo.ws/dist/packages/1.9.5p2/sudo-logsrvd_1.9.5-3_[$OS_$architecture].deb/rpm
wget https://www.sudo.ws/dist/packages/1.9.5p2/sudo-python_1.9.5-3_[$OS_$architecture].deb/rpm
# ldap file is only available for deb based OS:
wget https://www.sudo.ws/dist/packages/1.9.5p2/sudo-ldap_1.9.5-3_[$OS_$architecture].deb
In short you need sudo, sudo-logsrvd, sudo-ldap and sudo-python. Just ctrl+f the page.
Then as root
dpkg -i *.deb
or
rpm -U *.rpm
(No need to uninstall existing installation first)
You don't need 1.9.5p2 exactly.
Debian/Ubuntu (maybe other OS) issued patch for current sudo version.
To check if sudo patched, update OS and try
sudoedit -s /
patched sudo version will show help string like 'usage: sudoedit ...' instead of error.
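The two signals contrasted in the post above (the version number, which distro backports leave unchanged, versus the behaviour of `sudoedit -s /`) can be combined into one fleet check. This is an added example, not code from the thread, the sudo project or the Qualys advisory; it assumes the advisory's affected upstream ranges (1.8.2 to 1.8.31p2 and 1.9.0 to 1.9.5p1), its probe output strings ("sudoedit: /: not a regular file" for vulnerable, "usage: sudoedit ..." for fixed), and that the first line of `sudo -V` reads "Sudo version X":

```shell
#!/bin/sh
# Added example (not from the thread or the sudo project): classify a host against
# CVE-2021-3156 using the two signals the post above contrasts.
#  1. The version printed by `sudo -V`. Upstream affected ranges, per the advisory:
#     legacy 1.8.2 .. 1.8.31p2 and stable 1.9.0 .. 1.9.5p1. A hint only, because
#     distributions backport the fix without changing the version number.
#  2. The advisory's behavioural probe `sudoedit -s /`, run as a non-root user:
#     a vulnerable build answers "sudoedit: /: not a regular file", a fixed build
#     rejects -s and prints "usage: sudoedit ...".
# The probe result is authoritative; the version range only annotates it.

# ver_key 1.8.31p2 -> "1 8 31 2" (the pN suffix becomes a 4th field, 0 if absent)
ver_key() {
    case $1 in
        *p*) base=${1%%p*}; patch=${1##*p} ;;
        *)   base=$1;       patch=0 ;;
    esac
    IFS=. read -r maj min rel <<EOF
$base
EOF
    printf '%d %d %d %d' "${maj:-0}" "${min:-0}" "${rel:-0}" "${patch:-0}"
}

# ver_cmp A B -> prints -1, 0 or 1
ver_cmp() {
    set -- $(ver_key "$1") $(ver_key "$2")
    for pair in "$1 $5" "$2 $6" "$3 $7" "$4 $8"; do
        x=${pair% *}; y=${pair#* }
        if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return 0; fi
        if [ "$x" -gt "$y" ]; then printf '%s\n' 1;  return 0; fi
    done
    printf '%s\n' 0
}

# in_affected_range VER -> exit status 0 if VER lies inside an affected upstream range
in_affected_range() {
    if [ "$(ver_cmp "$1" 1.8.2)" -ge 0 ] && [ "$(ver_cmp "$1" 1.8.31p2)" -le 0 ]; then return 0; fi
    if [ "$(ver_cmp "$1" 1.9.0)" -ge 0 ] && [ "$(ver_cmp "$1" 1.9.5p1)" -le 0 ]; then return 0; fi
    return 1
}

# classify_probe OUTPUT -> patched | vulnerable | unknown
# OUTPUT is the combined stdout+stderr of `sudoedit -s /`. Anything else (for
# instance "sudoedit: a terminal is required to read the password") is reported
# as unknown rather than guessed.
classify_probe() {
    case $1 in
        usage:*)                            echo patched ;;
        "sudoedit: /: not a regular file"*) echo vulnerable ;;
        *)                                  echo unknown ;;
    esac
}

# Run both signals on this host.
check_local_sudo() {
    if ! command -v sudoedit >/dev/null 2>&1; then
        echo "sudoedit not found: nothing to patch here"
        return 0
    fi
    ver=$(sudo -V 2>/dev/null | sed -n '1s/^Sudo version //p')
    if [ -n "$ver" ] && in_affected_range "$ver"; then
        echo "version $ver: inside the affected upstream range (your distro may have backported the fix)"
    else
        echo "version ${ver:-unknown}: outside the affected upstream range"
    fi
    probe=$(sudoedit -s / 2>&1) || true
    echo "probe: $(classify_probe "$probe")"
}

case ${1-} in --run) check_local_sudo ;; esac
```

Run it as an ordinary (non-root) user with `sh check_sudo.sh --run`. A patched Ubuntu 20.04 box still reports version 1.8.31 as "inside the affected upstream range", which is exactly why the probe line, not the version line, is the one to act on; the probe deliberately refuses to classify any output other than the two strings the advisory documents.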
CloudLinux shared hosting servers should be ok
Inside CageFS there is no sudo
$ sudo
-bash: sudo: command not found
btw version 1.8.23-10 el7 (and forks) and sudo-1.8.29-6 el for el 8.3 are patched
Thank you, @stefeman - that's indeed a very major clusterf_ck.
@All
Note that the affected sudo versions boil down to pretty much any version of the last years, that is, older Ubuntus as well as the newest (not yet updated) Linuxen.
What to do? Update! (and hope there's not more crap)
EDIT:
@coolice No, 'sudoedit -s /' wouldn't do the trick anyway. The example provided has an additional dynamic argument (using Perl) that prints out lots of (normal) characters. Plus, of course the non-alnum last character (in your case '/') needs to be quoted.
If you are running a shared host at all (people other than yourself have SSH access) then you need to update ASAP, via your distro's updated package if already available, or a side-install or build-it-yourself. Or if you don't actually use sudo, remove it, though not using sudo and instead using privileged accounts directly is usually not considered best practice.
For other arrangements the issue is less urgent as it isn't directly remotely exploitable (you need to gain access to a local user account before being able to escalate), though in theory the bug could be used in conjunction with any bugs that might exist in Internet-facing services.
OpenBSD is laughing at all of you. They threw out sudo due to security issues back in 2015 and replaced it with their homegrown utility, doas, which does the same thing but with far simpler syntax and not these kinds of security issues.
So what's the command to actually gain a root shell?
I couldn't hear from their dusty corner
Good to know, but there should be many layers of defence. Everyone should take it as a chance to improve
I just installed sudo on a FreeBSD VM and can confirm that OpenBSD indeed is oh so much more secure wrt this single case - in others FreeBSD is more secure and/or better. But that's anyway a nonsensical race and the correct statement seems to be "[whatever]BSD is more secure than linux", which in a way is nonsensical too because linux' focus point wasn't/isn't security anyway but end user usability (and "funny" experiment and religious verve (e.g. "Bazaar")).
FWIW I do not have sudo on my FreeBSD servers anyway.
From the Qualys analysis:
sudoedit -s '\' `perl -e 'print "A" x 65536'`
(Sorry but I won't waste time on Vanilla's formatting)
Considering how much of FreeBSD's security-oriented code started in OpenBSD, I'm not sure that's true. FreeBSD in some ways is an out-of-date OpenBSD.
In some environments I've worked in, sysadmins get tired of user requests so they just give sudo to users with ALL. Horrific. In better environments, sysadmins use sudo as a last resort...before it came along, people used groups and group permissions more, and you can get a long ways with those without needing to get into sudo in a lot of cases.
Hmm…
Putting a smaller number such as 1024 prints a stack trace.
But it doesn't work in GDB or Valgrind.
I won't enter in that kind of xBSD vs yBSD discussion. From my POV both are quite good and both have their stronger point and a few weaker ones, but neither is crappy.
Classical case of ideal world vs. real world...
Sorry, my focus isn't on that but on the fact that "holy" sudo is vulnerable. And evil hackzors don't care either; any vulnerability will do for them.
But I can state that that vulnerability
sudo, you had ONE JOB
Wow... It's been vulnerable for nearly ten years (the bad commit is https://github.com/sudo-project/sudo/commit/8255ed69 from July 2011)
Most of my servers auto-updated with the security patch. Thanks, unattended-upgrades.
"Feral"? What a name. Reminds me of the other post about "cockbox".
If I were still in college, there are three things I could do with a sudo vulnerability:
Neither is particularly useful:
I want a Linux kernel or LXC vulnerability, so I can double my RAM without haggling with @brueggus every month.
Which means that the vulnerability has probably been used in the wild in the past.
CentOS 7 1.8.23-10.el7_9.1.x86_64 and Debian Buster 1.8.27-1+deb10u are already available for upgrade with fixes
The idea is the exploit just allows you to write shellcode into some arbitrary location; you still need to get sudoedit to jump to your shellcode to get the actual privesc.
ii  sudo  1.8.27-1+deb10u3  amd64  Provide limited super user privileges to specific users
Whee, now my idling babies are safe 😂
https://blog.cloudlinux.com/a-new-sudo-package-with-the-cve-2021-3156-fix-for-cloudlinux-7-and-cloudlinux-8-released
From the CloudLinux blog: if your servers get a 500 internal server error when installing the sudo patch,
you may remove the yum cache first with rm -rfv /var/cache/yum, and then re-update sudo*
My CentOS 7 boxes got their sudo updates last night.
sudo yum update sudo
Tested by running the check. Now it returns usage, not a segmentation fault, which means it's patched. Have not yet checked my Ubuntus.
Arguably, they aren't a sysadmin, then.
Also, reminds me of https://xkcd.com/1200/.