A patch has been released for a vulnerability in Sudo that can be exploited by an unprivileged attacker to gain full root permissions on the targeted system.
Sudo is a popular utility that system administrators can use to allow users to execute some commands as root or another user. Sudo is present in various Linux distributions and Apple’s macOS operating systems.
Joe Vennix, a security expert from Apple, discovered that Sudo is affected by a buffer overflow vulnerability that can be exploited to escalate privileges on the targeted system. The flaw impacts the pwfeedback option in Sudo.
When the sudo command is used and users are prompted to enter their password, they do not get any feedback when typing the password. However, if the pwfeedback option is enabled, an asterisk is printed on the screen for each character of the password in order to provide some visual feedback to the user.
The pwfeedback option is disabled by default, but in some operating systems, such as Linux Mint and Elementary OS, it’s enabled by default in the sudoers file, where the sudo privileges of users and groups are defined. In addition, many administrators find it useful and manually enable the option.
If the pwfeedback option is enabled in sudoers, an attacker who has access to the system — even if they are not listed in the sudoers file — can trigger the buffer overflow by passing a large input to sudo via a pipe when it prompts for the password. Exploitation can allow the attacker to escalate privileges to the root account.
“Because the attacker has complete control of the data used to overflow the buffer, there is a high likelihood of exploitability,” Sudo developers wrote in an advisory.
The vulnerability is tracked as CVE-2019-18634 and it has impacted Sudo versions starting with 1.7.1, which was released back in 2009. While the underlying issue is still present in more recent versions, exploitation does not appear to be possible in versions since 1.8.26, which was released in 2018.
The weakness has now been fixed in version 1.8.31. As a workaround, users can simply disable pwfeedback.
Apple and Linux distributions such as Red Hat, Ubuntu and Debian have also released patches or mitigations for the vulnerability.
Related: Libarchive Vulnerability Impacts Multiple Linux Distributions
Related: Serious Vulnerabilities in Linux Kernel Allow Remote DoS Attacks
Related: Linux Flaw Allows Sudo Users to Gain Root Privileges