Apple Information Security expert Joe Wennix discovered sudo vulnerability in sudo CVE-2019-14287. Fortunately, the problem does not occur with standard configuration settings, that is, most users of Linux systems are safe.
Explain the essence of the problem is easiest with an example. The bug is associated with the use of / etc / sudoers rules, which allow the execution of a specific command on behalf of any other user (using his UID), except for root. For example, the user bob as sudoer on the mybox server can run the Vi text editor on behalf of any user except root:
mybox bob = (ALL,! root) / usr / bin / vi
However, if imaginary Bob uses -u # -1, he can bypass this limitation and launch Vi as root:
sudo -u # -1 vi
In fact, to exploit the problem, you need to try to execute a command with UID “-1” or “4294967295”, which will lead to its execution with UID 0. The fact is that using -u # -1 does not lead to a change in UID. Since sudo is already running as root, instead of changing the UID, the target command also runs as root.
Wennix recommends users upgrade sudo to version 1.8.28 released this week, where the value “-1” is no longer accepted. The patch for this problem is already available, and the vulnerability has been fixed in all major distributions, including Debian, Arch linux, SUSE / openSUSE, Ubuntu, Gentoo and Freebsd.