Linux security hole: Much sudo about nothing

There's a lot of hubbub out there now about a security hole in the Unix/Linux family's sudo command. Sudo is the command that enables normal users to run commands as if they were the root user, aka the system administrator. While this sudo security vulnerability is a real problem and needs patching, it's not nearly as bad as some people make it out to be.

At first glance the problem looks like a bad one. With it, a user who is allowed to use sudo to run commands as any other user except root can still use it to run root commands. For this to happen, several things must be set up just wrong.

First, the sudoers configuration must give a user the right to use sudo without giving the privilege of using it to run root commands. That can happen when you want a user to have the right to run specific commands that they wouldn't normally be able to use. Next, sudo must be configured to allow a user to run commands as an arbitrary user via the ALL keyword in a Runas specification.

Potential bypass of Runas user restrictions

  • Potential bypass of Runas user restrictions

    When sudo is configured to allow a user to run commands as an arbitrary user via the ALL keyword in a Runas specification, it is possible to run commands as root by specifying the user ID -1 or 4294967295.

    This can be used by a user with sufficient sudo privileges to run commands as root even if the Runas specification explicitly disallows root access as long as the ALL keyword is listed first in the Runas specification.

    Log entries for commands run this way will list the target user as 4294967295 instead of root. In addition, PAM session modules will not be run for the command.
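A defender-side check for the two facts in the advisory above (ALL listed first in a Runas specification, and log entries naming the target user as 4294967295), as an added Python example that is not part of the advisory or of the sudo project. The sudoers lines and log lines are constructed samples, and the exact layout of the sudo log line is assumed.

```python
import re

# Constructed sudoers sample (not from the advisory).
SUDOERS_SAMPLE = """\
# Affected pattern: ALL listed first, root excluded afterwards
alice   ALL=(ALL, !root) /usr/bin/vim
# Safer: enumerate the permitted target users instead of ALL
bob     ALL=(www-data, postgres) /usr/bin/systemctl
# No Runas spec at all: commands run as root by design, nothing to bypass
carol   ALL=/usr/bin/apt
"""

# user  host=(runas_spec) command
RUNAS_RE = re.compile(r'^\s*(\S+)\s+\S+=\(([^)]*)\)')

def vulnerable_runas_specs(sudoers_text):
    """Return (user, runas_spec) pairs whose Runas user list starts with ALL.
    Per the advisory the bypass only applies when ALL is listed first; a
    later !root entry does not help on an unpatched sudo."""
    hits = []
    for line in sudoers_text.splitlines():
        if not line.strip() or line.lstrip().startswith('#'):
            continue
        m = RUNAS_RE.match(line)
        if not m:
            continue
        user, spec = m.group(1), m.group(2)
        # A Runas spec may read "users : groups"; only the user part matters here
        users = [u.strip() for u in spec.split(':')[0].split(',')]
        if users and users[0] == 'ALL':
            hits.append((user, spec))
    return hits

# Constructed syslog-style sudo entries; the field layout is an assumption.
# The advisory says an abused entry names the target user 4294967295.
SUDO_LOG_SAMPLE = """\
Oct 14 10:00:01 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=#4294967295 ; COMMAND=/usr/bin/vim /etc/motd
Oct 14 10:01:12 host sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=www-data ; COMMAND=/usr/bin/systemctl status nginx
Oct 14 10:02:30 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=#-1 ; COMMAND=/usr/bin/id
"""

LOG_RE = re.compile(r'sudo:\s+(\S+) : .*?USER=(\S+) ; COMMAND=(.*)$')
BYPASS_IDS = {'-1', '4294967295'}   # the two spellings named in the advisory

def suspicious_sudo_entries(log_text):
    """Return (invoker, logged_target, command) for entries whose target
    user is the -1 / 4294967295 id rather than a real account name."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        invoker, target, cmd = m.groups()
        if target.lstrip('#') in BYPASS_IDS:   # sudo prefixes unresolved ids with '#'
            hits.append((invoker, target, cmd))
    return hits

if __name__ == '__main__':
    for user, spec in vulnerable_runas_specs(SUDOERS_SAMPLE):
        print(f'Runas spec for {user} lists ALL first: ({spec})')
    for invoker, target, cmd in suspicious_sudo_entries(SUDO_LOG_SAMPLE):
        print(f'{invoker} ran {cmd!r} with target user {target}')
```

On a patched sudo the Runas check still points at configurations worth tightening, while the log check catches earlier abuse that a PAM session audit would have missed.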

Linux Sudo bug opens root access to unauthorized users

  • Linux Sudo bug opens root access to unauthorized users

    Sudo, the main command in Linux that allows users to run tasks, has been found to have a vulnerability that allows unauthorized users to execute commands as a root user.

    The vulnerability, known as CVE-2019-14287, does require a nonstandard configuration but nonetheless does open the door to unauthorized users.

    The vulnerability allows users to bypass the nonroot restriction by simply using -u#-1 in the command line. As The Hacker News described it Monday, the sudo security policy bypass issue allows “a malicious user or a program to execute arbitrary commands as root on a targeted Linux system even when the ‘sudoers configuration’ explicitly disallows the root access.”

More Sudo Coverage

  • One of Linux's most important commands had a glaring security flaw
  • Sudo Vulnerability

    ‘sudo’ is one of the most useful Linux/UNIX commands that allows users without root privileges to manage administrative tasks. However, a new vulnerability was discovered in the sudo package that gives users root privileges.

    “When sudo is configured to allow a user to run commands as an arbitrary user via the ALL keyword in a Runas specification, it is possible to run commands as root by specifying the user ID -1 or 4294967295,” according to the sudo advisory.

  • Linux/Unix exploit allows some restricted commands to be run as root without clearance

    The 'sudo' keyword in Unix and Linux allows users to execute certain commands with special-access privileges that cannot otherwise run on a given machine by a user with a lower level of clearance. Unsurprisingly, it is one of the most important commands in the entire Linux/Unix ecosystem, one that can substantially compromise the device's security if it is exploited.

    One such exploit/bug was discovered by Joe Vennix from Apple Information Security. The vulnerability has been titled CVE-2019-14287 in the Common Vulnerabilities and Exposure database. As stated before, 'sudo' lets you run commands that cannot otherwise be run by normal users on the machine. With CVE-2019-14287, you could circumvent this by simply changing the user ID to -1 or 4294967295 with the 'sudo' command. That means that by spoofing their identity, any user could execute restricted commands on the machine.

Big security flaw in Linux sudo command

  • Big security flaw in Linux sudo command

    Apple security researcher Joe Vennix has found a security bug in the important sudo command in Linux.

    The sudo command, which is short for “super user do”, is widely used in various Linux distributions to separate administrator-level permissions from ordinary system users.

    When installing programs, for instance, you would typically use the sudo command. Using sudo in front of any command or program causes it to be run as the administrator, or “root” user.

Security Flaw in Sudo...

  • Security Flaw in Sudo allows Users to Run Commands on Linux Systems

    Security researchers discovered a security bypass vulnerability in one of the most widely used Linux commands, Sudo.

    According to researcher Joe Vennix, who discovered the vulnerability, the Sudo security bypass flaw can allow a malicious user to run random commands as root on a targeted Linux system. The researcher stated the vulnerability, named CVE-2019-14287, works even when the Sudoers configuration forbids root access.

    Sudo, which stands for Superuser Do, is one of the most important and commonly used utilities that comes as a core command, installed on almost every UNIX and Linux-based operating system.

'Serious' Linux Sudo Bug's Damage Potential

  • 'Serious' Linux Sudo Bug's Damage Potential Actually May Be Small

    Developers have patched a vulnerability in Sudo, a core command utility for Linux, that could allow a user to execute commands as a root user even if that root access was specifically disallowed.

    The patch prevents potential serious consequences within Linux systems. However, the Sudo vulnerability posed a threat only to a narrow segment of the Linux user base, according to Todd Miller, software developer and senior engineer at Quest Software and a maintainer of the open source Sudo project.

    "Most Sudo configurations are not affected by the bug. Non-enterprise home users are unlikely to be affected at all," he told LinuxInsider.

Linux Sudo Bug Lets Non-Privileged Users To Run Commands As Root

More Linux Bug

  • Linux Sudo bug could allow hackers root access

    Security researchers have discovered a bug in Sudo that enables hackers to execute commands as root on a Linux system when the "sudoers configuration" explicitly disallows the root access.

    Sudo is a powerful utility that is installed on virtually every Unix and Linux system; it enables certain users or groups to execute commands in the context of any other user – including as root – without having to log in as a different user.

    Exploiting the vulnerability requires the user to have Sudo privileges that allow them to run commands with an arbitrary user ID, except root. This vulnerability has been assigned CVE-2019-14287 in the Common Vulnerabilities and Exposures database.

  • Linux Wi-Fi bug leaves systems vulnerable to forced crashes and full control by hackers

    A vulnerability has been discovered in the RTLWIFI driver, which is used to support Realtek Wi-Fi chips on Linux systems. A flaw in the driver could be exploited to either crash your device, or even allow an attacker to take full control of your system.

    The bug has been around for at least four years, and is described as 'serious' by security experts. It has been assigned CVE-2019-17666, and while a fix has been proposed, it's yet to be incorporated into the Linux kernel.

Four-Year-Old Critical Linux Wi-Fi Bug Allows System Compromise

  • Four-Year-Old Critical Linux Wi-Fi Bug Allows System Compromise

    A critical Linux bug has been discovered that could allow attackers to fully compromise vulnerable machines. A fix has been proposed but has not yet been incorporated into the Linux kernel.

    The flaw (CVE-2019-17666), which was classified as critical in severity, exists in the “rtlwifi” driver, which is a software component used to allow certain Realtek Wi-Fi modules, used in Linux devices, to communicate with the Linux operating system.

    Specifically, the driver is vulnerable to a buffer overflow attack, where a buffer (a region in physical memory storage used to temporarily store data while it is being moved) is allocated in the heap portion of memory (a region of a process’s memory which is used to store dynamic variables). That excess data in turn corrupts nearby space in memory and could alter other data, opening the door for malicious attacks. This specific flaw could enable attackers to launch a variety of attacks – from crashing vulnerable Linux machines to full takeover.

"Driver checks whether the card is currently connected in p2p"

  • This Week In Security: A Digital Café Américain, The Linux Bugs That Weren't, The Great Nation, And More

    A problem in sudo was disclosed this week, that allowed users to run commands as root even when they don’t have permission to do so. Sudo allows a user to specify a numeric user ID instead of a username. It was discovered that specifying -1 as the user did something unexpected: it failed. Trying to switch to user -1 fails, but sudo runs the rest of the command anyway, as root instead of user -1. I was excited to test this simple vulnerability on a slightly out-of-date system. I created an unprivileged user, ran the sudo command, and got the expected security error, but no root access.

    [...]

    In some ways a similar story, a problem in the Linux Kernel’s Realtek driver was found on Monday. At first glance, it’s another terrifying vulnerability that affects every Linux user with a Realtek wireless card. It appears to be a standard buffer overflow, where the length of a field is checked in one way, but not checked to be under the maximum length. A longer than expected data field will overflow the buffer and cause problems. A code execution exploit has not yet been discovered, but it’s likely to be eventually found.

    The catch with this bug is that before the vulnerable code is called, the driver checks whether the card is currently connected in p2p mode. Here’s the check in question if you’re interested. This means that rather than being vulnerable to attack any time your Realtek is powered on, you aren’t actually at risk unless you’re talking to another device using the p2p WiFi mode. In all the Linux WiFi work I’ve done over the years, I don’t think I’ve ever used p2p mode on a wireless card under Linux.

  • A Linux Bug Can Be Exploited To Hack Systems Using Wi-Fi Signals

    An unpatched bug in Linux systems could be exploited to crash the entire operating system, even worse, gain control of the system via nearby devices using Wi-Fi signals.

    The flaw stems from the RTLWIFI driver that supports Realtek Wi-Fi chips in Linux systems. The driver flaw can be activated as soon as the affected device is brought within the radio range of a malicious device.

  • Unpaired Linux bug can open devices for serious attacks via Wi-Fi

    The vulnerability is tracked as CVE-2019-17666. Linux developers suggested a fix on Wednesday that is likely to be included in the OS kernel in the coming days or weeks. Only then will the fix find its way to various Linux distributions.

    [...]

    The article notes that the error "cannot be activated if Wi-Fi is disabled or if the device uses a Wi-Fi chip from another manufacturer."

Patch Awaited For A Critical Four-Year-Old Linux WiFi...

  • Patch Awaited For A Critical Four-Year-Old Linux WiFi Vulnerability

    Linux users unknowingly remained vulnerable to a serious security flaw for almost four years. Recently, a researcher highlighted a critical Linux WiFi vulnerability that could allow system compromise. The bug existed for four years and still awaits a patch.

    Reportedly, there is a security vulnerability affecting millions of Linux users. The vulnerability primarily affects the Realtek driver (rtlwifi) allowing an adversary to compromise the targeted system. As discovered by the researcher Nico Waisman, the Linux WiFi vulnerability existed for about four years.

Linux Could Open The Door To Serious Attacks Over Wifi Signals

  • Linux Could Open The Door To Serious Attacks Over Wifi Signals

    A potentially severe vulnerability in Linux might make it possible for nearby devices to use Wi-Fi signals to crash or fully compromise vulnerable machines, a security researcher said.

    The flaw is situated within the RTLWIFI driver, which is used to support Realtek Wi-Fi chips in Linux devices. The vulnerability triggers a buffer overflow in the Linux kernel when a machine with a Realtek Wi-Fi chip is within radio range of a malicious device. At a minimum, exploits would cause an operating-system crash and could possibly allow a hacker to gain full control of the computer. The flaw dates back to version 3.10.1 of the Linux kernel, released in 2013.

    The vulnerability is tracked as CVE-2019-17666. Linux developers proposed a fix that will likely be included in the OS kernel within the coming days or weeks. Only after that can the fix make its way into various Linux distributions.

More of this FUD

  • Linux Could Open The Door To Serious Attacks Over Wifi Signals [Ed: This FUD came from a Microsoft employee and was initially spread by a site where Microsoft employed convicted people to attack Linux and FOSS. This is false, It’s FUD. Nobody enables P2P mode. Almost nobody.]

More in Tux Machines

Programming: DevNation, Python, RcppAnnoy and More

  • Plumbing Kubernetes CI/CD with Tekton

    Our first DevNation Live regional event was held in Bengaluru, India in July. This free technology event focused on open source innovations, with sessions presented by elite Red Hat technologists. In this session, Kamesh Sampath introduces Tekton, which is the Kubernetes-native way of defining and running CI/CD. Sampath explores the characteristics of Tekton—cloud-native, decoupled, and declarative—and shows how to combine various building blocks of Tekton to build and deploy a cloud-native application.

  • Coverage 5.0 beta 1

    I want to finish coverage.py 5.0. It has some big changes, so I need people to try it and tell me if it’s ready. Please install coverage.py 5.0 beta 1 and try it in your environment. I especially want to hear from you if you tried the earlier alphas of 5.0. There have been some changes in the SQLite database that were needed to make measurement efficient enough for large test suites, but that hinder ad-hoc querying.

  • How to get current date and time in Python?

    In this article, you will learn to get today's date and current date and time in Python. We will also format the date and time in different formats using strftime() method. There are a number of ways you can take to get the current date. We will use the date class of the datetime module to accomplish this task.

  • RcppAnnoy 0.0.14

    A new minor release of RcppAnnoy is now on CRAN, following the previous 0.0.13 release in September. RcppAnnoy is the Rcpp-based R integration of the nifty Annoy library by Erik Bernhardsson. Annoy is a small and lightweight C++ template header library for very fast approximate nearest neighbours—originally developed to drive the famous Spotify music discovery algorithm. This release once again allows compilation on older compilers. The 0.0.13 release in September brought very efficient 512-bit AVX instruction to accelerate computations. However, this could not be compiled on older machines so we caught up once more with upstream to update to conditional code which will fall back to either 128-bit AVX or no AVX, ensuring buildability “everywhere”.

  • The Royal Mint eyes fresh IT talent to power digital drive

    The Royal Mint has been manufacturing coins for 1,100 years, originally from the Tower of London and, since 1967, from its current site in South Wales. Today, it is the world’s largest export mint, printing 3.3 billion coins and blanks a year, and now is looking to expand its digital reach to serve retail customers online.

  • Google plans to give slow websites a new badge of shame in Chrome

    A new badge could appear in the future that’s designed to highlight sites that are “authored in a way that makes them slow generally.” Google will look at historical load latencies to figure out which sites are guilty of slow load times and flag them, and the Chrome team is also exploring identifying sites that will load slowly based on device hardware or network connectivity.

  • Moving towards a faster web

    In the future, Chrome may identify sites that typically load fast or slow for users with clear badging. This may take a number of forms and we plan to experiment with different options, to determine which provides the most value to our users.

    Badging is intended to identify when sites are authored in a way that makes them slow generally, looking at historical load latencies. Further along, we may expand this to include identifying when a page is likely to be slow for a user based on their device and network conditions.

  • The Maturing of QUIC

    QUIC continues to evolve through a collaborative and iterative process at the IETF — of adding features, implementing them, evaluating them, reworking or discarding them because they don’t stand up to continued scrutiny, and refining them. And in doing so, QUIC has matured in more ways than we imagined, yielding a protocol that is remarkably different and substantially better than it was in the beginning. So, keeping your arms and legs inside the ride at all times, let us take you on this journey of how QUIC has gone from an early experiment to a standard poised to modernize the [Internet].

  • HEADS UP: ntpd changing [in OpenBSD]

    Probably after 6.7 we'll delete the warning. Maybe for 6.8 we'll remove -s and -S from getopt, and starting with those options will fail.

today's howtos

"Wireshark For The Terminal" Termshark 2.0 Adds Stream Reassembly, Piped Input And Dark Mode

Termshark, a Wireshark-like terminal interface for TShark written in Go, was updated to version 2.0.0. This release includes support for dark mode, piped input, and stream reassembly, as well as performance optimizations that make the tool faster and more responsive.

Red Hat Leftovers

  • GitHub report surprises, serverless hotness, and more industry trends

    Now, let's discuss how developers can use Quarkus to bring Java into serverless, a place where previously, it was unable to go. Quarkus introduces a comprehensive and seamless approach to generating an operating system specific (aka native) executable from your Java code, as you do with languages like Go and C/C++. Environments such as event-driven and serverless, where you need to start a service to react to an event, require a low time-to-first-response, and traditional Java stacks simply cannot provide this. Knative enables developers to run cloud-native applications as serverless containers in seconds and the containers will go down to zero on demand. In addition to compiling Java to Knative, Quarkus aims to improve developer productivity. Quarkus works out of the box with popular Java standards, frameworks and libraries like Eclipse MicroProfile, Apache Kafka, RESTEasy, Hibernate, Spring, and many more. Developers familiar with these will feel at home with Quarkus, which should streamline code for the majority of common use cases while providing the flexibility to cover others that come up.

  • When Quarkus Meets Knative Serverless Workloads

    Daniel Oh is a principal technical product marketing manager at Red Hat and works CNCF ambassador as well. He's well recognized in cloud-native application development, senior DevOps practices in many open source projects and international conferences.

  • Making things Go: Command Line Heroes draws infrastructure

    Most of our episodes feature languages that have clear arcs. "The Infrastructure Effect" was different. By all accounts, COBOL is a language heading the way of Latin. There are only a few specialists who are proficient COBOL coders. But it’s still vital to many long-lasting institutions that affect millions: the banking industry, the IRS, and manufacturing. And the world of tech infrastructure is moving on—to Go. Where does that leave COBOL in the next few years? And how do you tease all of that in an image? We had to decide what visual themes could we use to depict each language—and then, how to combine them into a single, coherent frame. COBOL and Go have a similar function, so we wanted to make sure each language had clear, distinct imagery. We decided to rely on some of their real-world applications: the bank and subways for COBOL, and the cloud-based applications for Go.

  • Using the Red Hat OpenShift tuned Operator for Elasticsearch

    I recently assisted a client to deploy Elastic Cloud on Kubernetes (ECK) on Red Hat OpenShift 4.x. They had run into an issue where Elasticsearch would throw an error similar to: Max virtual memory areas vm.max_map_count [65530] likely too low, increase to at least [262144] According to the official documentation, Elasticsearch uses a mmapfs directory by default to store its indices. The default operating system limits on mmap counts are likely to be too low, which may result in out of memory exceptions. Usually, administrators would just increase the limits by running: sysctl -w vm.max_map_count=262144 However, OpenShift uses Red Hat CoreOS for its worker nodes and, because it is an automatically updating, minimal operating system for running containerized workloads, you shouldn’t manually log on to worker nodes and make changes. This approach is unscalable and results in a worker node becoming tainted. Instead, OpenShift provides an elegant and scalable method to achieve the same via its Node Tuning Operator.

  • bcc-tools brings dynamic kernel tracing to Red Hat Enterprise Linux 8.1

    In Red Hat Enterprise Linux 8.1, Red Hat ships a set of fully supported on x86_64 dynamic kernel tracing tools, called bcc-tools, that make use of a kernel technology called extended Berkeley Packet Filter (eBPF). With these tools, you can quickly gain insight into certain aspects of system performance that would have previously required more time and effort from the system and operator. The eBPF technology allows dynamic kernel tracing without requiring kernel modules (like systemtap) or rebooting of the kernel (as with debug kernels). eBPF accomplishes this while maintaining minimal overhead for each trace point, making these tools an ideal way to instrument running kernels in production.

  • What open communities teach us about empowering customers

    When it comes to digital transformation, businesses seem to be on the right track improving their customers' experiences through the use of technologies. Today, so much digital transformation literature describes the benefits of "delivering new value to customers" or "delivering value to customers in new ways."