Feb 10 · 3 min read
By: Emily Nardone
News broke this week that Linux (and macOS) has been hit with a serious bug in the sudo utility. The bug was discovered by Apple security researcher Joe Vennix, who also discovered a similar buffer overflow bug in sudo back in October 2019. It allows unprivileged users to easily obtain root privileges on vulnerable systems. This is a big threat for Linux systems: although they are historically very secure, with very few loopholes for infiltrating them, this bug opens one.
Wondering if this will affect your systems? If you are still running sudo v1.8.30 or older, you should update immediately, since that means your systems are vulnerable. Fortunately, most Linux distributions don’t enable the pwfeedback option (described below) by default and thus aren’t vulnerable – server distros in particular are probably not at risk. Two distros that do enable it by default are Linux Mint and elementary OS (often run on desktops), so if you are running one of those, pay particular attention to your sudo version.
In general, if you have the most up-to-date version of sudo, you are most likely not at risk, since Linux and macOS have both already patched the bug.
Insight into the sudo command
The sudo command is a tool that grants users certain permissions above their normal level. The name originally stood for “superuser do”, since sudo lets you run programs with the privileges of another user, by default the root user, also called the “superuser.” That includes root access, so a piece of malware or a user without the correct permissions that can abuse sudo could gain root access and infiltrate the system.
The Dangers of Unauthorized Root Access
In short, an unauthorized user with root access can infiltrate your entire device and take advantage of anything available on it. A user gaining root access is a high-risk event, which is why on Linux systems admins tend to restrict direct root access and use sudo instead. The sudo command grants root-level permissions to execute specific commands without knowing the root password, preventing an unauthorized process from infiltrating the system and taking over access completely.
The sudo approach does not wipe out all potential threats. Admins with sudo access can use root-level permissions to carry out unrelated tasks that are difficult for security teams to detect. Sudo is essential for admins to do their jobs, but they have to be trusted at a high level to be allowed to use it.
How the new sudo vulnerability works: buffer overflow
There’s a feature in the sudo command (which is not enabled by default) called pwfeedback. When this feature is enabled, it shows a visual cue (an asterisk, “*”, for each character typed) to help the user input their password before sudo evaluates its policies and executes the command. In the sudo -l output below, pwfeedback appears among the Defaults entries for the user:
    Matching Defaults entries for phil on linux-build:
        insults, pwfeedback, mail_badpass, mailerpath=/usr/sbin/sendmail
    User phil may run the following commands on linux-build:
        (ALL : ALL) ALL

The vulnerability discovered in CVE-2019-18634 allows privilege escalation and bypasses policies through a buffer overflow that occurs when large enough input is passed to the sudo command.

    $ perl -e 'print(("A" x 100 . chr(0)) x 50)' | sudo -S -k id
    Password: Segmentation fault (core dumped)
By overflowing the input, the sudo command faults and can unexpectedly revert to the root user, potentially escalating the user’s privileges beyond the policies defined in the sudoers file.
Keep sudo safe with Cmd
So here’s what you need to know to make sure you have the most up-to-date sudo. On Linux systems, make sure you are running sudo v1.8.31 or later. For Apple operating systems you’ll need macOS High Sierra 10.13.6, Mojave 10.14.6, or Catalina 10.15.2.
One of the big benefits of using Cmd to protect your Linux systems is that even if an unauthorized individual does acquire root access, you can still create guardrails that restrict their behavior and visibility. For example, imagine requiring third-party approval for any access to a customer database – even as a root user. Cmd can do this, requiring users of any privilege level to get authorized over Slack or another popular communications system.
Cmd also lets you monitor the sudoers file and generate an alert any time it gets changed. An attacker could use another exploit to gain a limited form of root access – just enough to write to the sudoers file – at which point they could enable pwfeedback and then exploit it again to open a full root shell. You have to admit – it’d be nice to be alerted if any of those steps happened.
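The three checks the post asks for (is sudo at least 1.8.31, is pwfeedback turned on in a Defaults line, and has a sudoers file changed since a known baseline) fit in one small POSIX shell script. This is an added example, not code from the post, from Cmd, or from the sudo project; the function names, the SUDOERS_BASELINE variable and the fingerprint scheme are this example's own choices, and the live section at the end assumes a Linux host where /etc/sudoers is readable (normally only as root).

```shell
#!/bin/sh
# Added example (not from the Cmd post or the sudo project): defender-side checks
# for CVE-2019-18634. Function names and SUDOERS_BASELINE are this example's choices.

# Pull "1.8.30" or "1.8.31p1" out of the first line of `sudo -V` ("Sudo version ...").
extract_sudo_version() {
    printf '%s\n' "$1" | sed -n 's/^Sudo version \([0-9][0-9.]*[a-z0-9]*\).*/\1/p'
}

# Succeed (exit 0) when the version is older than 1.8.31, the first fixed release.
sudo_needs_update() {
    base=${1%%p*}                       # drop a "p<n>" patch-level suffix
    major=${base%%.*}; rest=${base#*.}
    [ "$rest" = "$base" ] && rest=0     # bare "1" has no minor component
    minor=${rest%%.*}; patch=${rest#*.}
    [ "$patch" = "$rest" ] && patch=0   # "1.9" has no third component
    # compare as one integer: 1.8.30 -> 1008030, 1.8.31 -> 1008031
    num=$(( major * 1000000 + minor * 1000 + patch ))
    [ "$num" -lt 1008031 ]
}

# Succeed when sudoers text on stdin turns pwfeedback on in a Defaults line
# (including per-user "Defaults:name" lines). Comment lines and an explicit
# "!pwfeedback" do not count.
sudoers_enables_pwfeedback() {
    grep -v '^[[:space:]]*#' | grep '^[[:space:]]*Defaults' |
        grep -Eq '(^|[[:space:],])pwfeedback([[:space:],]|$)'
}

# SHA-256 of stdin with whichever tool the host has (GNU coreutils or shasum).
sha256_stdin() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum; else shasum -a 256; fi | cut -d' ' -f1
}

# One fingerprint over every sudoers file given, in argument order, so a change to
# any of them (or a file added under /etc/sudoers.d) changes the result.
sudoers_fingerprint() {
    for f in "$@"; do
        printf '== %s\n' "$f"
        cat "$f" 2>/dev/null || true    # a vanished file still alters the fingerprint
    done | sha256_stdin
}

# Succeed when the current fingerprint differs from a stored baseline.
sudoers_changed() {
    baseline=$1; shift
    [ "$(sudoers_fingerprint "$@")" != "$baseline" ]
}

# ---- live check of this host (skipped when sudo is not installed) ----
if command -v sudo >/dev/null 2>&1; then
    ver=$(extract_sudo_version "$(sudo -V 2>/dev/null | head -n 1)")
    if [ -z "$ver" ]; then
        echo "could not read the sudo version"
    elif sudo_needs_update "$ver"; then
        echo "sudo $ver is older than 1.8.31: update it"
    else
        echo "sudo $ver is 1.8.31 or later"
    fi
    if [ -r /etc/sudoers ]; then
        # /etc/sudoers.d/* is pulled in by the includedir directive, so check it too
        for f in /etc/sudoers /etc/sudoers.d/*; do
            [ -f "$f" ] && sudoers_enables_pwfeedback <"$f" && echo "WARNING: pwfeedback enabled in $f"
        done
        # Drift detection: export SUDOERS_BASELINE=<fingerprint> once, then rerun to alert.
        # For a kernel-level watch use auditd: auditctl -w /etc/sudoers -p wa -k sudoers_change
        if [ -n "${SUDOERS_BASELINE:-}" ] && sudoers_changed "$SUDOERS_BASELINE" /etc/sudoers /etc/sudoers.d/*; then
            echo "ALERT: sudoers files changed since baseline $SUDOERS_BASELINE"
        else
            echo "sudoers fingerprint: $(sudoers_fingerprint /etc/sudoers /etc/sudoers.d/*)"
        fi
    else
        echo "/etc/sudoers not readable (run as root to inspect it)"
    fi
fi
```

Run it as root from cron or a configuration-management job; the first run prints the fingerprint to store in SUDOERS_BASELINE, and later runs alert when any sudoers file differs, which is exactly the "write to sudoers, enable pwfeedback" step described above. The version comparison deliberately strips the "p<n>" suffix so 1.8.31p1 is recognised as fixed, and the pwfeedback check ignores commented-out and negated entries so it does not alert on hardening.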
Interested in learning more about our product? Request a demo