Sudo, one of the most important, powerful and commonly used utilities, installed as a core command on almost every UNIX and Linux-based operating system, has been found to have a vulnerability.
The vulnerability is a sudo security policy bypass that lets a malicious user or program execute arbitrary commands as root on a targeted Linux system even when the sudoers configuration explicitly disallows root access.
Sudo, which stands for "superuser do," is a system command that allows a user to run applications or commands with the privileges of a different user without switching environments, most often to run commands as the root user.
On most Linux distributions, the ALL keyword in the Runas specification of the /etc/sudoers file allows all users in the admin or sudo groups to run any command as any valid user on the system by default.
Since privilege separation is one of the fundamental security paradigms in Linux, administrators can configure a sudoers file to define which users can run which commands as which users.
Even if a user has been restricted to running a specific command as root, the vulnerability lets that user bypass this security policy and take complete control of the system.
According to the Sudo developers, the flaw can be used by a user with sufficient sudo privileges to run commands as root even if the Runas specification explicitly disallows root access, as long as the ALL keyword is listed first in the Runas specification.
The vulnerability, tracked as CVE-2019-14287, was discovered by Joe Vennix of Apple Information Security. It is all the more concerning because sudo is designed to let users enter their own login password to execute commands as a different user, without requiring that user's password.
This flaw can be exploited by an attacker to run commands as root just by specifying the user ID "-1" or "4294967295." This is because the function that converts a user ID into its username incorrectly treats -1, or its unsigned equivalent 4294967295, as 0, which is always the user ID of the root user.
Besides, because the user ID specified via the -u option does not exist in the password database, no PAM session modules are run.
The vulnerability affects all Sudo versions prior to the latest release, 1.8.28; Linux distributions are expected to roll the fix out to their users as an update soon.
All Linux users are strongly advised to update the sudo package to the latest version as soon as it is available.
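To turn the two conditions above into something an administrator can check, here is an added audit script (example code, not from the article or the sudo project). It covers both the policy condition (ALL listed first in the Runas specification, followed by a negated user) and the version condition (anything below 1.8.28). The sudoers text it scans is a constructed sample embedded in the script; on a real host you would feed it /etc/sudoers and the files under /etc/sudoers.d instead. The function names, the sample policy and the `-V` parsing are assumptions of this example.

```shell
#!/bin/sh
# Audit helpers for CVE-2019-14287 (added example, not the sudo project's code).
# Two checks a defender can run on a host:
#   1. Is the installed sudo older than 1.8.28, the first fixed release?
#   2. Does the sudoers policy contain a Runas specification of the form the
#      advisory describes: ALL listed first, then a negated user, e.g. "(ALL, !root)"?

# Return 0 (true) when VERSION is below 1.8.28. A trailing patch suffix such as
# "p1" in "1.8.27p1" is dropped because it never raises the base version.
sudo_version_is_vulnerable() {
    v=${1%%p*}
    maj=${v%%.*}
    rest=${v#*.}
    [ "$rest" = "$v" ] && rest=0        # no dot at all: treat as X.0.0
    min=${rest%%.*}
    pat=${rest#*.}
    [ "$pat" = "$rest" ] && pat=0       # no patch component: treat as X.Y.0
    [ "$maj" -lt 1 ] && return 0
    [ "$maj" -gt 1 ] && return 1
    [ "$min" -lt 8 ] && return 0
    [ "$min" -gt 8 ] && return 1
    [ "$pat" -lt 28 ]
}

# Print every non-comment line of the sudoers text read on stdin whose Runas
# user list starts with ALL and then negates a user ("(ALL, !root)" and
# similar). Files pulled in via #include / #includedir start with '#' and are
# skipped here, so scan each of them separately.
find_vulnerable_runas() {
    grep -v '^[[:space:]]*#' | grep -E '\([[:space:]]*ALL[[:space:]]*,[[:space:]]*!'
}

# Number of matching lines, as a bare integer.
count_vulnerable_runas() {
    find_vulnerable_runas | wc -l | tr -d ' '
}

# Constructed sample policy (not from any real host) used to exercise the scan.
# Only alice's entry has ALL first followed by a negation; carol's negates root
# but lists a specific user first, and bob's has no negation at all.
SAMPLE_SUDOERS='root    ALL=(ALL:ALL) ALL
# ops staff may edit files as anyone except root
alice   ALL=(ALL, !root) /usr/bin/vim
bob     ALL=(ALL) NOPASSWD: /usr/bin/id
carol   ALL=(www-data, !root) /usr/bin/less'

# On a live host (not executed here): the first line of `sudo -V` reads
# "Sudo version X.Y.Z", and /etc/sudoers is readable only by root.
#   sudo_version_is_vulnerable "$(sudo -V | sed -n '1s/^Sudo version //p')" && echo "update sudo"
#   find_vulnerable_runas < /etc/sudoers        # run as root

printf '%s\n' "$SAMPLE_SUDOERS" | find_vulnerable_runas
```

Run as-is, the script prints the single alice line from the constructed sample. Any line it reports on a real host marks an entry that the bypass could turn into root access until the package is updated to 1.8.28 or later.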