Are you running Linux servers? Do you rely on sudo for managing user privileges? If so, you need to read this urgent security alert! Two critical vulnerabilities have been discovered in sudo, potentially allowing attackers to gain root access to your systems. These bugs are serious, impacting a wide range of sudo versions.
Table of Contents
What is Sudo?
Sudo (superuser do) is a vital program on Unix-like operating systems, like Linux. It allows a permitted user to execute commands as another user, typically the root user, following a set of security policies defined in the sudoers file.
It's a key tool for managing privileges and enhancing security in multi-user environments, providing granularity in privilege granting and auditing logs.
The Chroot Option Vulnerability (CVE-2025-32463)
This vulnerability affects sudo versions 1.9.14 to 1.9.17 inclusive. The sudo -R (--chroot) option is designed to let users run commands within a user-selected root directory, if allowed by the sudoers file.
How Attackers Exploit It
A change introduced in sudo 1.9.14 had an unintended side effect. An attacker can trick sudo into loading an arbitrary shared library. This is done by creating a malicious /etc/nsswitch.conf file inside their chosen root directory.
The result? The attacker can run arbitrary commands as root, even if they are not specifically listed in the sudoers file to do so.
This means if your system supports /etc/nsswitch.conf, you are at risk. This critical bug was fixed in sudo 1.9.17p1.
The chroot feature has also been marked as deprecated and will be removed in future releases because it's prone to errors.
The Host Option Vulnerability (CVE-2025-32462)
This second critical flaw impacts an even broader range of sudo versions: 1.8.8 to 1.9.17 inclusive. The sudo -h (--host) option is meant to be used only with the list option (-l or --list) to check user privileges on a different host.
How Attackers Exploit It
Due to a bug, the -h option was not properly restricted. It could be used when running a command via sudo or editing a file with sudoedit. Effectively, this bug makes the hostname part of a sudoers rule irrelevant.
Consider this example: if a sudoers rule states sk ostechnix = ALL, user sk should only run commands as root on the host named ostechnix.
However, with this vulnerability, sk could run sudo -h ostechnix id on any host and gain root privileges. While the user still needs to be listed in the sudoers file, they no longer need an entry specifically for the current host.
This vulnerability particularly affects organisations that distribute a common sudoers file to multiple machines, or those using LDAP-based sudoers (including SSSD). Like the chroot bug, this issue was also fixed in sudo 1.9.17p1.
The Fix: Update Your Sudo Now!
Both vulnerabilities were reported and analysed by Rich Mirch from Stratascale Cyber Research Unit (CRU). Stratascale has published advisories on these issues.
The most important step you can take is to update your sudo package to version 1.9.17p1 or newer immediately.
- On systems like Ubuntu, automatic security updates are often enabled by default via
unattended-upgrades. These should include these critical fixes. However, updates might be staggered. It's always best to manually verify your sudo version. - For Debian users,
sudois not preinstalled by default if you set a root password during installation. If you didn't set a root password,sudois installed. Debian also offersunattended-upgradesfor security fixes. The fixed version for Debian Bookworm (Debian 12) is 1.9.13p3-1+deb12u2.
Beyond the Update: General Security Practices
- Minimise Attack Surface: Installing packages you don't truly need can increase your system's attack surface. While
sudois often highly beneficial, especially in multi-user setups, consider if it's strictly necessary for single-user systems where directrootlogin might suffice for certain use cases. - Run Services as Non-Root Users: Always ensure your web servers and other services run as dedicated, unprivileged users, not as root. This limits potential damage if a service is compromised.
- Consider Alternatives: For simpler needs, doas (from OpenBSD) is often cited as a lightweight alternative to
sudo.
Don't delay! Check your sudo version today and ensure your systems are protected from these critical privilege escalation vulnerabilities. Stay safe, stay updated!
For more details, check the following links:
