Nine Year Old Bug Found and Fixed in Sudo

By

A bug that has been lurking in the sudo package for nine years has finally been patched.

Sudo is found in most Linux distributions and is responsible for elevating privileges for users, such that they can perform admin tasks. Recently it was discovered that a buffer-overflow bug had been in hiding for nine years. This bug (CVE-2019-18634, which has existed in sudo versions 1.7.1 through 1.8.25p1) can be triggered when an administrator or a downstream distribution (such as any based on Debian/Ubuntu) enables the pwfeedback option in the /etc/sudoers file. Once pwfeedback is enabled, the vulnerability can be exploited by any user on the system (even those not listed in the sudoers file).

The pwfeedback option is used to hash passwords when you type them (so the irony of this feature being a security vulnerability cannot be missed). 

There are two bits of good news on this front. First and foremost, the vulnerability has been patched. So long as you’ve updated sudo to any version beyond 1.8.25p1, you’re safe. The second bit of news is that, even if you’ve not updated, pwfeedback isn’t enabled by default in most distributions. Issue the command sudo -l to see if pwfeedback is listed among the enabled options. If not, you’re good to go. If you do see pwfeedback in the output of the command, upgrade sudo immediately and consider disabling the option.

02/10/2020
comments powered by Disqus