Flaw affecting selected sudo versions is easy for unprivileged users to exploit.
The sudo version history shows that the vulnerability was introduced in 2009 and remained active until 2018, with the release of 1.8.26b1. Systems or software using a vulnerable version should move to version 1.8.31 as soon as practical. Those who can’t update right away can prevent exploits by making sure pwfeedback is disabled. To check its status, run:
sudo -l
If pwfeedback is listed in the “Matching Defaults entries” output, the sudoers configuration is vulnerable on affected sudo versions. The following is an example of output that indicates a vulnerable sudo configuration:
$ sudo -l
Matching Defaults entries for millert on linux-build:
insults, pwfeedback,
Disabling pwfeedback involves using the visudo command to edit the sudoers file and adding an exclamation point so that
Defaults pwfeedback
becomes:
Defaults !pwfeedback
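
The check described above can be scripted. The following is an added example, not code from the original article or from the sudo project: a hypothetical shell function, pwfeedback_status, that classifies `sudo -l` output read on stdin. It assumes the Defaults block is indented and comma-separated as in the sample output above, and that a later entry overrides an earlier one.

```shell
#!/bin/sh
# Added example: classify pwfeedback from `sudo -l` output read on stdin.
# Prints one of: enabled | disabled | not-listed
# Real use (hypothetical helper name):  sudo -l | pwfeedback_status
pwfeedback_status() {
    awk '
        # Header line opens the Defaults block.
        /^Matching Defaults entries/ { in_defaults = 1; next }
        # Assumption: the block ends at the first blank or unindented line.
        in_defaults && (/^[^ \t]/ || /^[ \t]*$/) { in_defaults = 0 }
        in_defaults {
            n = split($0, opts, ",")
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", opts[i])   # trim whitespace
                # Exact match only, so similarly named options are ignored.
                # Assumption: a later entry overrides an earlier one.
                if (opts[i] == "pwfeedback")  state = "enabled"
                if (opts[i] == "!pwfeedback") state = "disabled"
            }
        }
        END { print (state == "" ? "not-listed" : state) }
    '
}

# Constructed sample input, modelled on the output shown above.
SAMPLE_VULNERABLE='Matching Defaults entries for millert on linux-build:
    insults, pwfeedback,
    mail_badpass

User millert may run the following commands on linux-build:
    (ALL : ALL) ALL'

printf '%s\n' "$SAMPLE_VULNERABLE" | pwfeedback_status
```

A result of "enabled" means the host still needs either the sudo update or the !pwfeedback change; "not-listed" means no matching Defaults entry mentions the option for the user who ran `sudo -l`.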