Serious Flaw Lurked in Sudo for 9 Years Hands Over Root Privileges

upnorth

Jul 27, 2015
Sudo, a utility found in dozens of Unix-like operating systems, has received a patch for a potentially serious bug that allows unprivileged users to easily obtain unfettered root privileges on vulnerable systems.

The vulnerability, tracked as CVE-2019-18634, is the result of a stack-based buffer-overflow bug found in versions 1.7.1 through 1.8.25p1. It can be triggered only when either an administrator or a downstream OS, such as Linux Mint and Elementary OS, has enabled an option known as pwfeedback. With pwfeedback turned on, the vulnerability can be exploited even by users who aren't listed in sudoers, a file that contains rules that users must follow when using the sudo command.

Sudo is a powerful utility that’s included in most if not all Unix- and Linux-based OSes. It lets administrators allow specific individuals or groups to run commands or applications with higher-than-usual system privileges. Both Apple’s macOS and Debian distributions of Linux received updates last week. People using other OSes should check their configurations and version numbers to ensure they’re not vulnerable.

“Exploiting the bug does not require sudo permissions, merely that pwfeedback be enabled,” an advisory published by sudo developers said.
 

polishpatriot

Feb 4, 2020

To enable this vulnerability a user would have to use visudo and insert "pwfeedback" as a default.

How many people do that?

I will tell you. Almost no one because very few people even know the pwfeedback option exists.
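
An added example, not part of either post above and not code from the sudo project: a Python sketch of the configuration-and-version check the quoted article recommends. It reports exposure only when the version falls in the range the article gives and a `Defaults` entry leaves pwfeedback on. The function names, the simplified sudoers parsing and the sample sudoers text are assumptions made for illustration.

```python
import re

# Affected range exactly as the article above states it.
FIRST_AFFECTED = (1, 7, 1, 0)
LAST_AFFECTED = (1, 8, 25, 1)

def parse_version(text):
    """Parse '1.8.25p1' or a 'Sudo version 1.8.25p1' line into (1, 8, 25, 1)."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?", text)
    if not m:
        raise ValueError(f"no sudo version in {text!r}")
    return tuple(int(g or 0) for g in m.groups())

def version_in_range(text):
    return FIRST_AFFECTED <= parse_version(text) <= LAST_AFFECTED

def pwfeedback_enabled(sudoers_text):
    """True if any Defaults scope ends up with pwfeedback switched on.

    Simplified parser: folds backslash continuations, drops comments, and
    does not follow include directives, so pass each included file as well.
    """
    state = {}  # scope ('' = global, ':alice', '@host', ...) -> last setting
    for raw in re.sub(r"\\\n", " ", sudoers_text).splitlines():
        m = re.match(r"Defaults(\S*)\s+(.*)", raw.split("#", 1)[0].strip())
        if not m:
            continue
        scope, params = m.groups()
        for param in params.split(","):
            flag = re.fullmatch(r"(!?)\s*pwfeedback", param.strip())
            if flag:
                state[scope] = flag.group(1) == ""
    return any(state.values())

def exposed(version_text, sudoers_text):
    """Both conditions from the article: affected version and pwfeedback on."""
    return version_in_range(version_text) and pwfeedback_enabled(sudoers_text)

# Constructed sample inputs, not taken from any real system.
SAMPLE_ON = "Defaults env_reset\nDefaults mail_badpass, pwfeedback  # stars\n"
SAMPLE_OFF = "Defaults env_reset,pwfeedback\nDefaults !pwfeedback\n# Defaults pwfeedback\n"

if __name__ == "__main__":
    for ver, conf in [("1.8.21p2", SAMPLE_ON), ("1.8.21p2", SAMPLE_OFF), ("1.8.31", SAMPLE_ON)]:
        print(ver, exposed(ver, conf))
```

Because a downstream OS may ship the option in a separate included file, run the check over every sudoers file the system loads, not only the main one.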
 
