Linux Vulnerability Sudo Command, Patch Now

     
11:34 am on Oct 15, 2019 (gmt 0)

Administrator from GB 

WebmasterWorld Administrator engine is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month Best Post Of The Month

joined:May 9, 2000
posts:26456
votes: 1076


There's a security vulnerability in the Linux sudo command and the developers have patched it. Update now to v1.8.28 or later where the bug is fixed.

The quirk revolved around sudo's treatment of user IDs. If you typed the command with a user ID of -1 or its unsigned equivalent 4294967295, it would treat you as if you had root access (user ID 0) even as it recorded the actual user ID in the log. The user IDs in question don't exist in the password database, either, so the command won't require a password to use.


[engadget.com...]

[sudo.ws...]
11:54 am on Oct 15, 2019 (gmt 0)

Senior Member from GB 

WebmasterWorld Senior Member graeme_p is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Nov 16, 2005
posts:3022
votes: 214


This is only a problem if you use sudo to give people restricted access. If you use sudo to give users root it changes nothing.
3:08 am on Oct 16, 2019 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member ogletree is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Apr 14, 2003
posts: 4320
votes: 42


My server guy said that CentOS 6 does not have access to the new version of SU, but said that I have nothing to worry about since we don't use it that way.
2:16 pm on Oct 17, 2019 (gmt 0)

Preferred Member

Top Contributors Of The Month

joined:June 28, 2018
posts: 382
votes: 215


My server guy said that CentOS 6 does not have access to the new version of SU, but said that I have nothing to worry about since we don't use it that way.


I presume he means that the current version provided by the repos set to be used by yum does not contain the new version - but that wouldn't stop him from setting up alternative repos or installing/compiling from source. I've not tried this though and my instinct says there is a possibility that could get tricky depending on what other binaries might depend on su.

I'm guessing there will be an update quite quick though for something that serious.
4:47 pm on Oct 17, 2019 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member ogletree is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Apr 14, 2003
posts: 4320
votes: 42


Since we are not using SU in such a way that this would affect us I'm not worried about it.
5:17 pm on Oct 17, 2019 (gmt 0)

Administrator from GB 

WebmasterWorld Administrator engine is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month Best Post Of The Month

joined:May 9, 2000
posts:26456
votes: 1076


Even if you don't use it now it's worth updating if you have it.
5:27 pm on Oct 17, 2019 (gmt 0)

Junior Member

Top Contributors Of The Month

joined:Aug 30, 2019
posts:145
votes: 28


Hello-

The infamous negative numbers fail.

nb: I have the right to be sarcastic, because I made the same mistake in a PHP script once :)
9:53 am on Oct 18, 2019 (gmt 0)

Senior Member from GB 

WebmasterWorld Senior Member graeme_p is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Nov 16, 2005
posts:3022
votes: 214


su? This is about sudo, not su. They are different things on all distros I know. On CentOS, su is provided by the util-linux package while sudo is provided by the sudo package.

Exploiting the bug requires that the user have sudo privileges that allow them to run commands with an arbitrary user ID. Typically, this means that the user's sudoers entry has the special value ALL in the Runas specifier.


Essentially you let people run a command as any user except those specifically listed, and then this lets a user get around restrictions like "run as any user but root". Not common - sudo is generally used to let people run commands as root. No problem with that (because they have root access anyway), and no problem with running specified commands as only specified users (because then you never specify ALL). The latter is much better than "all but exceptions" because it does not increase access when you add new users.

So, you will probably get an update soon, and it's a serious but obscure issue rather than a serious and common one.
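An added example, not part of any post in this thread: a small audit for the condition described above, flagging sudoers rules whose Runas list combines ALL with "!" exclusions when the installed sudo is older than 1.8.28. The function names and the sample policy are constructed for illustration, and Runas_Alias definitions and included files are not expanded.

```python
import re

FIXED = (1, 8, 28)  # first release with the fix, per the thread above

def parse_version(text):
    """Extract (major, minor, patch) from e.g. 'Sudo version 1.8.27'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version in {text!r}")
    return tuple(map(int, m.groups()))

def excluded_runas(rule):
    """Users excluded via '!' in a Runas list that also contains ALL."""
    if rule.lstrip().startswith(("#", "Defaults")) or "=" not in rule:
        return []
    hits = []
    # Each "(...)" after the "=" is a Runas spec: users, then optional ":groups".
    for spec in re.findall(r"\(([^)]*)\)", rule.split("=", 1)[1]):
        users = [u.strip() for u in spec.split(":", 1)[0].split(",")]
        if "ALL" in users:
            hits += [u[1:].strip() for u in users if u.startswith("!")]
    return hits

def audit(sudoers_text, version_text):
    """Return [(line_no, excluded_users)] for rules the bug would defeat."""
    if parse_version(version_text) >= FIXED:
        return []
    findings = []
    for no, rule in enumerate(sudoers_text.splitlines(), 1):
        excluded = excluded_runas(rule)
        if excluded:
            findings.append((no, excluded))
    return findings

# Constructed sample input, not taken from any real host.
SAMPLE_SUDOERS = """\
# constructed example policy
Defaults env_reset
root    ALL = (ALL:ALL) ALL
alice   ALL = (ALL, !root) /usr/bin/vi
bob     ALL = (www-data) /usr/bin/systemctl reload nginx
carol   ALL = (ALL, !root, !backup : ALL) NOPASSWD: /usr/bin/id
"""

if __name__ == "__main__":
    for version in ("Sudo version 1.8.27", "Sudo version 1.8.28"):
        print(version, "->", audit(SAMPLE_SUDOERS, version))
```

Distributions often backport fixes without changing the upstream version number, so a hit from the version check should be confirmed against the vendor's package changelog. Rules that list specific Runas users, like bob's, are never flagged because they do not use ALL.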
11:32 am on Oct 22, 2019 (gmt 0)

Preferred Member

10+ Year Member Top Contributors Of The Month

joined:July 23, 2004
posts:603
votes: 105


I always keep an eye out for stuff like this when it comes down the line ... I update server side and locally as a rule because it's all Linux on both