Sudo is a very popular, very simple sysadmin program for Unix systems. It lets users change identity to run a single command. Usually, but not always, that means running a command as root, the system administrator or superuser account. Sudo is easy to abuse, but it is so useful... until it isn't. A recently discovered sudo bug is yet another reminder of why you should keep a close eye on this command.

In this latest vulnerability, CVE-2019-18634, Apple Information Security researcher Joe Vennix discovered that if the “pwfeedback” option is enabled in your sudoers configuration file, any user, even one who can't run sudo or isn't listed in the sudoers file, can crack the system.


Ironically, pwfeedback was meant to make life a little safer for users. When enabled, asterisks (*) are printed to the screen when you enter your sudo password.

Unfortunately, it also made it easy to trigger a stack-based buffer overflow. As sudo developer Todd C. Miller warns, “Because the attacker has complete control over the data used to overflow the buffer, there is a high probability of exploitability.”

Whoops.

The good news is that pwfeedback is not enabled by default. The bad news is that sysadmins often enable it. Even worse, it is enabled by default in at least two popular Linux distributions, Elementary OS and Linux Mint.

Fortunately, the fix is already available on most operating systems. The bug is fixed in sudo 1.8.31 and later, which is now in the latest security updates for all major Linux distributions and macOS. So patch right away.

If no patch is available yet for your operating system, you can work around the problem by disabling pwfeedback. First check whether you are vulnerable by running the command:

sudo -l

If you see pwfeedback in the “Matching Defaults entries” output, you are vulnerable. To fix it, edit the sudoers file, usually located at /etc/sudoers, with the visudo editor and change:

Defaults pwfeedback

To:

Defaults !pwfeedback

And you will be safe as houses.
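Turning the manual check above into something you can script across many hosts, as an added example that is not part of the original article: the shell functions below parse `sudo -l` output for a pwfeedback entry in the “Matching Defaults entries” section (a negated `!pwfeedback` does not count), and compare a sudo version string against the fixed 1.8.31 release. The sample output, the user name `alice` and the host name `host` are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the article: scripted versions of the two things
# an admin checks for CVE-2019-18634.
#   1. Does the "Matching Defaults entries" section of `sudo -l` output
#      enable pwfeedback?
#   2. Is the installed sudo at least 1.8.31, the first fixed release?

# pwfeedback_enabled OUTPUT
# Returns 0 (true) if OUTPUT, the text printed by `sudo -l`, enables the
# pwfeedback option in its "Matching Defaults entries" section; 1 otherwise.
# Only that section is inspected, and a negated "!pwfeedback" does not count.
pwfeedback_enabled() {
    printf '%s\n' "$1" | awk '
        /^Matching Defaults entries/ { in_defaults = 1; next }
        /^[^ \t]/                    { in_defaults = 0 }
        in_defaults {
            # Defaults options are comma separated and may wrap across lines.
            n = split($0, opt, /,/)
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", opt[i])
                if (opt[i] == "pwfeedback") found = 1
            }
        }
        END { if (found) exit 0; else exit 1 }'
}

# sudo_version_fixed VERSION
# Returns 0 if VERSION (e.g. "1.8.31" or "1.8.27p1", as printed on the first
# line of `sudo -V`) is 1.8.31 or later; 1 otherwise.
sudo_version_fixed() {
    printf '%s\n' "$1" | awk -F. '{
        sub(/p[0-9]+$/, "", $3)          # drop the "p1" patch-level suffix
        major = $1 + 0; minor = $2 + 0; patch = $3 + 0
        fixed = (major > 1) || (major == 1 && minor > 8) ||
                (major == 1 && minor == 8 && patch >= 31)
        if (fixed) exit 0; else exit 1
    }'
}

# Constructed sample `sudo -l` output: one host where pwfeedback is enabled
# (the vulnerable case) and one where it has been negated.
SAMPLE_VULNERABLE='Matching Defaults entries for alice on host:
    env_reset, pwfeedback, mail_badpass,
    secure_path=/usr/sbin\:/usr/bin\:/sbin\:/bin

User alice may run the following commands on host:
    (ALL : ALL) ALL'

SAMPLE_FIXED='Matching Defaults entries for alice on host:
    env_reset, !pwfeedback, mail_badpass

User alice may run the following commands on host:
    (ALL : ALL) ALL'

# Report on the constructed samples. On a real system run instead:
#   pwfeedback_enabled "$(sudo -l)"
#   sudo_version_fixed "$(sudo -V | awk 'NR == 1 { print $3 }')"
for sample in "$SAMPLE_VULNERABLE" "$SAMPLE_FIXED"; do
    if pwfeedback_enabled "$sample"; then
        echo "pwfeedback enabled: vulnerable unless sudo is 1.8.31 or later"
    else
        echo "pwfeedback disabled or negated: not exposed to CVE-2019-18634"
    fi
done
```

Both checks are worth running together: a host with pwfeedback enabled but sudo already at 1.8.31 or later is patched, while a host with an old sudo and pwfeedback disabled is mitigated but still due for an update.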

So what are you waiting for? Check your system and patch or correct it if necessary before Joe Random Luser decides to play games on your server.
