Ubuntu Releases Patch for Major ‘sudo’ Security Exploit


steven36

Newly revealed exploit gave anyone root access on Linux systems

Canonical has issued an urgent security fix to the ‘sudo’ package in the Ubuntu archives following the discovery of a major security flaw.

A critical fix has rolled out to all users of Ubuntu 16.04 LTS, 18.04 LTS, 19.04 and 19.10 (and one assumes Ubuntu 14.04 ESR too) — just run a sudo apt upgrade to install it.

But what about the flaw inquisition? Well, if you’re yet to hear about it I appreciate your meditative disconnect from social media. The oft toxic waste pools of chatter were wet with alarm — some manufactured, the rest well weighted — over CVE-2019-14287 when it was announced yesterday, October 14.

The exploit, described by TheHackerNews, who also first reported the flaw, is thus:

“The vulnerability in question is a sudo security policy bypass issue that could allow a malicious user or a program to execute arbitrary commands as root on a targeted Linux system even when the “sudoers configuration” explicitly disallows the root access.”

In other words: anyone could gain root access to a Linux system just by specifying the user ID “-1”.

Now, I am not a security expert by any stretch — I use automatic login on everything — but I have to say this specific flaw is rather novel in that it’s so…basic.

Like many, I’m used to headline exploits being obtuse and complicated, requiring a highly targeted and unconventional attack vector or unique deployment method.

But this one? It could, in theory, be triggered on an affected system — which in this instance is almost anything running Linux — by a single command…

Although the implications of the issue are mildly terrifying, it is mercifully redundant now that a security patch is available.

So if you haven’t installed it, stop reading and go do it!

Source
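
For admins who want to know whether their policy depended on the root exclusion that CVE-2019-14287 bypassed, the following audit sketch is an added example, not part of the original post or of sudo itself. It assumes, per the sudo project's advisory rather than this page, that the affected rules are those whose Runas user list combines `ALL` with a negated root (`!root` or `!#0`); the sample policy and function names are constructed for illustration, and Runas aliases and inline comments are not resolved.

```python
import re

# Constructed sample policy, not taken from any real host.
SAMPLE_SUDOERS = """\
# constructed sample sudoers policy
Defaults env_reset
alice ALL = (ALL, !root) /usr/bin/vi
bob   ALL = (www-data) /usr/bin/systemctl restart nginx
carol ALL = (ALL : ALL) ALL
dave  ALL = (ALL, \\
             !#0) NOPASSWD: /usr/bin/id
"""

RUNAS = re.compile(r"\(([^)]*)\)")          # "(users : groups)" in a rule
SKIP = re.compile(r"^(Defaults|\w+_Alias)\b")  # not user rules

def logical_lines(text):
    """Yield (first_line_number, text) with backslash continuations joined."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = no
        if raw.rstrip().endswith("\\"):
            buf += raw.rstrip()[:-1] + " "
            continue
        yield start, (buf + raw).strip()
        buf, start = "", None

def find_root_exclusions(text):
    """Return [(line_no, who, runas_users)] for rules whose Runas user list
    contains ALL together with a negated root (!root or !#0)."""
    hits = []
    for no, line in logical_lines(text):
        if not line or line.startswith("#") or SKIP.match(line) or "=" not in line:
            continue
        who, rhs = line.split("=", 1)
        for m in RUNAS.finditer(rhs):
            # Keep only the user part (before ':'), normalise spacing.
            users = [u.replace(" ", "") for u in m.group(1).split(":")[0].split(",")]
            if "ALL" in users and any(u in ("!root", "!#0") for u in users):
                hits.append((no, who.split()[0], users))
    return hits

if __name__ == "__main__":
    for no, who, users in find_root_exclusions(SAMPLE_SUDOERS):
        print(f"line {no}: {who} may run as ({', '.join(users)}); "
              "the root exclusion only holds on patched sudo")
```

Rules it reports are the ones to re-check after installing the update; listing the permitted target users explicitly avoids relying on an exclusion at all.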
