The Complete Magazine on Open Source

Linux distros patch highly severe Sudo vulnerability

11.38K 5

Sudo vulnerability in Linux

Red Hat, Debian and several other Linux distributions have released the patch for a Sudo command vulnerability. The high-severity vulnerability could let a local attacker gain root privileges.

The issue, internally known as CVE-2017-1000367, was reported by security researchers from Qualys a few days back. The vulnerability was letting attackers run bash commands to overwrite any stored files on the system. Furthermore, the attacker could gain root-level privileges to overwrite root-owned content.

“We discovered a vulnerability in Sudo’s get_process_ttyname() for Linux: this function opens “/proc/[pid]/stat” (man proc) and reads the device number of the tty from field 7 (tty_nr),” Qualys technically highlights the issue.

Impacts SELinux

The issue is notably affecting only those distros where SELinux is enabled, and the Sudo command was built with SELinux support.

The creator of Sudo app, Todd C. Miller, was prompt to release the patch fixing this vulnerability. All the Sudo versions between 1.8.6p7 and 1.8.20 are affected. Also, many popularly used Linux distros bring Sudo as a bundled default app.

“Sudo 1.8.6p7 through 1.8.20p1 inclusive. The fix present in Sudo 1.8.20p1 was incomplete as it did not address the problem of a command with a newline in the name,” said Miller, explaining the reach of the vulnerability.

Red Hat, SUSE, Ubuntu and Debian have released an urgent security update to address the vulnerability.

Red Hat has released the fixes for Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7 and Red Hat Enterprise Linux Server. Debian, on the other hand, has published the release for Wheezy, Jessie and Sid while SUSE has published a release for all its releases.

  • Pingback: 多个 Linux 发行版发布补丁修复高危的 Sudo 漏洞 | News Pod()

  • asdf

    sudo is not an “app”.

    • Jonato

      It is indeed an application, or app for short.

      • Glen Duncan

        Applications are monolithic, and have a GUI. sudo (NOT capitalized) is a command line program. There is a distinct difference. Wikipedia defines an applications as: “a computer program designed to perform a group of coordinated functions, tasks, or activities for the benefit of the user. Examples of an application include a word processor, a spreadsheet, an accounting application, a web browser, a media player, an aeronautical flight simulator, a console game or a photo editor.”

        You will note that NONE of these examples follow the *NIX principal of “doing one thing” like command line programs do. If you don’t understand the difference still, you shouldn’t be correcting those that do.

  • Pingback: Links 18/6/2017: New Debian Release, Catchup With a Lot of News | Techrights()