Decade-Old Sudo Flaw Discovered

Jan 28, 2021

A vulnerability has been discovered in the Linux sudo command that’s been hiding in plain sight.

Sudo is the venerable tool that allows standard users to run admin tasks on Linux distributions. Without sudo, users would have to log into the system as the root user (or change to the root user with the su command), in order to run admin commands. Seeing as how that is looked upon as a security risk, sudo has become a required tool for many Linux admins and users.

However, it has been discovered (by researchers at Qualys) that, for nearly a decade, sudo contained a heap-based buffer overflow vulnerability. This bug could allow any unprivileged user to gain root privileges using the default sudo configuration.

The vulnerability was introduced to sudo in July 2011, by way of commit 8255ed69 and effects the following versions of sudo:

  • Legacy versions from 1.8.2 to 1.8.31p2
  • Stable versions from 1.9.0 to 1.9.5p1

Qualys researchers have been able to verify the vulnerability and even develop multiple exploit variants to obtain full root privileges on Ubuntu 20.04, Debian 1, and Fedora 33.

A new version of sudo (v 1.9.5p2) has been created to patch the vulnerability. It is imperative that all Linux admins and users update their systems (servers and/or desktops) immediately, so their version of sudo is patched.

For more information on this vulnerability, read the official CVE record.

Related content

  • News

    In the news: Elementary OS Offers Multi-Touch Gesture Support; Sudo Patch for Decade-Old Flaw; Slimbook Titan: Another New Linux Laptop; Golang Worm Targeting Linux Servers; Fileless Malware Attacks Linux Systems; Fileless Malware Attacks Linux Systems

    more »
  • Sudo Vulnerability

    A vulnerability in the sudo package gives sudo users more powers than they deserve.

    more »
  • News

    In the news: Zorin OS 16 Educational Spin Now Available; System76 Releases AMD-Powered Kudu Laptop; Ubuntu Budgie Sets Its Sights on Gamers: Linux Mint Edge Is Ready for the Newest Hardware; Linux Kernel 5.17 Code Merge Window Is Closed; and Another Serious Flaw Found in All Major Linux Distributions.

    more »
  • Critical Escalation Vulnerability Found in the Linux Kernel

    A new local privilege escalation vulnerability has been discovered in the Linux kernel and users are encouraged to upgrade/patch immediately.

    more »
  • NEWS

    In the news: LibreOffice 6.4 Released; Official Evernote Client Coming to Linux; Thanks to Linux, Google and Valve are Bringing Steam to Chromebooks; Nine-Year-Old Bug Found and Fixed in Sudo; and Systemd-homed Is Coming to a Linux Distribution Near You.

    more »
comments powered by Disqus

Issue 272/2023

Buy this issue as a PDF

Digital Issue: Price $12.99
(incl. VAT)

Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters

Support Our Work

Linux Magazine content is made possible with support from readers like you. Please consider contributing when you've found an article to be beneficial.

News

Tag Cloud

Administration Community Desktop Events Hardware Linux Linux Pro Magazine Mobile Programming Software Ubuntu Web Development Windows free software open source