Decade-Old Sudo Flaw Discovered

Jan 28, 2021

A vulnerability has been discovered in the Linux sudo command that’s been hiding in plain sight.

Sudo is the venerable tool that allows standard users to run admin tasks on Linux distributions. Without sudo, users would have to log into the system as the root user (or change to the root user with the su command), in order to run admin commands. Seeing as how that is looked upon as a security risk, sudo has become a required tool for many Linux admins and users.

However, it has been discovered (by researchers at Qualys) that, for nearly a decade, sudo contained a heap-based buffer overflow vulnerability. This bug could allow any unprivileged user to gain root privileges using the default sudo configuration.

The vulnerability was introduced to sudo in July 2011, by way of commit 8255ed69 and effects the following versions of sudo:

  • Legacy versions from 1.8.2 to 1.8.31p2
  • Stable versions from 1.9.0 to 1.9.5p1

Qualys researchers have been able to verify the vulnerability and even develop multiple exploit variants to obtain full root privileges on Ubuntu 20.04, Debian 1, and Fedora 33.

A new version of sudo (v 1.9.5p2) has been created to patch the vulnerability. It is imperative that all Linux admins and users update their systems (servers and/or desktops) immediately, so their version of sudo is patched.

For more information on this vulnerability, read the official CVE record.

Related content

  • News

    In the news: Elementary OS Offers Multi-Touch Gesture Support; Sudo Patch for Decade-Old Flaw; Slimbook Titan: Another New Linux Laptop; Golang Worm Targeting Linux Servers; Fileless Malware Attacks Linux Systems; Fileless Malware Attacks Linux Systems

  • Sudo Vulnerability

    A vulnerability in the sudo package gives sudo users more powers than they deserve.

  • New Linux Vulnerability Enables a Privilege Escalation

    Looney Tunables is a new Linux vulnerability that has been discovered in the GNU C library that can lead to privilege escalation.

  • News

    In the news: Zorin OS 16 Educational Spin Now Available; System76 Releases AMD-Powered Kudu Laptop; Ubuntu Budgie Sets Its Sights on Gamers: Linux Mint Edge Is Ready for the Newest Hardware; Linux Kernel 5.17 Code Merge Window Is Closed; and Another Serious Flaw Found in All Major Linux Distributions.

  • Critical Escalation Vulnerability Found in the Linux Kernel

    A new local privilege escalation vulnerability has been discovered in the Linux kernel and users are encouraged to upgrade/patch immediately.

comments powered by Disqus
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters

Support Our Work

Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.

Learn More