Sudo Vulnerabilities on Linux and macOS

News broke recently of sudo vulnerabilities affecting macOS and Linux. Users of either system need not panic, however: patches have already been released.

sudo is the command that lets a permitted user run a command as another user, usually root (roughly the equivalent of running something as Administrator on Windows). The vulnerability was found by Joe Vennix of Apple Information Security and can be exploited by a local attacker to gain unauthorised root access to the system.

The vulnerability is tracked as CVE-2019-18634 and is a stack-based buffer overflow in sudo's password-prompt code. It is reachable only when the pwfeedback option (which echoes an asterisk for each character typed at the password prompt) has been enabled in the sudoers file. Because the overflow happens while the password is being read, before any authorisation check, it can be triggered even by users who are not listed in sudoers at all.

The overflow is present in sudo versions 1.7.1 through 1.8.25p1 inclusive.

To see which version of sudo is installed, run sudo -V (capital V; lower-case -v only refreshes your cached credentials). The first line of its output gives the version, for example Sudo version 1.8.23.

Versions 1.8.26 through 1.8.30 are not exploitable because of a change to EOF handling introduced in sudo 1.8.26, although the underlying bug was only removed in 1.8.31, which contains the actual fix.
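The version and sudoers checks described above, as an added example that is not part of the original post: a POSIX shell script that turns the version string printed by sudo -V into a comparable number, places it in the CVE-2019-18634 ranges given in this post, and reports whether pwfeedback is enabled in a sudoers file read from standard input. The version ranges are the ones stated here; the function names and the sample sudoers lines are my own.

```shell
#!/bin/sh
# Added example, not from the original post. Classifies a sudo version
# against the CVE-2019-18634 ranges and checks pwfeedback in sudoers text.

# Turn "MAJ.MIN.PATCH[pN]" (the format `sudo -V` prints) into one integer so
# versions can be compared numerically: 1.8.25p1 -> 108002501.
# Trailing distro suffixes such as "-3.el7" are ignored.
sudo_version_key() {
  v=$1
  maj=${v%%.*}; rest=${v#*.}
  min=${rest%%.*}; rest=${rest#*.}
  case $rest in
    *p*) pat=${rest%%p*}; p=${rest#*p} ;;
    *)   pat=$rest;       p=0 ;;
  esac
  pat=${pat%%[!0-9]*}; p=${p%%[!0-9]*}
  echo $(( maj * 100000000 + min * 1000000 + pat * 100 + p ))
}

# Extract the version from the first line of `sudo -V`:
# "Sudo version 1.8.23" -> "1.8.23".
sudo_version_from_banner() {
  set -- $1
  echo "$3"
}

# Where a version sits relative to CVE-2019-18634 (ranges as in the advisory):
#   not-affected              older than the 1.7.1 .. 1.8.25p1 range
#   vulnerable-if-pwfeedback  1.7.1 .. 1.8.25p1, exploitable when pwfeedback is on
#   not-exploitable           1.8.26 .. 1.8.30, bug present but masked by EOF handling
#   fixed                     1.8.31 and later
cve_2019_18634_status() {
  key=$(sudo_version_key "$1")
  if   [ "$key" -lt "$(sudo_version_key 1.7.1)" ];    then echo not-affected
  elif [ "$key" -le "$(sudo_version_key 1.8.25p1)" ]; then echo vulnerable-if-pwfeedback
  elif [ "$key" -le "$(sudo_version_key 1.8.30)" ];   then echo not-exploitable
  else echo fixed
  fi
}

# Read sudoers text on stdin and print "on" or "off" for pwfeedback, honouring
# sudo's rule that a later Defaults line overrides an earlier one. Only the text
# given is inspected: files pulled in via #include / @include must be fed separately.
pwfeedback_state() {
  state=off
  while IFS= read -r line || [ -n "$line" ]; do
    line=${line%%#*}                      # drop comments
    case $line in *Defaults*) ;; *) continue ;; esac
    if   printf '%s\n' "$line" | grep -Eq '![[:space:]]*pwfeedback([[:space:],]|$)'; then
      state=off                           # "Defaults !pwfeedback"
    elif printf '%s\n' "$line" | grep -Eq '(^|[[:space:],=])pwfeedback([[:space:],]|$)'; then
      state=on                            # "Defaults pwfeedback" or "...,pwfeedback"
    fi
  done
  echo "$state"
}

# Stand-alone run: report on the sudo installed on this host (skipped if absent
# or if /etc/sudoers is not readable by the current user).
if command -v sudo >/dev/null 2>&1; then
  ver=$(sudo_version_from_banner "$(sudo -V 2>/dev/null | head -n 1)")
  if [ -n "$ver" ]; then
    echo "sudo $ver: $(cve_2019_18634_status "$ver")"
    [ -r /etc/sudoers ] && echo "pwfeedback in /etc/sudoers: $(pwfeedback_state < /etc/sudoers)"
  fi
fi
```

Run it as root if you want the /etc/sudoers check to happen, since the file is normally mode 0440; a status of vulnerable-if-pwfeedback together with pwfeedback on is the combination that needs action.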

The attack scenario below, which Joe Vennix also reported, belongs to a different sudo bug, CVE-2019-14287 (fixed in sudo 1.8.28), rather than to the pwfeedback overflow; it is worth knowing because it defeats a style of sudoers policy that many administrators rely on.

The sudoers file, sudo's security policy configuration, might contain an entry like the one below. It states that on host myhost the user demo may run /usr/bin/vi as any user except root:

myhost demo = (ALL, !root) /usr/bin/vi 

On an unpatched sudo, demo can nevertheless run a command as root by naming the target user by numeric ID as -1, or as 4294967295, its unsigned 32-bit equivalent:

sudo -u#-1 id -u

or

sudo -u#4294967295 id -u

Both print 0. The ID -1 is not caught by the !root exclusion, yet when sudo hands it to setresuid() the kernel treats -1 as "leave this ID unchanged", so the process keeps the root UID that sudo already holds. With the policy above only /usr/bin/vi is permitted, so in practice demo would run sudo -u#-1 /usr/bin/vi and obtain an editor running as root; id -u is simply the usual way of demonstrating the bug against a policy that allows it.

As mentioned at the beginning of the post, Apple released the fix for this vulnerability on 28 January 2020 (Security Update 2020-001) for the following macOS versions:

  1. High Sierra 10.13.6
  2. Mojave 10.14.6
  3. Catalina 10.15.2

Linux users whose distribution still ships a sudo in the affected range (CentOS 7.7, for example) should add Defaults !pwfeedback to /etc/sudoers, editing it with visudo so that a syntax error cannot lock them out. Upstream sudo leaves pwfeedback off by default, but some distributions turn it on in their stock sudoers, so check the file rather than assuming.

This workaround is needed only where an affected sudo version has to stay in place; the proper fix is to upgrade to sudo 1.8.31 or later, or to the patched package from the distribution.
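For the two policy problems discussed in this post, a sudoers fragment showing the weak settings beside the hardened ones (an added example, not from the original post; the host name, the user demo and the runas accounts www-data and postgres are made up for illustration):

```sudoers
## Added example, not from the original post. Names are hypothetical.

## Weak: pwfeedback turned on (asterisks at the password prompt) exposes the
## CVE-2019-18634 overflow to every local user on sudo 1.7.1 .. 1.8.25p1, and
## excluding root from ALL was bypassable with -u#-1 before sudo 1.8.28.
Defaults        env_reset, pwfeedback
myhost demo = (ALL, !root) /usr/bin/vi

## Hardened: disable pwfeedback explicitly (off by default upstream, but some
## distributions enable it) and list the accounts demo may become, instead of
## subtracting root from ALL.
Defaults        env_reset, !pwfeedback
myhost demo = (www-data, postgres) /usr/bin/vi
```

A later Defaults line overrides an earlier one, so put the !pwfeedback line after any distribution-supplied Defaults, and remember that vi can spawn a shell (:!sh), so granting it as any user hands out that user's shell as well; sudoedit is the safer way to allow file editing.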

References: CVE-2019-18634; "Linux and macOS PCs hit by serious Sudo vulnerability"

Author: Wan Ariff

He brings working experience in the Information Security field, specialising in Penetration Testing and Digital Forensics. His passion is IT Security.
