The flaw was found to be working only on Linux systems that have a non-standard configuration. For those unaware, Sudo is a program for Unix-like computer operating systems that allows users to run programs with the security privileges of another user, by default the ‘superuser’ (a special user account used for system administration). In other words, Sudo (su “do”) allows a system administrator to give certain users (or groups of users) the ability to run some (or all) commands as root while logging all commands and arguments. The security vulnerability known as CVE-2019-14287 allows users to circumvent the non-root restriction by simply changing the user ID to -1 or 4294967295 with the ‘sudo’ command. This triggers the vulnerability and gives root access. “When sudo is configured to allow a user to run commands as an arbitrary user via the ALL keyword in a Runas specification, it is possible to run commands as root by specifying the user ID -1 or 4294967295,” according to the Sudo vulnerability alert. “This can be used by a user with sufficient sudo privileges to run commands as root even if the Runas specification explicitly disallows root access as long as the ALL keyword is listed first in the Runas specification. “Log entries for commands run this way will list the target user as 4294967295 instead of root.” This happens because a function that converts a user ID to a username mistakes -1 (or invalid equivalent 4294967295) as 0, which happens to be the root user ID. Also, since the user ID specified with the -u option does not exist in the password database, no PAM session modules will run. The bug was found and reported by Joe Vennix of Apple security, which has now been patched in Sudo version 1.8.28. Those who are affected by the bug can check for available updates and patch the exploit on their machine. If you are not getting an update from your distribution of choice are recommended to update Sudo manually to the latest version as soon as it is available.
