Sudo broken, sudo fixed
Summary: An essential Linux, Unix, and Mac OS X administration tool had a major security problem. It's been fixed, and now you need to patch your system ASAP.
Linux and Mac OS X users and system administrators, and long before them, Unix users and sysadmins, have used sudo as an essential computer management tool. With it, users are given the power to make essential, but sometimes dangerous, changes to their systems. Recently a fundamental security bug in sudo was discovered. On some networks, this security hole could allow a cracker unlimited control of Linux, Mac OS X, and Unix systems. Fortunately, the bug has now been fixed.
Sudo, which system operators (sysops) use all the time, has been around for almost as long as Unix has been. People often think sudo stands for "do as superuser." That's because it's most commonly used by trusted ordinary users to run a single command as if they were the "superuser," aka the root user or system administrator. Actually, it stands for "substitute user identity and do." It's commonly used to let ordinary users do extraordinary things, like call the shots with your Web server or database, with the powers of the appropriate management account.
The idea in all cases is to keep people from mistakenly making fundamental changes to the system or core services during their ordinary, run-of-the-mill work. Of course, any problem with sudo can easily lead to an escalation-of-privilege exploit. If you can break into sudo, there's really very little you can't do to a system.
Of course, as powerful as sudo is, it's much better than simply allowing users to use the root account all the time for all their work. That way leads to almost certain disaster.
For years, decades even, sudo has been used with little trouble. Recently, however, it was found that on a networked system that uses both IPv4 and IPv6, which is becoming increasingly common, if you also used the sudo configuration file, sudoers, on a network that used LDAP (Lightweight Directory Access Protocol) to manage sudo accounts, those accounts weren't being properly regulated. What was happening was that, if sudo use was managed by network addresses and network masks, a user with an invalid IPv4 Internet address would still be passed through to the IPv6 check... which would then approve them automatically. Whoops!
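An illustrative model of the fall-through described above, added here as an example and not sudo's own source code: a host matcher that compares each interface address against an IPv4 network/netmask rule but lacks an address-family guard, beside the corrected version. The interface addresses and the rule are constructed sample values.

```python
import ipaddress

# Constructed sample: this host's interface addresses (dual-stack) and the
# IPv4 network/netmask taken from a sudoers host specification.
INTERFACES = ["10.1.2.3", "fe80::1"]
RULE = ("192.168.1.0", "255.255.255.0")


def _ipv4_in_net(iface, net, mask):
    """Classic netmask test: (address & mask) == network."""
    a = int(ipaddress.IPv4Address(iface))
    n = int(ipaddress.IPv4Address(net))
    m = int(ipaddress.IPv4Address(mask))
    return (a & m) == n


def host_matches_vulnerable(interfaces, net, mask):
    """Hypothetical buggy matcher. An IPv4 rule that fails the IPv4 test still
    reaches the IPv6 comparison; the rule's IPv6 network and mask were never
    populated (all zero), so (iface & 0) == 0 holds for every IPv6 interface."""
    rule6_net, rule6_mask = 0, 0  # never set for an IPv4 rule
    for iface in interfaces:
        addr = ipaddress.ip_address(iface)
        if addr.version == 4 and _ipv4_in_net(iface, net, mask):
            return True
        # Missing guard: the rule is IPv4, so no IPv6 comparison should run.
        if addr.version == 6 and (int(addr) & rule6_mask) == rule6_net:
            return True
    return False


def host_matches_fixed(interfaces, net, mask):
    """Corrected matcher: compare an interface only against a rule of the
    same address family, so an IPv4 rule can never match via IPv6."""
    rule = ipaddress.ip_network(f"{net}/{mask}", strict=False)
    for iface in interfaces:
        addr = ipaddress.ip_address(iface)
        if addr.version == rule.version and addr in rule:
            return True
    return False
```

On an IPv4-only host neither version matches the constructed rule; only the presence of an IPv6 interface turns the buggy matcher's answer into a false "allowed."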
The problem, which existed in sudo versions 1.6.9p3 through 1.8.4p4, has since been fixed. System administrators should upgrade to 1.8.4p5 or higher as soon as possible.
To exploit the bug, a would-be cracker needs to be in the sudoers file (or sudoers LDAP data) and be granted access to commands on hosts on one or more IPv4 networks. If sudoers doesn't include IP networks in the host specification portion of its rules, the bug has no effect. So, if for some reason you can't fix the problem immediately, you can still block it by removing IP network addresses from the host specification settings of your sudoers rules.
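A quick audit for the condition just described, added here as an example (not part of the article or of the sudo project): it scans a sudoers file for IP networks in Host_Alias definitions and in the host field of user specifications, which tells you whether the workaround applies to you. The sudoers fragment is constructed, and this hypothetical parser ignores #include directives, line continuations and uids written as #1000.

```python
import ipaddress
import re

# Constructed sample sudoers fragment (not taken from any real system).
SAMPLE_SUDOERS = """\
Defaults    env_reset
Host_Alias  OFFICE = 192.168.1.0/24, build.example.com
Host_Alias  LAB = 10.0.0.0/255.0.0.0
root        ALL = (ALL) ALL
%admin      OFFICE = (ALL) ALL
deploy      LAB, web1 = (www) /usr/sbin/apachectl
backup      ALL, 172.16.0.0/16 = (root) /usr/bin/rsync
# alice     192.0.2.0/24 = ALL    (commented out, must be ignored)
"""

SKIP_PREFIXES = ("Defaults", "Cmnd_Alias", "User_Alias", "Runas_Alias")


def _is_ip_network(token):
    """True for a host token written as IP network with netmask or prefix
    length (10.0.0.0/8, 10.0.0.0/255.0.0.0); a leading '!' is allowed."""
    token = token.lstrip("!")
    if "/" not in token:
        return False
    try:
        ipaddress.ip_network(token, strict=False)
        return True
    except ValueError:
        return False


def find_network_host_specs(text):
    """Return (line_no, token) for every IP-network host spec found in
    Host_Alias definitions and in the host field of user specifications."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        if line.startswith("Host_Alias"):
            hosts = line.split("=", 1)[1]
        else:
            m = re.match(r"\S+\s+([^=]+)=", line)  # user  host_list = ...
            if not m:
                continue
            hosts = m.group(1)
        for tok in (t.strip() for t in hosts.split(",")):
            if _is_ip_network(tok):
                findings.append((no, tok))
    return findings
```

Every line reported is a host specification that the workaround says to replace, for example with explicit hostnames, until the upgrade to 1.8.4p5 is in place.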
To my knowledge, no one has exploited this bug yet. Still, any bug that has the potential to give untrusted users absolute power over a system has to be taken seriously and eradicated as soon as possible.
The xkcd cartoon is used under the xkcd License.

Talkback
The myth of open source code reliability
LOL
Remember the "OH MY GOD!!!" moment of OpenSSL and Debian? Quickly and efficiently fixed.
Open source FTW.
Five year old vulnerability here
Hey, chunkeemonkee...
My apologies for not being able to come up with anything newer than five years, as far as notorious vulnerabilities are concerned. Such is the nature of FOSS (sigh)
@thebaldguy No Windows users has made that claim
The Debian goof is just that, a goof. It does not prove nor disprove that FOSS is any more or less secure than proprietary software.
Likewise, this five year old vulnerability in sudo underscores the fact that "many eyes" do not make a software package safer. True quality and structured code evaluation does.
No Windows users, facebook?
You're saying this vulnerability has been known about for five years? Pass the pipe, bro.
(edit) I mistakenly aimed this at chunkee, my mistake.
sudo 1.6.9p3 was released in 2007, making this 5 years old
I'll give you a very minor point, fat ape
Nobody sat on the problem for five years, if that was the point you were trying to make.
Of course someone sat on the sudo problem for five years
You cannot have your cake and eat it too. You cannot state that XP is insecure because you personally do not see the source code and then state that FOSS is more secure because many eyes can see it.
Of course...
the myth that code is "safe" because "many eyes can see it."
And I have still yet to read anything which disproves that.
People stake their reputations on open source being "safer"
They then, erroneously, conclude that because the source code is available on an FTP site, that it is somehow more likely to be safer without any evidence of that. That, my friend, is what we call making up your own facts.
They dismiss improvements in quality by Microsoft
The evidence is right in front of you, just look at how insecure windows is, is that what you call quality software?
Do you know what NSA_KEY is? Do you know if it's a backdoor? Why don't you or someone else look and see? Oh, that's right, you can't because it's closed source code.
Go to Secunia and see how many unpatched vulnerabilities windows 7 has. Microsoft obviously doesn't want to patch them, so why don't you or someone else patch them for microsoft? Oh, that's right, you can't because it's closed source code.
These aren't made up facts my friend.
You answered your own questions
Go to Secunia and see how many unpatched vulnerabilities Linux has. The linux community obviously doesn't want to patch them, so why don't you or someone else patch them for the community?
Oh, that's right, no one is getting around to it, despite the fact that the source code is out there. That is why we have five year old vulnerabilities like this sudo one.
These aren't made up facts my friend.
Yes, I, in fact, do know what the _NSAKEY
And how did I answer my own questions when they were directed at you? Do I now speak on your behalf?
"You are basically claiming that Microsoft is insecure because you, personally, do not see the source code"
No, I'm claiming windows is less secure because it is. Just look at all the windows malware out there, not to mention all the remote vulnerabilities constantly getting patched; it's like Swiss cheese.
"Go to Secunia and see how many unpatched vulnerabilities Linux has"
I have, and it has none. You should really check your facts before posting your FUD, but seeing as you don't want to visit Secunia I guess I will have to post the facts myself... let's try Ubuntu 10.04 and 12.04; both have 0 unpatched vulnerabilities.
And now windows 7: 5 unpatched vulnerabilities, the most severe is rated as Highly critical (from remote), and the release date for that vulnerability was 2010-10-29 and it's still unpatched.
Those weren't made up facts my friend, it must be hard work being a microsoft shill these days, tell them you need a pay rise as it's too hard trying to defend their sub par OS.
...transparent
This one serves as a good example - I don't think it was an exploit that is easy to spot, nor likely to be found by developers before the crackers.
Even when an exploit is found by being used - which is something rare but certainly happening - the fixes for FOSS come out as fast as a tire change in a Formula race.
@guzz46
Leave Loverock alone :( He has no non-made-up facts, so stop being so mean!
"Those weren't made up facts my friend, it must be hard work being a microsoft shill these days, tell them you need a pay rise as it's too hard trying to defend their sub par OS. "
It's not that hard, not with some nice datura weed.
This is just a normal procedure
This is NOT however like in MS Windows, bug found, bug used to hijack millions of PCs, bug finally fixed, millions still hijacked.
Umm no
In this case, there are no known reports of this bug having been exploited in the wild. My Linux box alerted me several days ago to update for this bug.
You mean exactly like the Apache botnet?