Sudo broken, sudo fixed

Summary: An essential Linux, Unix, and Mac OS X administration tool had a major security problem. It's been fixed, and now you need to patch your system ASAP.

As this classic xkcd cartoon reminds us, sudo is very powerful indeed

Linux and Mac OS X users and system administrators, and Unix users and sysadmins long before them, have relied on sudo as an essential management tool. With it, users are given the power to make essential, but sometimes dangerous, changes to their systems. Recently a fundamental security bug was discovered in sudo. In some network configurations this hole could let a user who already holds limited sudo rights run commands on hosts where the policy was meant to deny them, up to and including full root control of Linux, Mac OS X, and Unix systems. Fortunately, the bug has now been fixed.

Sudo, which system operators (sysops) use all the time, has been around for almost as long as Unix has been. People often think sudo stands for "do as superuser." That's because it's most commonly used by trusted ordinary users to run a single command as if they were the "superuser," aka the root user or system administrator. Actually, it stands for "substitute user identity and do." It's commonly used to let ordinary users do extraordinary things, such as managing your Web server or database with the powers of the appropriate service account.

The idea in all cases is to keep people from mistakenly making fundamental changes to the system or core services during their ordinary, run-of-the-mill work. Of course, any problem with sudo can easily become an escalation-of-privilege exploit. If you can break sudo, there's really very little you can't do to a system.

Of course, as powerful as sudo is, using it is still much better than simply letting users work from the root account all the time. That way leads to almost certain disaster.

For years, decades even, sudo has been used with little trouble. Recently, however, a bug was found that affects hosts that have both IPv4 and IPv6 addresses, which is becoming increasingly common. Whether the sudo policy lives in the local sudoers configuration file or is managed over LDAP (Lightweight Directory Access Protocol), rules that restrict commands by host using a network address and netmask were not being enforced correctly. When a host's IPv4 address failed to match the IPv4 network in a rule, sudo fell through to the IPv6 comparison, and that comparison then approved the host anyway. Whoops!

The problem (tracked as CVE-2012-2337), which existed in sudo versions 1.6.9p3 through 1.8.4p4, has since been fixed. System administrators should upgrade to 1.8.4p5 or higher as soon as possible.

To exploit the bug, a would-be cracker needs an entry in the sudoers file (or the sudoers LDAP data) that grants access to commands on hosts on one or more IPv4 networks. If sudoers doesn't use IP networks in the host specification part of its rules, the bug has no effect. So, if for some reason you can't patch immediately, you can still block it by replacing the IP networks in the host specification of your sudoers rules with explicit host names.
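As an added example that is not from the article or from the sudo project, here is a small POSIX shell script that checks the two conditions above: whether a sudo version string falls inside the affected range, and whether a sudoers file uses IP networks (netmask or CIDR form) in its host specifications. The host names, users and rules in the sample policy are constructed for illustration only.

```shell
#!/bin/sh
# Added example, not from the article or from the sudo project: audit helpers
# for the sudoers netmask bug. The policy written by write_sample_sudoers is a
# constructed sample with hypothetical hosts and users, not a real site file.

# Is a sudo version string inside the affected range 1.6.9p3 .. 1.8.4p4?
# Exit status 0 means affected, 1 means not affected. A version without a
# "pN" patch level counts as p0, so 1.8.5 compares above 1.8.4p4.
sudo_version_affected() {
    ver=$1
    base=${ver%%p*}                                   # 1.8.4p4 -> 1.8.4
    case $ver in *p*) plevel=${ver##*p} ;; *) plevel=0 ;; esac
    oldifs=$IFS; IFS=.; set -- $base; IFS=$oldifs     # split on dots
    maj=${1:-0}; min=${2:-0}; pat=${3:-0}
    key=$((maj * 1000000 + min * 10000 + pat * 100 + plevel))
    [ "$key" -ge 1060903 ] && [ "$key" -le 1080404 ]  # 1.6.9p3 .. 1.8.4p4
}

# Version string of the sudo on this machine, taken from the first line of
# "sudo -V" ("Sudo version 1.8.4p5"). Prints nothing if sudo is absent.
installed_sudo_version() {
    sudo -V 2>/dev/null | sed -n '1s/^Sudo version //p'
}

# Print the non-comment sudoers lines whose host field uses an IPv4 network
# with a dotted netmask or a CIDR prefix length. Those are the only rules the
# bug can affect; plain host names and single addresses are left alone.
sudoers_network_hosts() {
    grep -E -v '^[[:space:]]*#' "$1" |
        grep -E '[0-9]{1,3}(\.[0-9]{1,3}){3}/([0-9]{1,3}(\.[0-9]{1,3}){3}|[0-9]{1,2})'
}

# Same check as a count; 0 means the workaround in the text is not needed.
sudoers_network_host_count() {
    sudoers_network_hosts "$1" | wc -l | tr -d ' '
}

# Constructed sample policy. The commented "hardened" lines show the
# workaround from the text: name the hosts instead of the network.
write_sample_sudoers() {
    cat > "$1" <<'EOF'
# constructed sample sudoers, not a real site policy
Host_Alias WEBHOSTS   = 192.168.10.0/255.255.255.0   # affected: network + netmask
Host_Alias DBHOSTS    = 10.0.0.0/8                   # affected: CIDR network
Host_Alias ADMINHOSTS = bastion1, bastion2           # fine: explicit host names
# hardened: Host_Alias WEBHOSTS = web1, web2, web3
# hardened: Host_Alias DBHOSTS  = db1, db2
alice   WEBHOSTS   = /usr/sbin/service httpd restart
bob     10.0.0.5   = /usr/bin/systemctl restart postgresql   # fine: single address
carol   ADMINHOSTS = ALL
EOF
}
```

Source the file and run `sudo_version_affected "$(installed_sudo_version)" && echo affected`, then `sudoers_network_hosts /etc/sudoers` as root (the file is normally mode 0440). The grep only inspects the one file it is given; rules pulled in through `#include` or `#includedir` directives, or served from LDAP, need the same inspection.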

To my knowledge, no one has exploited this bug yet. Still, any bug that has the potential to give untrusted users absolute power over a system has to be taken seriously and eradicated as soon as possible.

The xkcd cartoon is used under the xkcd License.


Talkback

71 comments
  • The myth of open source code reliability

    This, once again, underscores the myth that code is "safe" because "many eyes can see it." What fixes QA issues is QA - structured, formal QA processes. Without that attention to Quality, access to the code or not is irrelevant.
    Your Non Advocate
    • LOL

      What happened, did the LD troll get banned?? Are you his new namesake?

      Remember the "OH MY GOD!!!" moment of OpenSSL and Debian? Quickly and efficiently fixed.

      Open source FTW.
      thebaldguy
      • Five year old vulnerability here

        Is that your definition of timely or quality?
        chunkeemonkee
      • Hey, chunkeemonkee...

        ...the point is that the Windows lovers pointed to the Debian goof as proof that FOSS was not secure, and that pandemonium would soon erupt over the encryption fubar. Instead, a fix went out ASAP, and nothing bad happened.

        My apologies for not being able to come up with anything newer than five years, as far as notorious vulnerabilities are concerned. Such is the nature of FOSS (sigh)
        thebaldguy
      • @thebaldguy No Windows user has made that claim

        The point is that there is a pernicious myth that having source code on an FTP site somehow leads to quality.

        The Debian goof is just that, a goof. It does not prove nor disprove that FOSS is any more or less secure than proprietary software.

        Likewise, this five year old vulnerability in sudo underscores the fact that "many eyes" do not make a software package safer. True quality and structured code evaluation does.
        Your Non Advocate
      • No Windows users, facebook?

        God, you must not read the same FOSS blogs (all plagued by a number of haters of FOSS) that I do.

        You're saying this vulnerability has been known about for five years? Pass the pipe, bro.

        (edit) I mistakenly aimed this at chunkee, my mistake.
        thebaldguy
      • sudo 1.6.9p3 was released in 2007, making this 5 years old

        Basic math @thebaldguy. Maybe you should avoid pipe smoking.
        chunkeemonkee
      • I'll give you a very minor point, fat ape

        However, once the vulnerability was *found*, fixed. They are still uncovering holes in XP that are 12 years old. Fixing them generally takes "a bit" longer.

        Nobody sat on the problem for five years, if that was the point you were trying to make.
        thebaldguy
      • Of course someone sat on the sudo problem for five years

        Remember, the source code has been sitting there on an FTP site for five years for many eyes to see.

        You cannot have your cake and eat it too. You cannot state that XP is insecure because you personally do not see the source code and then state that FOSS is more secure because many eyes can see it.
        Your Non Advocate
    • Of course...

      ...this never EVER happens with proprietary software. That's why MS used to get upset when non-existent (see above) security bugs in Windows were disclosed to the public before MS had a fix for them ("information anarchy" is what MS called it).
      John L. Ries
    • the myth that code is "safe" because "many eyes can see it."

      I haven't heard that one before, I have heard "many eyes make safer" ...notice the word "safer" as opposed to "safe"
      And I have still yet to read anything which disproves that.
      guzz46
      • People stake their reputations on open source being "safer"

        They dismiss improvements in quality by Microsoft, unaware that Microsoft source code is available for review, that all APIs are published, and of the quality programs of Microsoft.

        They then, erroneously, conclude that because the source code is available on an FTP site, that it is somehow more likely to be safer without any evidence of that. That, my friend, is what we call making up your own facts.
        Your Non Advocate
      • They dismiss improvements in quality by Microsoft

        "They then, erroneously, conclude that because the source code is available on an FTP site, that it is somehow more likely to be safer without any evidence of that"

        The evidence is right in front of you, just look at how insecure Windows is. Is that what you call quality software?

        Do you know what NSA_KEY is? Do you know if it's a backdoor? Why don't you or someone else look and see? Oh, that's right, you can't because it's closed source code.

        Go to Secunia and see how many unpatched vulnerabilities Windows 7 has. Microsoft obviously doesn't want to patch them, so why don't you or someone else patch them for Microsoft? Oh, that's right, you can't because it's closed source code.

        These aren't made up facts my friend.
        guzz46
      • You answered your own questions

        Yes, I, in fact, do know what the _NSAKEY is. In fact, you are shooting yourself in the foot by trying to attribute something discovered when it was unstripped during symbolic debugging as something nefarious. You are basically claiming that Microsoft is insecure because you, personally, do not see the source code, yet cite an example of DLLs being decompiled to the native source. All of Microsoft's APIs are public.

        Go to Secunia and see how many unpatched vulnerabilities Linux has. The Linux community obviously doesn't want to patch them, so why don't you or someone else patch them for the community?

        Oh, that's right, no one is getting around to it, despite the fact that the source code is out there. That is why we have five year old vulnerabilities like this sudo one.

        These aren't made up facts my friend.
        Your Non Advocate
      • Yes, I, in fact, do know what the _NSAKEY

        Oh do you? How do you know, by the way? It's closed source code, so you must be taking Microsoft's word for it (like they would admit it if it was).
        And how did I answer my own questions when they were directed at you? Do I now speak on your behalf?

        "You are basically claiming that Microsoft is insecure because you, personally, do not see the source code"

        No, I'm claiming Windows is less secure because it is. Just look at all the Windows malware out there, not to mention all the remote vulnerabilities constantly getting patched; it's like Swiss cheese.

        "Go to Secunia and see how many unpatched vulnerabilities Linux has"

        I have, and it has none. You should really check your facts before posting your FUD, but seeing as you don't want to visit Secunia I guess I will have to post the facts myself... let's try Ubuntu 10.04 and 12.04; both have 0 unpatched vulnerabilities.

        And now Windows 7: 5 unpatched vulnerabilities, the most severe is rated as Highly critical (from remote), and the release date for that vulnerability was 2010-10-29 and it's still unpatched.

        Those weren't made up facts my friend. It must be hard work being a Microsoft shill these days; tell them you need a pay rise, as it's too hard trying to defend their sub par OS.
        guzz46
      • ...transparent

        Transparent is the word I've heard, not safe or safer - of course it implicates more safety, and that is correct. There is a reason for exploits in FOSS rarely being exploited before they are found by developers and fixed.

        This one serves as a good example - I don't think it was an exploit that is easy to spot, nor likely to be found by developers before the crackers.
        Even when an exploit is found by being used - which is something rare but certainly happening - the fixes for FOSS come out as fast as a tire change in a Formula race.
        robsku
      • @guzz46

        Leave Loverock alone :( He has no non-made-up facts, so stop being so mean!

        "Those weren't made up facts my friend, it must be hard work being a microsoft shill these days, tell them you need a pay rise as it's too hard trying to defend their sub par OS. "

        It's not that hard, not with some nice datura weed.
        robsku
    • This is just a normal procedure

      Bug found, bug fixed.
      This is NOT however like in MS Windows, bug found, bug used to hijack millions of PCs, bug finally fixed, millions still hijacked.
      Mikael_z
    • Umm no

      If this had happened on Windows, it would have been exploited for several months in the wild before anyone found out what was happening. And then MS would finally get around to patching it and it would take months for everyone out there to finally get around to updating.

      In this case, there are no known reports of this bug having been exploited in the wild. My Linux box alerted me several days ago to update for this bug.
      KodiacZiller
      • You mean exactly like the Apache botnet?

        one of the largest botnets in history, brought to you by FOSS.
        Your Non Advocate