Nasty Linux, macOS sudo bug found and fixed

Who'da thought hiding passwords behind asterisks as you entered the characters could be a security problem?

Sudo is a very popular, very simple Unix-system sysadmin application. It enables users to switch identities for the purpose of running a single command. Usually, but not always, it lets you run a command as the root, system administrator, user. Sudo's easy to abuse, but it's so darn useful, until it's not. A recently discovered sudo bug once more spells out why you should be wary of this command. 

In this latest security hole, CVE-2019-18634, Apple Information Security researcher Joe Vennix discovered that if the "pwfeedback" option is enabled in your sudoers configuration file, any user, even one who can't run sudo or is listed in the sudoers file, can crack a system.

Also: The different shades of sudo 

Ironically, pwfeedback was meant to make life a bit more secure for users. When enabled, it prints asterisks (*) to the screen when you enter your sudo password.

Unfortunately, it also made it easy to cause a stack-based buffer overflow. Then, as sudo developer Todd C. Miller warns, "Because the attacker has complete control of the data used to overflow the buffer, there is a high likelihood of exploitability."

Whoops. 

The good news is pwfeedback isn't enabled by default. The bad news is that sysadmins often do enable it. Worse still, it's enabled by default in at least two popular Linux distributions, Elementary OS and Linux Mint

Fortunately, the fix is already in on most operating systems. The bug is fixed in sudo 1.8.31 and later. It's now in the most recent security updates to all major Linux distributions and macOS. So, you should patch it immediately.

 If there is no patch available for your operating system, you can fix the problem by deactavating pwfeedback. First check to see if you're vulnerable by running the command:

sudo -l

If you see  pwfeedback listed in the "Matching Defaults entries" output, you're vulnerable. To fix it, edit the sudoers file, which is usually located in /etc/sudoers, with the visudo editor and change: 

Defaults pwfeedback

To:

Defaults !pwfeedback

And, you'll be safe as houses.

So, what are you waiting for? Check your system and patch or correct it as needed before Joe Random Luser decides to play games on your server.

Related Stories: