Why you must patch the new Linux sudo security hole

Ironically, only the most secure Linux server setups are vulnerable to this newly discovered hole.
Written by Steven Vaughan-Nichols, Senior Contributing Editor

If you want your Linux server to be really secure, you defend it with SELinux. Many sysadmins don't bother because SELinux can be difficult to set up, but if you really want to nail down your server, you use it. That makes the newly discovered hole in the sudo command, which can only be exploited on SELinux-enabled systems, all the more annoying.

Sudo lets users run commands as root or as another user while keeping an audit trail of what they ran. It's essential for day-in, day-out Linux work. Qualys, a well-regarded security company, found that on systems with SELinux enabled this essential command can be abused to give an ordinary sudo user full root privileges.

Or, as they'd say on the Outer Limits, "We will control the horizontal, we will control the vertical." This is not what you want to see on your Linux server.

In a note to the Openwall oss-security mailing list, Qualys explained, "On an SELinux-enabled system, if a user is Sudoer for a command that does not grant him full root privileges, he can overwrite any file on the filesystem (including root-owned files) with his command's output, because relabel_tty() (in src/selinux.c) calls open(O_RDWR|O_NONBLOCK) on his tty and dup2()s it to the command's stdin, stdout, and stderr. This allows any Sudoer user to obtain full root privileges."

In practical terms, a user who is already trusted with a limited sudo entry can use it "to overwrite an arbitrary file by writing to the standard output or standard error. This can be escalated to full root access by rewriting a trusted file such as /etc/shadow or even /etc/sudoers."
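Qualys's note describes the effect. The reason the "tty" sudo opened could be a device of the user's choosing, which this article does not spell out, lies in how sudo's get_process_ttyname() found the terminal on Linux: it read /proc/[pid]/stat and took the seventh whitespace-separated field, tty_nr, but the second field is the process's command name, which a user controls by running sudo through a symlink of his own naming, spaces and newlines included. The C program below is an added illustration, not sudo's own code: the sample stat lines are constructed, the function names are the example's own, the first parser mimics the flawed split-on-blanks approach, and the second mimics the fix of parsing only after the last ')' in the whole buffer (the newline case is the one the first fix missed).

```c
/*
 * Added illustration of the /proc/[pid]/stat parsing flaw behind this sudo
 * hole; not sudo's code.  The file is one line of the form
 *     pid (comm) state ppid pgrp session tty_nr ...
 * Field 7 is tty_nr.  Field 2, comm, is the executable's name as the kernel
 * recorded it (15 bytes at most), chosen by whoever names the executable.
 */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample /proc/[pid]/stat contents (hypothetical, not captured). */

/* An ordinary shell on /dev/pts/0: tty_nr 34816 is major 136, minor 0. */
static const char stat_normal[] =
    "4242 (bash) S 4100 4242 4242 34816 4242 4194304 1000 0 0 0 5 3 0 0 20 0\n";

/* comm is "a 1 2 3 4 512 b": fifteen bytes, every one chosen by the user. */
static const char stat_spaces[] =
    "4243 (a 1 2 3 4 512 b) S 4100 4243 4243 34816 4243 4194304 1000 0 0 0 5 3 0 0 20 0\n";

/* Same idea with a newline inside comm: a reader that stops at the first
 * newline never reaches the real fields at all. */
static const char stat_newline[] =
    "4244 (a\n1 2 3 4 512 b) S 4100 4244 4244 34816 4244 4194304 1000 0 0 0 5 3 0 0 20 0\n";

/* Accept only a non-negative all-digit token; "512)" or "S" yield -1. */
static long parse_num(const char *tok)
{
    char *end;
    long v;

    errno = 0;
    v = strtol(tok, &end, 10);
    if (end == tok || *end != '\0' || errno != 0 || v < 0)
        return -1;
    return v;
}

/* Tokenise s on blanks/newlines, numbering the first token `first`, and
 * return the token numbered `wanted` as a number (or -1 if absent/invalid). */
static long nth_field(const char *s, int first, int wanted)
{
    char buf[512];
    char *save, *tok;
    int field = first - 1;

    snprintf(buf, sizeof buf, "%s", s);
    for (tok = strtok_r(buf, " \n", &save); tok != NULL;
         tok = strtok_r(NULL, " \n", &save)) {
        if (++field == wanted)
            return parse_num(tok);
    }
    return -1;
}

/* Flawed approach: tokenise from the start of the line and take field 7.
 * Every blank inside comm shifts the count, so the user decides what
 * "field 7" is. */
long naive_tty_nr(const char *stat)
{
    return nth_field(stat, 1, 7);
}

/* Hardened approach: comm is the only field that can contain blanks or ')',
 * so skip to the LAST ')' in the whole buffer and resume counting at field 3.
 * Searching the whole buffer, not just its first line, is what keeps an
 * embedded newline from cutting the parse short. */
long hardened_tty_nr(const char *stat)
{
    const char *close = strrchr(stat, ')');

    if (close == NULL)
        return -1;
    return nth_field(close + 1, 3, 7);
}

/* Split a Linux dev_t as printed in tty_nr into major and minor numbers
 * (the kernel's own bit layout, so no sysmacros header is needed). */
unsigned tty_major(long dev) { return (dev >> 8) & 0xfffU; }
unsigned tty_minor(long dev) { return (dev & 0xffU) | ((dev >> 12) & 0xfff00U); }

int main(void)
{
    const char *names[] = { "normal", "spaces in comm", "newline in comm" };
    const char *stats[] = { stat_normal, stat_spaces, stat_newline };
    int i;

    for (i = 0; i < 3; i++) {
        long naive = naive_tty_nr(stats[i]);
        long hard = hardened_tty_nr(stats[i]);
        printf("%-16s naive=%ld (%u:%u)  hardened=%ld (%u:%u)\n", names[i],
               naive, tty_major(naive), tty_minor(naive),
               hard, tty_major(hard), tty_minor(hard));
    }
    return 0;
}
```

On the two doctored samples the naive parser returns 512 (major 2, minor 0), a device number the user wrote into his own process name, while the hardened parser returns the real terminal, 34816 (136:0), in all three cases. Whatever sudo then does with that device number, opening it and dup2()ing it onto the command's standard streams as the Qualys note describes, is done to a "terminal" the attacker picked.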

For an attack over this vector, CVE-2017-1000367, to work, the attacker must already have a local account on the server and an entry in sudoers (a restricted one is enough), and SELinux must be enabled. Those are narrow preconditions, but if you've gone to the trouble of protecting a server with SELinux, you don't want any chance of someone running rampant over it.

The security hole exists in sudo 1.7.10 through 1.7.10p9 inclusive and sudo 1.8.5 through 1.8.20p1 inclusive. Sudo 1.7.10 was released in September 2012, so essentially every Linux distribution released in the last five years shipped an affected version, although only systems with SELinux enabled can actually be attacked through it. The first fix, in sudo 1.8.20p1, was incomplete: it did not handle a command name that contains a newline, so 1.8.20p1 is still affected; sudo 1.8.20p2 closes that gap. To see what you are running, check the version on the first line of sudo -V output and run getenforce to see whether SELinux is on. Remember, though, that distributions backport fixes without changing the upstream version number, so your vendor's advisory, not the number alone, tells you whether a package is fixed.

That's the bad news. The good news is patches are available for almost all significant server Linux distributions. These include Debian, Red Hat, SUSE, and Ubuntu.

If you haven't patched your server yet, do so. Once Qualys believes sufficient time has passed for responsible sysadmins to have patched their systems, they will publish their sudo-to-root exploit, and a day or two later, hackers will release easy-to-run attack scripts.
