
Sudo (Debian) Linux Bug Allows Hackers To Execute Commands As Root User


securitybreach
Quote

According to the latest report published by The Debian Project, a Sudo vulnerability exists that allows hackers to gain access to root privileges and execute commands.

The vulnerability exists in the Sudo package (Sudo stands for “superuser do”) which allows users to execute programs and commands with security privileges of a superuser.

 

Tagged as CVE-2019-18634, the Sudo flaw has affected Debian GNU/Linux 9 “Stretch” operating system series running Sudo versions prior to 1.8.26 vis-à-vis versions 1.7.1 to 1.8.25p1.

Thankfully, the flaw can be exploited only when the “pwfeedback” option is enabled in Sudoers by the system administrator. According to the National Vulnerability Database, in the CVE-2019-18634 Linux flaw, “if pwfeedback is enabled in /etc/sudoers, users can trigger a stack-based buffer overflow in the privileged sudo process.”


However, Sudo developer Todd C. Miller says that the flaw can also be triggered even when Sudo permissions are not granted. It requires only pwfeedback to be enabled to exploit the flaw, as per Miller.

 

https://fossbytes.com/sudo-linux-bug-allows-hackers-execute-commands-root-user/
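
A defender-side check for the two conditions quoted above (pwfeedback set in sudoers, sudo version 1.7.1 to 1.8.25p1), as an added example that is not part of the original post or of sudo itself. The function names are hypothetical; the parser does not follow include directives and treats user- or host-scoped Defaults as global, and the sample invocation in the comments assumes the usual /etc/sudoers.d layout.

```shell
#!/bin/sh
# Added example (constructed for this thread, not project code).

# pwfeedback_enabled FILE...
# Returns 0 if the last Defaults setting seen across FILEs turns pwfeedback on.
# "Defaults !pwfeedback" switches it back off; commented-out lines are ignored.
pwfeedback_enabled() {
    awk '
        { sub(/#.*/, "") }                      # drop comments
        $1 ~ /^Defaults/ {
            n = split($0, opt, /[ \t,]+/)       # options are comma separated
            for (i = 1; i <= n; i++) {
                if (opt[i] == "pwfeedback")  on = 1
                if (opt[i] == "!pwfeedback") on = 0
            }
        }
        END { exit (on ? 0 : 1) }
    ' "$@"
}

# sudo_version_in_range VERSION
# Returns 0 if 1.7.1 <= VERSION < 1.8.26 (the range given in the article).
# Distro security updates can patch a package without changing the upstream
# number, so a hit here means "check the package changelog", not "vulnerable".
sudo_version_in_range() {
    v=${1%%p*}              # 1.8.25p1 -> 1.8.25
    v=${v%%[!0-9.]*}        # drop any packaging suffix
    old_ifs=$IFS; IFS=.
    set -- $v
    IFS=$old_ifs
    key=$(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
    [ "$key" -ge 1007001 ] && [ "$key" -lt 1008026 ]
}

# audit_sudo VERSION FILE...
# Returns 0 only when both conditions hold. On a live host, for example:
#   audit_sudo "$(sudo -V | sed -n '1s/^Sudo version //p')" /etc/sudoers /etc/sudoers.d/*
audit_sudo() {
    ver=$1; shift
    if pwfeedback_enabled "$@" && sudo_version_in_range "$ver"; then
        echo "REVIEW: pwfeedback is on and sudo $ver is in 1.7.1-1.8.25p1"
        return 0
    fi
    echo "pwfeedback/version check did not match (sudo $ver)"
    return 1
}
```

If the check matches, removing pwfeedback from the Defaults line (or adding `Defaults !pwfeedback`) with visudo closes the exposure until the package is updated.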

sunrat

Old news. This was fixed with a Debian security update on Feb 01 -

Hmmm, interesting. Posting a "Share" link shows an image of the first post in the topic but links to the correct post. Suboptimal. The posting box pops up an option to post as link instead:
https://forums.scotsnewsletter.com/index.php?/topic/22937-new-updates-debian/&do=findComment&comment=462539

 

Sudo is not installed by default in Debian unless a root password is not set during install. It's superfluous fluff IMHO for a single-user system.

  • +1 2

raymac46

Linux Mint sudo has been updated to an appropriate version.

securitybreach
1 hour ago, sunrat said:

Old news. This was fixed with a Debian security update on Feb 01 -

Hmmm, interesting. Posting a "Share" link shows an image of the first post in the topic but links to the correct post. Suboptimal. The posting box pops up an option to post as link instead:
https://forums.scotsnewsletter.com/index.php?/topic/22937-new-updates-debian/&do=findComment&comment=462539

 

Sudo is not installed by default in Debian unless a root password is not set during install. It's superfluous fluff IMHO for a single-user system.

 

Well the post was posted today on fossbytes. I wonder why they didn't research before posting.

securitybreach

Oddly enough, the US government has not even finished the analysis

CVE-2019-18634 Detail

 

https://nvd.nist.gov/vuln/detail/CVE-2019-18634

sunrat
2 hours ago, securitybreach said:

 

Well the post was posted today on fossbytes. I wonder why they didn't research before posting.

 

Debian security devs are usually really quick with stuff like this. And probably it was trivial to fix. It only affects Stretch too, which is oldstable. Most Debian users will be on Buster, current stable.

  • Like 1

V.T. Eric Layton

I received a security alert from Slackware a couple days ago about this. I already updated. I don't use sudo at all on my Slackware, anyway.

ebrke

If my aging memory serves me, OpenSUSE used to let you disable sudo. Apparently that's no longer the case, or I just can't find the setting in Security. I've always just logged in as su, holdover from my unix days.

Mauser
On 2/4/2020 at 8:57 PM, raymac46 said:

Linux Mint sudo has been updated to an appropriate version.

Did they ever fix the security hole where no password is asked for installing Flatpaks?

Mauser
On 2/5/2020 at 8:35 PM, ebrke said:

If my aging memory serves me, OpenSUSE used to let you disable sudo. Apparently that's no longer the case, or I just can't find the setting in Security. I've always just logged in as su, holdover from my unix days.

Actually when I ran openSUSE years ago sudo never worked. You had to use su instead.

securitybreach
3 minutes ago, Mauser said:

Did they ever fix the security hole where no password is asked for installing Flatpaks?

 

It's not a bug. Flatpak is installed globally and anyone in the sudo group can install a flatpak without typing sudo.

securitybreach
2 minutes ago, Mauser said:

Actually when I ran openSUSE years ago sudo never worked. You had to use su instead.

 

You have to set it up. https://en.opensuse.org/SDB:Administer_with_sudo

Mauser
Just now, securitybreach said:

 

It's not a bug. Flatpak is installed globally and anyone in the sudo group can install a flatpak without sudo.

I never said it's a bug. I said it's a security hole. Running all the time in sudo is another security hole.

securitybreach
Just now, Mauser said:

I never said it's a bug. I said it's a security hole. Running all the time in sudo is another security hole.

 

It's not a hole either. Sudo authenticates via your user password so if you are already authenticated, it goes through as intended.

securitybreach

Now, you can change that behavior if you want to. I have mine set to ask for the user password for some things and the root password for other things. It's all about how you set it up.

Mauser
Just now, securitybreach said:

 

It's not a hole either. Sudo authenticates via your user password so if you are already authenticated, it goes through as intended.

It's a security hole when it doesn't ask your password when installing Flatpaks like in Linux Mint.

securitybreach

 

If you say so.

Mauser
1 minute ago, securitybreach said:

Now, you can change that behavior if you want to. I have mine set to ask for the user password for some things and the root password for other things. It's all about how you set it up.

When I used Linux Mint they never told me that. They basically told me to pound sand. I exercised my first amendment rights and replaced Linux Mint with Xubuntu back then.

securitybreach

You could have just changed the behavior easily enough by editing /etc/sudoers.

V.T. Eric Layton
4 minutes ago, Mauser said:

When I used Linux Mint they never told me that.

 

Who exactly are you referring to when you say "they" here?

  • +1 1

Mauser
1 minute ago, V.T. Eric Layton said:

 

Who exactly are you referring to when you say "they" here?

The ones on the Linux Mint forum.

V.T. Eric Layton
11 minutes ago, Mauser said:

The ones on the Linux Mint forum.

 

Ah... well, that's a community support forum inhabited by many folks using Linux Mint and willing to assist others. However, the way you made it sound in your post was that you expected to be told something about the Free Linux Mint operating system that you chose to use and install.

 

You know it doesn't work that way. If you want to learn/know things about "free as beer" operating systems, you'll need to do your homework. No one is going to lead you by the hand. These OSes are NOT Windows, as I like to tell new Linux folks. It's a whole different world.

 

GNU/Linux does require some effort on the part of the new user. But, hey... I'm just practicing my typing here because I know you're aware of this already.

  • +1 1

securitybreach

:thumbup:

V.T. Eric Layton

Mauser, I'm not pickin' on you, man. It's just that for many, many years now I've seen so many new Linux users get all whizzed off because they don't feel they're getting the support they should be getting from the operating system choices they're making. My reply is usually something along the lines of, "Well, you're getting your money's worth" - meaning you paid nothing for the operating system that MANY people contributed MANY hours of their lives to help create and maintain. You can't expect RedHat Customer Support unless you're paying RedHat the BIG BUCKS for that.

 

Anyway, here at Scot's we pride ourselves on helping new and experienced Linux folks with even the most trivial issues. That goes 100% for the MS Windows folks here to assist Windows users with their issues. You've come to the right place for any assistance, but like anything in life, you have to put a little effort into it, too.

 

And, like I said above... I'm sure you know all this already.

 

Ugly storm coming my way in a bit. I may have to power down this soul-sucking box till tomorrow. We'll see how bad it gets in a few minutes...

 

securitybreach

Agreed and thanks Eric :thumbsup:

  • Agree 1

raymac46

I have not used Flatpaks in any way shape or form on Linux Mint so I can't comment about any security hole.

 

  • Like 1

securitybreach
2 minutes ago, raymac46 said:

I have not used Flatpaks in any way shape or form on Linux Mint so I can't comment about any security hole.

 

 

Same. I do not use any "universal" packages as they cannot be tracked by the package manager on my distro.

sunrat

I agree, containerised applications (Snap, Flatpak, AppImage) are a curse on Linux. In my opinion they are a far worse development than systemd ever was and I find it hard to believe there is not similar outrage about distros supporting their use. There's been a flood of support questions about them at both Debian and MX forums.

 

I rarely find the need to install anything from outside the distro repo and the handful I do are from dedicated 3rd party Debian repos or a couple of Python scripts. Currently that's just Strawberry, DeadBeef, Syncthing (it's in Debian but that version is missing a couple of functions), Flacon, SACAD, sacd, Pulseaudio Parametric Equalizer.

 

In case you're wondering, SACAD is Super Album Cover Automatic Downloader, whereas sacd is to convert a disk image of Super Audio CD to regular files. Flacon converts a single album FLAC file with cue list to multiple single track files.

  • +1 1

securitybreach
2 hours ago, sunrat said:

I agree, containerised applications (Snap, Flatpak, AppImage) are a curse on Linux. In my opinion they are a far worse development than systemd ever was and I find it hard to believe there is not similar outrage about distros supporting their use. There's been a flood of support questions about them at both Debian and MX forums.

 

I rarely find the need to install anything from outside the distro repo and the handful I do are from dedicated 3rd party Debian repos or a couple of Python scripts. Currently that's just Strawberry, DeadBeef, Syncthing (it's in Debian but that version is missing a couple of functions), Flacon, SACAD, sacd, Pulseaudio Parametric Equalizer.

 

In case you're wondering, SACAD is Super Album Cover Automatic Downloader, whereas sacd is to convert a disk image of Super Audio CD to regular files. Flacon converts a single album FLAC file with cue list to multiple single track files.

 

 

:thumbsup:
