Sudo (Debian) Linux Bug Allows Hackers To Execute Commands As Root User


securitybreach

securitybreach

According to the latest report published by The Debian Project, a Sudo vulnerability exists that allows hackers to gain access to root privileges and execute commands.

The vulnerability exists in the Sudo package (Sudo stands for “superuser do”) which allows users to execute programs and commands with security privileges of a superuser.

 

Tagged as CVE-2019-18634, the Sudo flaw has affected Debian GNU/Linux 9 “Stretch” operating system series running Sudo versions prior to 1.8.26 vis-à-vis versions 1.7.1 to 1.8.25p1.

Thankfully, the flaw can be exploited only when the “pwfeedback” option is enabled in Sudoers by the system administrator. According to the National Vulnerability Database, in the CVE-2019-18634 Linux flaw, “if pwfeedback is enabled in /etc/sudoers, users can trigger a stack-based buffer overflow in the privileged sudo process.”


However, Sudo developer Todd C. Miller says that the flaw can also be triggered even when Sudo permissions are not granted. It requires only pwfeedback to be enabled to exploit the flaw, as per Miller.

 

https://fossbytes.com/sudo-linux-bug-allows-hackers-execute-commands-root-user/
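The article above names two preconditions for CVE-2019-18634: the pwfeedback option being active in sudoers, and a sudo release in the 1.7.1 to 1.8.25p1 range (fixed in 1.8.26). The POSIX shell script below is an added example, not code from the fossbytes article, the Debian advisory or the sudo project, that checks both on a host. The function names (pwfeedback_enabled, sudo_version_affected, installed_sudo_version, demo) are my own, the sudoers content in demo is constructed for the demonstration, and installed_sudo_version assumes the first line of `sudo -V` reads "Sudo version X.Y.Z".

```sh
#!/bin/sh
# Added example, not code from the fossbytes article or the sudo project.
# Checks the two preconditions the article names for CVE-2019-18634:
#   1. the "pwfeedback" option is active in a sudoers file, and
#   2. the installed sudo is in the affected range 1.7.1 .. 1.8.25p1 (fixed in 1.8.26).

# Exit 0 if an active "Defaults ... pwfeedback" entry exists in the given file.
# Comment lines are skipped, and "!pwfeedback" (which disables the option) does
# not count, because the option name must be preceded by whitespace, a comma
# or the start of the line.
pwfeedback_enabled() {
    grep -Ev '^[[:space:]]*#' "$1" \
      | grep -E '^[[:space:]]*Defaults' \
      | grep -Eq '(^|[[:space:],])pwfeedback([[:space:],]|$)'
}

# Exit 0 if a sudo version string such as "1.8.25p1" lies in the affected range.
# A trailing "pN" patch-level suffix is dropped before comparing, so 1.8.25 and
# 1.8.25p1 both count as affected while 1.8.26 does not.
sudo_version_affected() {
    base=$(printf '%s' "$1" | sed 's/p[0-9]*$//')
    major=$(printf '%s' "$base" | cut -d. -f1)
    minor=$(printf '%s' "$base" | cut -d. -f2)
    patch=$(printf '%s' "$base" | cut -d. -f3)
    # encode major.minor.patch as one integer: 1.7.1 -> 1007001, 1.8.25 -> 1008025
    num=$(( ${major:-0} * 1000000 + ${minor:-0} * 1000 + ${patch:-0} ))
    [ "$num" -ge 1007001 ] && [ "$num" -le 1008025 ]
}

# Reads the version of the sudo binary on this host from "sudo -V"
# (assumed first line: "Sudo version X.Y.Z"). Prints nothing if sudo is absent.
installed_sudo_version() {
    sudo -V 2>/dev/null | sed -n 's/^Sudo version //p' | head -n 1
}

# Demonstration on constructed sudoers content (not a real system file):
# writes a temporary file, runs both checks and reports the result.
demo() {
    tmp=$(mktemp) || return 1
    cat > "$tmp" <<'EOF'
# pwfeedback mentioned in a comment must be ignored
Defaults        env_reset
Defaults        mail_badpass
Defaults        pwfeedback
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
EOF
    if pwfeedback_enabled "$tmp"; then
        echo "pwfeedback is active: remove it with visudo or upgrade sudo to 1.8.26 or later"
    else
        echo "pwfeedback is not active"
    fi
    rm -f "$tmp"

    ver=$(installed_sudo_version)
    if [ -n "$ver" ]; then
        if sudo_version_affected "$ver"; then
            echo "installed sudo $ver is in the affected range"
        else
            echo "installed sudo $ver is outside the affected range"
        fi
    fi
}

demo
```

To check a real host, point pwfeedback_enabled at /etc/sudoers and at each file under /etc/sudoers.d (reading them needs root). If the option is active, the fix is either dropping that Defaults line with visudo or applying the distribution's updated sudo package; the version check alone is not sufficient, because a patched package can keep the old upstream version string.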

Old news. This was fixed with a Debian security update on Feb 01 -

Hmmm, interesting. Posting a "Share" link shows an image of the first post in the topic but links to the correct post. Suboptimal. The posting box pops up an option to post as link instead:
https://forums.scotsnewsletter.com/index.php?/topic/22937-new-updates-debian/&do=findComment&comment=462539

 

Sudo is not installed by default in Debian unless a root password is not set during install. It's superfluous fluff IMHO for a single-user system.

securitybreach
1 hour ago, sunrat said:

Old news. This was fixed with a Debian security update on Feb 01 -

Hmmm, interesting. Posting a "Share" link shows an image of the first post in the topic but links to the correct post. Suboptimal. The posting box pops up an option to post as link instead:
https://forums.scotsnewsletter.com/index.php?/topic/22937-new-updates-debian/&do=findComment&comment=462539

 

Sudo is not installed by default in Debian unless a root password is not set during install. It's superfluous fluff IMHO for a single-user system.

 

Well, the post was posted today on fossbytes. I wonder why they didn't research before posting.

securitybreach

Oddly enough, the US government has not even finished the analysis

CVE-2019-18634 Detail

 

https://nvd.nist.gov/vuln/detail/CVE-2019-18634

2 hours ago, securitybreach said:

 

Well, the post was posted today on fossbytes. I wonder why they didn't research before posting.

 

Debian security devs are usually really quick with stuff like this. And probably it was trivial to fix. It only affects Stretch too, which is oldstable. Most Debian users will be on Buster, current stable.

V.T. Eric Layton

I received a security alert from Slackware a couple days ago about this. I already updated. I don't use sudo at all on my Slackware, anyway.

If my aging memory serves me, OpenSUSE used to let you disable sudo. Apparently that's no longer the case, or I just can't find the setting in Security. I've always just logged in as su, holdover from my unix days.

On 2/4/2020 at 8:57 PM, raymac46 said:

Linux Mint sudo has been updated to an appropriate version.

Did they ever fix the security hole of no password being asked for installing Flatpaks?

On 2/5/2020 at 8:35 PM, ebrke said:

If my aging memory serves me, OpenSUSE used to let you disable sudo. Apparently that's no longer the case, or I just can't find the setting in Security. I've always just logged in as su, holdover from my unix days.

Actually, when I ran openSUSE years ago sudo never worked. You had to use su instead.

securitybreach
3 minutes ago, Mauser said:

Did they ever fix the security hole of no password being asked for installing Flatpaks?

 

It's not a bug. Flatpak is installed globally and anyone in the sudo group can install a flatpak without typing sudo.

Just now, securitybreach said:

 

It's not a bug. Flatpak is installed globally and anyone in the sudo group can install a flatpak without sudo.

I never said it's a bug. I said it's a security hole. Running all the time in sudo is another security hole.

securitybreach
Just now, Mauser said:

I never said it's a bug. I said it's a security hole. Running all the time in sudo is another security hole.

 

It's not a hole either. Sudo authenticates via your user password so if you are already authenticated, it goes through as intended.

securitybreach

Now, you can change that behavior if you want to. I have mine set to ask for the user password for some things and the root password for other things. It's all about how you set it up.

Just now, securitybreach said:

 

It's not a hole either. Sudo authenticates via your user password so if you are already authenticated, it goes through as intended.

It's a security hole when it doesn't ask for your password when installing Flatpaks, like in Linux Mint.

1 minute ago, securitybreach said:

Now, you can change that behavior if you want to. I have mine set to ask for the user password for some things and the root password for other things. It's all about how you set it up.

When I used Linux Mint they never told me that. They basically told me to pound sand. I exercised my first amendment rights and replaced Linux Mint with Xubuntu back then.

V.T. Eric Layton
4 minutes ago, Mauser said:

When I used Linux Mint they never told me that.

 

Who exactly are you referring to when you say "they" here?

V.T. Eric Layton
11 minutes ago, Mauser said:

The ones on the Linux Mint forum.

 

Ah... well, that's a community support forum inhabited by many folks using Linux Mint and willing to assist others. However, the way you made it sound in your post was that you expected to be told something about the Free Linux Mint operating system that you chose to use and install.

 

You know it doesn't work that way. If you want to learn/know things about "free as beer" operating systems, you'll need to do your homework. No one is going to lead you by the hand. These OSes are NOT Windows, as I like to tell new Linux folks. It's a whole different world.

 

GNU/Linux does require some effort on the part of the new user. But, hey... I'm just practicing my typing here because I know you're aware of this already.

V.T. Eric Layton

Mauser, I'm not pickin' on you, man. It's just that for many, many years now I've seen so many new Linux users get all whizzed off because they don't feel they're getting the support they should be getting from the operating system choices they're making. My reply is usually something along the lines of, "Well, you're getting your money's worth" - meaning you paid nothing for the operating system that MANY people contributed MANY hours of their lives to help create and maintain. You can't expect RedHat Customer Support unless you're paying RedHat the BIG BUCKS for that.

 

Anyway, here at Scot's we pride ourselves on helping new and experienced Linux folks with even the most trivial issues. That goes 100% for the MS Windows folks here to assist Windows users with their issues. You've come to the right place for any assistance, but like anything in life, you have to put a little effort into it, too.

 

And, like I said above... I'm sure you know all this already.

 

Ugly storm coming my way in a bit. I may have to power down this soul-sucking box till tomorrow. We'll see how bad it gets in a few minutes...

 

securitybreach
2 minutes ago, raymac46 said:

I have not used Flatpaks in any way shape or form on Linux Mint so I can't comment about any security hole.

 

 

Same. I do not use any "universal" packages as they cannot be tracked by the package manager on my distro.

I agree, containerised applications (Snap, Flatpak, Appimage) are a curse on Linux. In my opinion they are a far worse development than systemd ever was and I find it hard to believe there is not similar outrage about distros supporting their use. There's been a flood of support questions about them at both Debian and MX forums.

 

I rarely find the need to install anything from outside the distro repo and the handful I do are from dedicated 3rd party Debian repos or a couple of Python scripts. Currently that's just Strawberry, DeadBeef, Syncthing (it's in Debian but that version is missing a couple of functions), Flacon, SACAD, sacd, Pulseaudio Parametric Equalizer.

 

In case you're wondering, SACAD is Super Album Cover Automatic Downloader, whereas sacd is to convert a disk image of Super Audio CD to regular files. Flacon converts a single album FLAC file with cue list to multiple single track files.

securitybreach
2 hours ago, sunrat said:

I agree, containerised applications (Snap, Flatpak, Appimage) are a curse on Linux. In my opinion they are a far worse development than systemd ever was and I find it hard to believe there is not similar outrage about distros supporting their use. There's been a flood of support questions about them at both Debian and MX forums.

 

I rarely find the need to install anything from outside the distro repo and the handful I do are from dedicated 3rd party Debian repos or a couple of Python scripts. Currently that's just Strawberry, DeadBeef, Syncthing (it's in Debian but that version is missing a couple of functions), Flacon, SACAD, sacd, Pulseaudio Parametric Equalizer.

 

In case you're wondering, SACAD is Super Album Cover Automatic Downloader, whereas sacd is to convert a disk image of Super Audio CD to regular files. Flacon converts a single album FLAC file with cue list to multiple single track files.

 

 

:thumbsup:
