
Decade-old bug in Linux world's sudo can be abused by any logged-in user to gain root privileges
2021-01-26 21:12

Security researchers from Qualys have identified a critical heap buffer overflow vulnerability in sudo that can be exploited by rogue users to take over the host system.

Sudo is an open-source command-line utility widely used on Linux and other Unix-flavored operating systems.

The bug found by Qualys allows any local user to gain root-level access on a vulnerable host in its default configuration.

The following versions of sudo are affected: 1.8.2 through 1.8.31p2 and 1.9.0 through 1.9.5p1. Qualys developed exploits for several Linux distributions, including Ubuntu 20.04, Debian 10, and Fedora 33, and the security biz believes other distributions are vulnerable, too.
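A defender-side version check built from the affected ranges quoted above. This is an added example written for this page, not code from the Register article or from Qualys; it assumes `sudo --version` prints the upstream version on a line beginning `Sudo version`, and the sample output it parses is constructed.

```python
import re
import subprocess

# Affected ranges as stated above (inclusive), held as comparable tuples of
# (major, minor, patch, p-level), so "1.8.31p2" becomes (1, 8, 31, 2).
AFFECTED_RANGES = [
    ((1, 8, 2, 0), (1, 8, 31, 2)),
    ((1, 9, 0, 0), (1, 9, 5, 1)),
]

# Upstream sudo version strings look like "1.8.31" or "1.9.5p1".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:p(\d+))?$")


def parse_sudo_version(text):
    """Turn a sudo version string such as '1.8.31p2' into a comparable tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised sudo version: {text!r}")
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def is_affected(version):
    """True if the version falls inside one of the affected ranges."""
    v = parse_sudo_version(version)
    return any(low <= v <= high for low, high in AFFECTED_RANGES)


def version_from_output(output):
    """Pull the version out of `sudo --version` output ('Sudo version X' line)."""
    m = re.search(r"^Sudo version (\S+)", output, re.MULTILINE)
    if not m:
        raise ValueError("no 'Sudo version' line found")
    return m.group(1)


def check_local_sudo():
    """Run `sudo --version` (no privileges needed) and classify the result."""
    proc = subprocess.run(["sudo", "--version"], capture_output=True, text=True, check=True)
    version = version_from_output(proc.stdout)
    return version, is_affected(version)


# Constructed sample output, shaped like the first lines `sudo --version` prints.
SAMPLE_OUTPUT = "Sudo version 1.8.31\nSudoers policy plugin version 1.8.31\n"

if __name__ == "__main__":
    v = version_from_output(SAMPLE_OUTPUT)
    print(f"sample: sudo {v} affected={is_affected(v)}")
```

Distribution packages often backport the fix without changing the upstream version string, so treat a match from `check_local_sudo()` as a prompt to check the package changelog rather than as proof the host is exposed.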

In a statement, Mehul Revankar, VP of product management and engineering at Qualys, said the vulnerability "is perhaps the most significant sudo vulnerability in recent memory and has been hiding in plain sight for nearly 10 years."

Noting that sudo is nearly ubiquitous and is available by default in most Linux systems, Revankar said there are likely to be millions of vulnerable systems that need to be patched.

News URL

https://go.theregister.com/feed/www.theregister.com/2021/01/26/qualys_sudo_bug/
