Canonical has issued an urgent security fix to the ‘sudo’ package in the Ubuntu archives following the discovery of a major security flaw.

A critical fix has rolled out to all users of Ubuntu 16.04 LTS, 18.04 LTS, 19.04 and 19.10 (and one assumes Ubuntu 14.04 ESR too) — just run a sudo apt upgrade to install it.

But what about the flaw inquisition? Well, if you’re yet to hear about it, I appreciate your meditative disconnect from social media. The oft toxic waste pools of chatter were wet with alarm — some manufactured, the rest well weighted — over CVE-2019-14287 when it was announced yesterday, October 14.

The exploit, described by TheHackerNews, who also first reported the flaw, is thus:

“The vulnerability in question is a sudo security policy bypass issue that could allow a malicious user or a program to execute arbitrary commands as root on a targeted Linux system even when the “sudoers configuration” explicitly disallows the root access.”

In other words: it’s possible for someone to gain root access to a Linux system by specifying the user ID “-1”.

Now, I am not a security expert by any stretch — I use automatic login on everything — but I have to say this specific flaw stands out for being so… basic.

I’m used to headline exploits being obtuse or complicated, requiring a highly targeted and unconventional attack vector or unique deployment method, and a comsci degree to understand.

But this one? It could, in theory, be triggered on an affected system — which in this instance is almost anything running Linux — by issuing a simple command…

All moot, mind; though the implications of the issue are mildly terrifying, any worry is redundant now that a security patch is live and available.

So if you haven’t installed the update to sudo yet, stop reading and go do it!
