Canonical has issued an urgent security fix to the ‘sudo’ package in the Ubuntu archives following the discovery of a major security flaw.
A critical fix has rolled out to all users of Ubuntu 16.04 LTS, 18.04 LTS, 19.04 and 19.10 (and one assumes Ubuntu 14.04 ESR too) — just run a sudo apt upgrade to install it.
But what about the flaw inquisition? Well, if you’re yet to hear about it I appreciate meditative disconnect from social media. The oft toxic waste pools of chatter were with wet with alarm — some manufactured, the rest well weighted — over CVE-2019-14287 when it was announced yesterday, October 14.
The exploit, described by TheHackerNews, who also first reported the flaw, is thus:
“The vulnerability in question is a sudo security policy bypass issue that could allow a malicious user or a program to execute arbitrary commands as root on a targeted Linux system even when the “sudoers configuration” explicitly disallows the root access.”
In other words: it’s possible for someone to gain root access to a Linux system by specifying the user ID “-1” .
Now, I am not a security expert by any stretch — I use automatic login on everything — but I have to say this specific flaw stands out for being so …basic.
I’m used to headline exploits being obtuse or complicated, requiring a highly targeted and unconventional attack vector or unique deployment method, and a comsci degree to understand.
But this one? It could, in theory, be triggered on an affected system — which in this instance is almost anything running Linux — by issuing a simple command…
All moot, mind; though the implications of the issue are mildly terrifying any worry is redundant now that a security patch is live and available.
So if you haven’t installed the update to sudo yet, stop reading and go do it!