Critical security flaw in sudo

greenjeans · 2025-10-08 18:59:43

https://thehackernews.com/2025/09/cisa- … -flaw.html

"Sudo contains an inclusion of functionality from an untrusted control sphere vulnerability," CISA said. "This vulnerability could allow a local attacker to leverage sudo's -R (--chroot) option to run arbitrary commands as root, even if they are not listed in the sudoers file."

Great, I don't even use sudo and it's STILL a security risk.

golinux · 2025-10-08 19:16:22

Great, I don't even use sudo and it's STILL a security risk.

Me too . . .

Altoid · 2025-10-08 19:44:32

Hello:

greenjeans wrote:

... a security risk.

Yes, it is.

But it is a local privilege escalation and (for now) it only affects sudo 1.9.14 to 1.9.17.

See here: https://gbhackers.com/poc-published-for … e-to-root/

gbhackers.com wrote:

... legacy versions prior to 1.9.14 remain unaffected since the vulnerable chroot feature did not exist in earlier releases.

I wonder what happened to do one thing and do it well?

That said, my up-to-date Devuan Daedalus (and yours) runs 1.9.13p3:

$ apt list | grep installed | grep sudo
--- snip ---
sudo/stable,stable-security,now 1.9.13p3-1+deb12u2 amd64 [installed]
$

So ...
Stay the course, everything wil be back to normal soon.

Best,

A.

Last edited by Altoid (2025-10-08 20:11:19)

golinux · 2025-10-08 20:03:08

@Altoid . . . I did not write that quote. greenjeans did . . . .l;

greenjeans · 2025-10-08 20:06:56

This is what I really like about Altoid, always a voice of reasonableness in a sea of chaos. Cheers buddy!

Altoid · 2025-10-08 20:15:20

Hello:

golinux wrote:

... did not write that quote.

Hmm ....
What'chu talkin' 'bout, Willis?

Oh, right ...
Taken care of.

Best,

A.

golinux · 2025-10-08 20:18:15

Hehehehe . . . maybe more coffee?

Altoid · 2025-10-08 20:23:22

Hello:

greenjeans wrote:

... reasonableness in a sea of chaos.

Nah ...
It was a fluke.

Probably remembered to take the green one this morning.
Or was it the red one? Can't recall.

That said, what's wrong with the proven and reliable chroot that it now has to have such a useful feature?
It never ends, does it?

Best,

A.

fsmithred · 2025-10-08 22:28:52

Fixed in trixie and forky/sid. (i.e. excalibur and freia/ceres) Older versions not affected.
https://security-tracker.debian.org/tra … 2025-32463

(I duck-searched the CVE with the words 'debian security' - first hit.)

stargate-sg1-cheyenne-mtn · 2025-10-09 04:08:54

@All, thanks for the timely rundown. visited the webpage @fsmithred linked and figured while i had the tab open i would slip in a little xkcd enjoyment...

so

enjoy

keyword(s): sudo make me a sandwich & santa claus naughty list

greenjeans · 2025-10-09 14:50:36

^^ I literally have a T-shirt with the sudo make me a sandwich cartoon on it, found it in a secondhand store years ago.

zapper · 2025-10-10 05:34:07

I prefer doas myself to be honest. It is much less complicated but still has the functionality I need in sudo/su.

I use that even on devuan/gnuinos

With jwmkit combined with doas, I can shutdown properly or poweroff properly.

I cannot make heads or tails on how to do the same thing with sudo lol. There is just too much to sort out in that sudoers file

xD

Last edited by zapper (2025-10-12 08:17:55)

blackhole · 2025-10-16 07:47:44

These were fixed back in June: https://git.sudo.ws/sudo/commit/?id=23aff2b37

To add some much needed perspective:

https://www.cvedetails.com/vendor/15714/
https://www.cvedetails.com/vendor/33/Linux.html

Yet none here seem concerned about running the Linux kernel...

Last edited by blackhole (2025-10-16 08:13:30)

zapper · 2025-10-19 04:53:15

@blackhole I suppose that could be a risk as well.

Truthfully, most software has vulnerabilities unless it doesn't connect to something that doesn't do anything online.

Although I suppose it could be more indirect than that.

blackhole · 2025-10-22 10:07:18

I was attempting to point out that sudo's record for vulnerabilities is considerably better than that of the Linux kernel, for example.

I think sudo has a bad press because of the association with Ubuntu - even though it was actually developed by an OpenBSD developer and the Ubuntu default configuration of sudo actually makes no sense, unless one specifically wants the auditing - otherwise su will suffice.

Aside from the above, sudo makes sense in settings where you want to alliow someone to carry out a specific task, which requires root privileges, without giving them root.

tux_99 · 2025-10-22 10:25:28

I don't see any point in sudo on a private destop/laptop PC, therefore I usually uninstall it (I hate it when distros make other essential packages unnecessarily depend on sudo, I'm talking to you Manjaro...) or if it can't be uninstalled due to dependencies then i remove the suid permission from the sudo binary:

# ls -la /usr/bin/sudo
-rwsr-xr-x 1 root root 257136 Jun 30 18:25 /usr/bin/sudo*
[manjaro-vm testuser1]# chmod -s /usr/bin/sudo
[manjaro-vm testuser1]# ls -la /usr/bin/sudo
-rwxr-xr-x 1 root root 257136 Jun 30 18:25 /usr/bin/sudo*

After removing the suid permission it is a good idea to block sudo from being updated to avoid that the next update changes the permission back again.

Without the suid permission sudo becomes harmless and useless as it can't elevate it's privileges to root anymore.

Last edited by tux_99 (2025-10-22 10:30:38)

Altoid · 2025-10-22 11:01:36

Hello:

blackhole wrote:

... where you want to alliow someone to carry out a specific task ...

Exactly what it was written for.
I have a long list in sudoers.d, some with, some without PW, for myself.
As an added value, the auditing is also a helpful tool for remembering what was and when.

PCLinuxOS devs make the point quite well: https://pclosmag.com/html/Issues/201205/page11.html

Best,

A.

blackhole · 2025-10-22 15:01:33

Altoid wrote:

Exactly what it was written for.

Well it's kind of down to interpretation:

Sudo (su “do”) allows a system administrator to delegate authority to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while providing an audit trail of the commands and their arguments. For more information, see the introduction to Sudo.

https://www.sudo.ws/

I think that sums it up well. But while the functionality to give a user the privileges to run all commands as root is there, that doesn't necessarily mean it's a good idea. It's just a statement of fact that it can be used for that (the rm command can also be used to delete all of your files, or just one, for example).

sudo has been around for a very long time:

Sudo was first conceived and implemented by Bob Coggeshall and Cliff Spencer around 1980 at the Department of Computer Science at SUNY/Buffalo. It ran on a VAX-11/750 running 4.1BSD.

So, yes not really needed for or designed for domestic / home users PCs.

Canonical/Ubuntu and a few others utilised it simply as a means to eliminate / hide the root account, in order to appease migrants from Windows, and to implement an environment with more "hand holding" (protecting users from themselves). This was all based on the idea that users new Linux would do stupid things, such as running an X session or file manager as root. From this you'd get breakage, and inevitably "back to Windows", which equates to bad press / reputation for the distribution - something Canonical as a commercial entity had wanted to avoid.

I would not rank sudo alongside other controversial or problematic software, such as systemd, wayland, pulseaudio, rust, etc... and in the grand scheme of things, sudo's security track record isn't bad, when compared to those and to the Linux kernel itself.

But, if you don't use it, then I believe it's wise to remove it - that is if you're certain it's not being used by a script you may use/depend on without knowing it.

Last edited by blackhole (2025-10-22 15:02:25)

chris2be8 · 2025-10-22 16:23:55

I made good use of sudo while I was working as a UNIX systems admin. On a system with several users it can allow selected users to do things as root or another ID but not do anything really dangerous. The ability to get to a root shell was limited to admin staff who *should* know what they were doing. Sudo wasn't designed for systems with only 1 user.

Although it doesn't give quite such fine control as ACF2 on a MVS cum z/OS system. But that's a very different ball game.

greenjeans · 2025-10-22 17:06:50

PCLinuxOS devs make the point quite well: https://pclosmag.com/html/Issues/201205/page11.html

Nice. I know Old-P from back in the day, brilliant and ornery, lol, he and Bill were like a one-two punch of cantankerous, but I reckon all Linux folk are to some level. Good sense of humor though the both of them, I learned a lot from those guys. And i'm still in agreement about sudo after all these years.

The officially official Devuan Forum!

#1 2025-10-08 18:59:43

Critical security flaw in sudo

#2 2025-10-08 19:16:22

Re: Critical security flaw in sudo

#3 2025-10-08 19:44:32

Re: Critical security flaw in sudo

#4 2025-10-08 20:03:08

Re: Critical security flaw in sudo

#5 2025-10-08 20:06:56

Re: Critical security flaw in sudo

#6 2025-10-08 20:15:20

Re: Critical security flaw in sudo

#7 2025-10-08 20:18:15

Re: Critical security flaw in sudo

#8 2025-10-08 20:23:22

Re: Critical security flaw in sudo

#9 2025-10-08 22:28:52

Re: Critical security flaw in sudo

#10 2025-10-09 04:08:54

Re: Critical security flaw in sudo

#11 2025-10-09 14:50:36

Re: Critical security flaw in sudo

#12 2025-10-10 05:34:07

Re: Critical security flaw in sudo

#13 2025-10-16 07:47:44

Re: Critical security flaw in sudo

#14 2025-10-19 04:53:15

Re: Critical security flaw in sudo

#15 2025-10-22 10:07:18

Re: Critical security flaw in sudo

#16 2025-10-22 10:25:28

Re: Critical security flaw in sudo

#17 2025-10-22 11:01:36

Re: Critical security flaw in sudo

#18 2025-10-22 15:01:33

Re: Critical security flaw in sudo

#19 2025-10-22 16:23:55

Re: Critical security flaw in sudo

#20 2025-10-22 17:06:50

Re: Critical security flaw in sudo

Board footer