Follow Cyber Kendra on Google News! | WhatsApp | Telegram

Critical Sudo Vulnerabilities Leads Root Access to Any Linux User

Sudo vulnerability

Two newly disclosed vulnerabilities in Sudo, the ubiquitous Linux privilege escalation tool, could allow virtually any local user to gain complete administrative control over affected systems. The flaws, tracked as CVE-2025-32462 and CVE-2025-32463, impact millions of Linux installations worldwide and require immediate patching.

The vulnerabilities affect Sudo versions spanning over a decade, with CVE-2025-32462 remaining undetected for 12 years since its introduction in version 1.8.8. The more recent CVE-2025-32463 was introduced in June 2023 with version 1.9.14. Together, these flaws impact virtually every major Linux distribution, including Ubuntu, Fedora, and macOS systems.

"The default Sudo configuration is vulnerable," warns the security advisory from Stratascale Cyber Research Unit, which discovered both vulnerabilities. "Any local unprivileged user could potentially escalate privileges to root if a vulnerable version is installed."

The first vulnerability (CVE-2025-32462) exploits Sudo's host option (-h), originally designed to list user privileges on remote systems. Due to a logic flaw, attackers can use this option to execute commands by referencing rules intended for other hosts. 

For example, if a sudoers file contains rules like "alice cerebus = ALL" (allowing user alice full access on host cerebus), an attacker named alice can run "sudo -h cerebus id" on any system to gain root access.

The second vulnerability (CVE-2025-32463) is more sophisticated, targeting Sudo's chroot functionality. When users invoke Sudo with the chroot option (-R), the system loads configuration files from the untrusted chroot environment. Attackers can manipulate the Name Service Switch configuration (/etc/nsswitch.conf) to load malicious shared libraries, achieving code execution with root privileges.

"Allowing a low-privileged user the ability to call chroot() with root authority to a writable location can have various security risks," the researchers explain. The exploit involves creating a malicious shared library that automatically executes when loaded by the system's user lookup functions.

Enterprise Environments Are Particularly Vulnerable

Organizations using centralized sudoers files distributed across multiple systems face heightened risk from CVE-2025-32462. The vulnerability particularly impacts environments using LDAP-based sudoers configurations, where host-specific rules are commonly employed for access control.

"Sites that use a common sudoers file that is distributed to multiple machines are similarly impacted," the advisory notes. This configuration pattern is standard in enterprise environments seeking to maintain consistent access policies across their infrastructure.

Immediate Action Required

System administrators must urgently update to Sudo version 1.9.17p1 or later, as no workarounds exist for either vulnerability. The chroot option has been deprecated in the latest version due to its inherent security risks.

Security teams should audit their sudoers configurations for host-specific rules and chroot usage. The researchers recommend searching system logs for "CHROOT=" entries and reviewing all sudoers files in /etc/sudoers and /etc/sudoers.d directories.

With proof-of-concept code now publicly available on GitHub, the window for exploitation has significantly widened. Organizations should treat these vulnerabilities as critical and prioritize immediate patching to prevent potential system compromises.

Post a Comment