Sudo Bug Lets Non-Privileged Linux and macOS Users Run Commands as Root (Feb 3, 2020)
A vulnerability has been found in the “sudo” utility used on Linux and macOS systems that gives non-root (low-privileged) users the ability to execute administrative commands. The vulnerability is registered as “CVE-2019-18634” and affects sudo versions before 1.8.26. Apple security researcher Joe Vennix realised it can be exploited when the “pwfeedback” option is set in the sudo configuration file. “pwfeedback” provides visual asterisk (*) feedback while users type passwords at the console; it is not enabled by default in most upstream versions of sudo, but it is enabled by default in certain distributions, including Linux Mint and Elementary OS.
Recommendation: Running “sudo -l” lets users identify whether their sudo configuration is vulnerable by checking the “Matching Defaults entries” output for the “pwfeedback” option. If “pwfeedback” is enabled, it can be disabled by changing “Defaults pwfeedback” to “Defaults !pwfeedback” in the sudo configuration file, which prevents the bug from being exploited. As this story shows, it is crucial that policies are in place to ensure that all employees install patches as soon as they are made available, in order to prevent exploitation by malicious actors.
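The check above can be scripted for fleet-wide triage. The following is an added example, not part of the original story: it parses the “Matching Defaults entries” block of “sudo -l” output and reports whether “pwfeedback” is in effect, treating the negated form “!pwfeedback” as disabled. The sample outputs, the user name “alice” and the host name “host1” are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original advisory): decide from "sudo -l" output
# whether the pwfeedback option is in effect on this host.

# Constructed sample of "sudo -l" output from a host where pwfeedback is enabled.
SAMPLE_ENABLED='Matching Defaults entries for alice on host1:
    env_reset, pwfeedback, mail_badpass,
    secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User alice may run the following commands on host1:
    (ALL : ALL) ALL'

# Constructed sample where the option has been negated ("Defaults !pwfeedback").
SAMPLE_DISABLED='Matching Defaults entries for alice on host1:
    env_reset, !pwfeedback, mail_badpass

User alice may run the following commands on host1:
    (ALL : ALL) ALL'

# pwfeedback_enabled: reads "sudo -l" output on stdin, prints "enabled" or
# "disabled", and returns 0 when pwfeedback is in effect, 1 otherwise.
pwfeedback_enabled() {
    # Keep only the "Matching Defaults entries" block (up to the first blank
    # line), split it into one option per line, trim whitespace, and look for a
    # line that is exactly "pwfeedback". "!pwfeedback" therefore does not match,
    # and neither does the header line, which has no bare pwfeedback token.
    if sed -n '/^Matching Defaults entries/,/^$/p' \
        | tr ',' '\n' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
        | grep -qx 'pwfeedback'; then
        echo enabled
        return 0
    fi
    echo disabled
    return 1
}

# On a live host, run:  sudo -l | pwfeedback_enabled
# If it reports "enabled", set "Defaults !pwfeedback" via visudo (or update sudo).
```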
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.