Bug in SUDO allows any user to get root privileges

Unless you don't have sudo installed – in that case, you're good... for now. ;)

I usually use `su - $USER`, and so don't usually install sudo.
 
> How did this bug go unnoticed for almost 10 years?

Sometimes it's easier to see when something is done wrong, than to see something not being done at all. Also, it's a pretty small program whose code is probably rarely modified. I doubt it's looked at often, even.

And being that it works "fine" in most cases without this patch (in fact, the patch will more than likely break a lot of scripts), it's not something you'd easily catch in the wild (devs would have to spot it).
 
> How did this bug go unnoticed for almost 10 years?

Because exploits are almost never obvious in the code. It is things interacting in unexpected ways. You don't usually find security vulnerabilities with a code audit, you find them by beating on a running system and getting unexpected behaviour. Same crap happened with BIND (DNS server) back in 2000. They discovered a bug that had been present in it since its inception, nobody had ever noticed it.

Computer security will always be an ongoing process; there is no magic way to generate bug-free code, and no amount of review can find everything.
 
> Because exploits are almost never obvious in the code. It is things interacting in unexpected ways. You don't usually find security vulnerabilities with a code audit, you find them by beating on a running system and getting unexpected behaviour. Same crap happened with BIND (DNS server) back in 2000. They discovered a bug that had been present in it since its inception, nobody had ever noticed it.
>
> Computer security will always be an ongoing process; there is no magic way to generate bug-free code, and no amount of review can find everything.

To an outsider looking in, it seems like something that would have been obvious, especially looking at the actual code.
 
> To an outsider looking in, it seems like something that would have been obvious, especially looking at the actual code.

There's plenty of stuff that is obvious when you know what to look for, invisible when you don't. This is likely one of those. It is also possible that it is simply code that almost nobody looks at. The "many eyes" claim of OSS is a myth. While anyone CAN review any code, that doesn't mean everyone DOES or the people that do are any good. You get some projects where there is one dude who works on it, and nobody else ever looks at it because they don't care.

Now for a tool as fundamental as sudo, it has probably been formally audited by companies like IBM and Redhat, and probably also by places like the NSA. So it may just be that this is obvious since you have been told what to look for and where, but if you didn't know it passed unnoticed even to experts.
 
> There's plenty of stuff that is obvious when you know what to look for, invisible when you don't. This is likely one of those. It is also possible that it is simply code that almost nobody looks at. The "many eyes" claim of OSS is a myth. While anyone CAN review any code, that doesn't mean everyone DOES or the people that do are any good. You get some projects where there is one dude who works on it, and nobody else ever looks at it because they don't care.
>
> Now for a tool as fundamental as sudo, it has probably been formally audited by companies like IBM and Redhat, and probably also by places like the NSA. So it may just be that this is obvious since you have been told what to look for and where, but if you didn't know it passed unnoticed even to experts.

They just need me on the team. I am an expert in breaking things down into their simplest logical pieces. :cool:
 
[H] is on the ball!

I saw the vulnerability show up directly from Qualys, but bleeping computer seems to be one of the first new sites to pick this up.

This is going to be a big race to get everything patched for sure. The only good news is you do need that initial attack vector, but I'm guessing there are multiple ways to accomplish that.
 
Local buffer exploits like this are pretty commonplace. While we hate to see it in a piece of software that's considered "a standard part" of a Linux distribution, and one where elevated privileges are easy to get, it does happen. Remotely exploitable? Not directly. So, like any local exploit thing, just limit your access and of course... patch...
 
> Sometimes it's easier to see when something is done wrong, than to see something not being done at all. Also, it's a pretty small program whose code is probably rarely modified. I doubt it's looked at often, even.


There's actually a lot of complexity in sudo. The config syntax is pretty involved, it supports locales (which has a way of messing everything up), PAM for all sorts of auth, and probably several other rather complex bits. OpenBSD's doas fits their usual mold of solving the core problem of an important program (sudo here), but leaving out the complex bits; if you need those, the original program is still available as a port.
 
> There's actually a lot of complexity in sudo. The config syntax is pretty involved, it supports locales (which has a way of messing everything up), PAM for all sorts of auth, and probably several other rather complex bits. OpenBSD's doas fits their usual mold of solving the core problem of an important program (sudo here), but leaving out the complex bits; if you need those, the original program is still available as a port.

Right, but what sudo itself does is pretty small. There is a lot of boilerplate and interface code that probably gets looked over often, but the core program probably doesn't change much.
 
> There's plenty of stuff that is obvious when you know what to look for, invisible when you don't. This is likely one of those. It is also possible that it is simply code that almost nobody looks at. The "many eyes" claim of OSS is a myth. While anyone CAN review any code, that doesn't mean everyone DOES or the people that do are any good. You get some projects where there is one dude who works on it, and nobody else ever looks at it because they don't care.
>
> Now for a tool as fundamental as sudo, it has probably been formally audited by companies like IBM and Redhat, and probably also by places like the NSA. So it may just be that this is obvious since you have been told what to look for and where, but if you didn't know it passed unnoticed even to experts.

You're contradicting yourself here. You are assuming that these companies have audited the code, but they may have just fallen to the same assumptions that it is safe like everyone else.

There really is only one assumption you should make when it comes to security - assume all code is vulnerable until proven otherwise, and take mitigating factors appropriate to the level of security you require.
 
> You're contradicting yourself here. You are assuming that these companies have audited the code, but they may have just fallen to the same assumptions that it is safe like everyone else.
>
> There really is only one assumption you should make when it comes to security - assume all code is vulnerable until proven otherwise, and take mitigating factors appropriate to the level of security you require.

What I'm saying is that it is impossible to audit code and be 100% sure that it is safe. If you think you can do that, you are wrong, and that kind of attitude is actually the sort of thing that leads to more issues: when developers assume they are so smart, so good, that they can see any issues that all the other stupid devs miss, which is not true.

I don't know how well audited the sudo code was, maybe it was something people ignored, but I find that unlikely. I think it was just missed and that happens.
 
> What I'm saying is that it is impossible to audit code and be 100% sure that it is safe. If you think you can do that, you are wrong, and that kind of attitude is actually the sort of thing that leads to more issues: when developers assume they are so smart, so good, that they can see any issues that all the other stupid devs miss, which is not true.
>
> I don't know how well audited the sudo code was, maybe it was something people ignored, but I find that unlikely. I think it was just missed and that happens.

^, as the kids would say.

Facts:
Code is insecure by default.
We try to secure it the best we can with our own knowledge. Not 100%.
Audits are not perfect either. Not 100%.
Open source (many eyes) is not proof against problems. Not 100%.

I always hate the headlines when something like this is found because the underlying theme is "how could this happen!??!"

It's hard, that's why.
 
Just checked on my Ubuntu Server 18.04 and 20.04 VMs - no sudo updates available.
 
> Just checked on my Ubuntu Server 18.04 and 20.04 VMs - no sudo updates available.

They claim to have patched the old versions, so while you won't see an updated version, if you've downloaded updates, just trust that Ubuntu has patched it and you're secure.
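The point above is worth checking rather than trusting: Ubuntu and Debian backport security fixes into the existing package version, so the upstream version string does not change, but the package changelog lists the CVE ids each security upload fixes. The script below is an added example, not code from any poster in this thread or from the sudo or Ubuntu projects. It runs the check against a constructed changelog excerpt in Debian changelog format (the version strings, CVE id and maintainer in it are placeholders), and, on a host that has apt-get and dpkg-query, repeats it against the live sudo package using `apt-get changelog sudo`.

```shell
#!/bin/sh
# Added example for this thread, not code from any poster or from sudo/Ubuntu.
# Distro security fixes are backported without bumping the upstream version,
# so "sudo --version" cannot tell you whether a fix is installed; the package
# changelog can, because each security upload names the CVE ids it fixes.

# cve_fixed_in_changelog CVE_ID CHANGELOG_TEXT
# Returns 0 if CVE_ID appears in the changelog text, 1 otherwise.
cve_fixed_in_changelog() {
    cve="$1"
    changelog="$2"
    printf '%s\n' "$changelog" | grep -q -F -- "$cve"
}

# latest_version_from_changelog CHANGELOG_TEXT
# Prints the version from the first (most recent) stanza header, e.g.
# "sudo (1.2.3-4ubuntu1) bionic-security; urgency=medium" -> "1.2.3-4ubuntu1".
latest_version_from_changelog() {
    printf '%s\n' "$1" | sed -n 's/^[a-z0-9.+-]* (\([^)]*\)).*/\1/p' | head -n 1
}

# Constructed changelog excerpt in Debian changelog format. Versions, CVE id,
# maintainer and dates are placeholders, not real values.
SAMPLE_CHANGELOG='sudo (PLACEHOLDER-VERSION-2) bionic-security; urgency=medium

  * SECURITY UPDATE: heap-based buffer overflow
    - CVE-XXXX-XXXXX

 -- Placeholder Maintainer <maint@example.invalid>  Mon, 01 Jan 2001 00:00:00 +0000

sudo (PLACEHOLDER-VERSION-1) bionic; urgency=medium

  * Initial packaging for this release.

 -- Placeholder Maintainer <maint@example.invalid>  Sun, 31 Dec 2000 00:00:00 +0000
'

# Self-check on the constructed data: the fix is listed, an unrelated id is not.
if cve_fixed_in_changelog "CVE-XXXX-XXXXX" "$SAMPLE_CHANGELOG"; then
    echo "sample changelog: CVE-XXXX-XXXXX listed (latest version $(latest_version_from_changelog "$SAMPLE_CHANGELOG"))"
fi
if ! cve_fixed_in_changelog "CVE-YYYY-YYYYY" "$SAMPLE_CHANGELOG"; then
    echo "sample changelog: CVE-YYYY-YYYYY not listed"
fi

# Live check on a Debian/Ubuntu host; skipped elsewhere. Pass the CVE id from
# the advisory you are tracking as the first argument.
CVE_TO_CHECK="${1:-CVE-XXXX-XXXXX}"
if command -v apt-get >/dev/null 2>&1 && command -v dpkg-query >/dev/null 2>&1; then
    installed="$(dpkg-query -W -f='${Version}' sudo 2>/dev/null || true)"
    echo "installed sudo package version: ${installed:-not installed}"
    if apt-get changelog sudo 2>/dev/null | grep -q -F -- "$CVE_TO_CHECK"; then
        echo "$CVE_TO_CHECK is listed in the sudo package changelog"
    else
        echo "$CVE_TO_CHECK not found in the sudo package changelog (or changelog unavailable)"
    fi
fi
```

The package version printed by dpkg-query carries the distro revision (the part after the hyphen), which is what changes on a security upload; comparing that against the version in the security notice is the other reliable check, where `sudo --version` alone is not.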
 
> It's hard, that's why.


And then some mr fancy pants on a forum comes around AFTER the hard work has been done and delivered to them on a silver platter to say: "Hey, this looks easy now that someone else has provided me the solution, why was it hard in the first place?"
 
> You're contradicting yourself here. You are assuming that these companies have audited the code, but they may have just fallen to the same assumptions that it is safe like everyone else.
>
> There really is only one assumption you should make when it comes to security - assume all code is vulnerable until proven otherwise, and take mitigating factors appropriate to the level of security you require.

I interpreted what he said as "people think OSS is reviewed by tons of people, but it's only looked at by a few." And the reality is that most of this code is written and maintained by companies like Redhat, IBM and similar corporations. I have a friend whose sole job was to work on Linux. As I recall he was at IBM in Austin at the time (but it's been 14 or 15 years, and I may have the company wrong).
 