Security vulnerability
A new sudo vulnerability was found: a flaw in sudoedit (sudo -e). With it, attackers can edit arbitrary files, so machines were at risk of being pwned and having information stolen.
CVE
Impact
(with appreciation to @jmau111's comments)
The official website states:
If no users have been granted access to sudoedit there is no impact.
The flaw matters when, for example, /etc/sudoers (or whichever file visudo edits) has a line like this:
someuser ALL=(root) sudoedit /etc/some.conf
someuser can edit another file by exploiting the flaw.
Solution
If sudo is 1.8 or greater, it is recommended to update it to the latest version (1.9.12p2) released today, on 2023-01-19.
Temporary workaround
If you can't update right now, the official website describes a way to mitigate it by adding the line below to sudoers:
Defaults!sudoedit env_delete+="SUDO_EDITOR VISUAL EDITOR"
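To triage a host against the three conditions above (version range, a sudoedit rule in sudoers, and the workaround line), here is an added example; it is not code from this post's sources or from the sudo project. The function names, the verdict strings and the sample file are made up for illustration.

```shell
#!/bin/sh
# needs_update VERSION: true for 1.8 <= VERSION < 1.9.12p2 (the range the post says to update).
needs_update() {
  awk -v v="$1" 'BEGIN {
    split(v, a, /[.p]/)                      # "1.9.12p2" -> 1 9 12 2
    key = a[1]*1e9 + a[2]*1e6 + a[3]*1e3 + a[4]
    exit !(key >= 1008000000 && key < 1009012002)
  }'
}

# audit_sudoers FILE...: first output line is no-sudoedit | mitigated | exposed,
# followed by every rule that grants sudoedit. Pass /etc/sudoers plus any included
# files (for example /etc/sudoers.d/*); backslash line continuations are not joined.
audit_sudoers() {
  awk '
    /^[ \t]*#([^0-9]|$)/ { next }            # comments and #include directives
    /^[ \t]*Defaults!sudoedit[ \t]/ && /env_delete/ && /SUDO_EDITOR/ &&
      /VISUAL/ && /(^|[^_A-Z])EDITOR([^_A-Z]|$)/ { mitigated = 1; next }
    /^[ \t]*Defaults/ { next }
    /(^|[ \t,=])sudoedit([ \t]|$)/ {
      grants = grants "  " FILENAME ":" FNR ": " $0 "\n"
    }
    END {
      if (grants == "") print "no-sudoedit"
      else { print (mitigated ? "mitigated" : "exposed"); printf "%s", grants }
    }' "$@"
}

# assess VERSION FILE...: combine both checks into one verdict.
assess() {
  ver=$1; shift
  if needs_update "$ver"; then audit_sudoers "$@"
  else echo "no-update-needed"; fi
}

# Constructed sample sudoers content (the rule is the one shown in the post).
sample=$(mktemp)
printf '%s\n' '# constructed sample' \
  'someuser ALL=(root) sudoedit /etc/some.conf' > "$sample"
assess 1.9.12p1 "$sample"
rm -f "$sample"
# Real use, as root:
#   assess "$(sudo -V | awk 'NR==1{print $3}')" /etc/sudoers /etc/sudoers.d/*
```

A verdict of "mitigated" only means the workaround line is present; updating sudo is still the fix.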
Reference
This post is based on the tweets by my company
Top comments (7)
hey hey ^^:
If you can update. Otherwise, you can force install by downloading the tar file and
make
make install
Although, read that before:
Hi, thank you so much for your detailed information ✨
You are perfectly right. We can make it installed 😆
Well, thank you, again. I added the description about "Impact" to my post with the appreciation to you.
Pleasure.
Yes, impact is really important in such news. I'm actually quite surprised they found something.
Impact 💡 I learned with your kind description 😌
Agreed. They are really surprising and awesome.
Doas enjoyers chilling.
Ha ha. Actually, there is no impact to doas (and opendoas) as to this case.