nabbisen

Posted on • Edited on • Originally published at scqr.net

sudoedit (`sudo -e`) security flaw (CVE-2023-22809)

Security vulnerability

A new sudo vulnerability has been found, in sudoedit (`sudo -e`). With it, an attacker can edit arbitrary files, putting machines at risk of being compromised and having information stolen.

CVE

CVE-2023-22809

Impact

(with appreciation to @jmau111's comments)

The official website states:

If no users have been granted access to sudoedit there is no impact.

This applies, for example, when /etc/sudoers (or the file visudo edits) contains a line such as:

```
someuser ALL=(root) sudoedit /etc/some.conf
```

By exploiting the flaw, someuser can edit files other than /etc/some.conf.

Solution

If your sudo is 1.8 or greater, it is recommended to update it to the latest version (1.9.12p2), released today, 2023-01-19.

Temporary workaround

If you can't update right now, the official website describes a mitigation: add the line below to sudoers:

```
Defaults!sudoedit    env_delete+="SUDO_EDITOR VISUAL EDITOR"
```
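As an added example (not from the original post or from the sudo project), the check below scans sudoers text for the precondition named under "Impact" (a user granted sudoedit) and tests whether the workaround line above is present and covers all three editor variables. The sample sudoers content is constructed.

```python
import re

# Constructed sample sudoers content: one sudoedit grant, no workaround line.
SAMPLE_SUDOERS = """\
Defaults env_reset
root    ALL=(ALL:ALL) ALL
someuser ALL=(root) sudoedit /etc/some.conf
"""

# user  host=(runas) [TAG:]... sudoedit ...   (comments are stripped first)
GRANT_RE = re.compile(r'^\s*(\S+)\s+\S+=\(([^)]*)\)\s+(?:\S+:\s*)*sudoedit\b')
# Defaults!sudoedit env_delete+="VAR VAR ..."
MITIGATION_RE = re.compile(
    r'^\s*Defaults!sudoedit\s+env_delete\s*\+=\s*"([^"]*)"')
# All three must be deleted; removing only one of them leaves a path open.
REQUIRED_VARS = {"SUDO_EDITOR", "VISUAL", "EDITOR"}


def find_sudoedit_grants(text):
    """Return (user, runas) pairs that are allowed to run sudoedit."""
    grants = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]  # drop trailing comments
        m = GRANT_RE.match(line)
        if m:
            grants.append((m.group(1), m.group(2)))
    return grants


def mitigation_present(text):
    """True only if a Defaults!sudoedit line deletes all required variables."""
    for line in text.splitlines():
        m = MITIGATION_RE.match(line)
        if m and REQUIRED_VARS <= set(m.group(1).split()):
            return True
    return False


def assess(text):
    """Summarise exposure of a sudoers file to this flaw."""
    if not find_sudoedit_grants(text):
        return "no sudoedit grants: no impact"
    if mitigation_present(text):
        return "sudoedit grants present but env_delete workaround applied"
    return "sudoedit grants present and no workaround: update sudo"


if __name__ == "__main__":
    print(assess(SAMPLE_SUDOERS))
```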

Reference

This post is based on tweets by my company.


Top comments (7)

spO0q • Edited

hey hey ^^:

```
sudo apt update; sudo apt --only-upgrade install sudo
```

If you can update. Otherwise, you can force install by downloading the tar file and running `make`, `make install`.

spO0q •

Although, read that before:

If no users have been granted access to sudoedit there is no impact.

nabbisen •

Hi, thank you so much for your detailed information ✨
You are perfectly right. We can make it installed 😆

Well, thank you again. I added the description about "Impact" to my post, with appreciation to you.

spO0q •

Pleasure.

Yes, impact is really important in such news. I'm actually quite surprised they found something.

nabbisen •

Impact 💡 I learned with your kind description 😌
Agreed. They are really surprising and awesome.

Maty •

Doas enjoyers chilling.

nabbisen •

Ha ha. Actually, there is no impact on doas (and opendoas) in this case.
