Tuesday, March 2, 2021
  • Setup menu at Appearance » Menus and assign menu to Top Bar Navigation
Advertisement
  • AI Development
    • Artificial Intelligence
    • Machine Learning
    • Neural Networks
    • Learn to Code
  • Data
    • Blockchain
    • Big Data
    • Data Science
  • IT Security
    • Internet Privacy
    • Internet Security
  • Marketing
    • Digital Marketing
    • Marketing Technology
  • Technology Companies
  • Crypto News
No Result
View All Result
NikolaNews
  • AI Development
    • Artificial Intelligence
    • Machine Learning
    • Neural Networks
    • Learn to Code
  • Data
    • Blockchain
    • Big Data
    • Data Science
  • IT Security
    • Internet Privacy
    • Internet Security
  • Marketing
    • Digital Marketing
    • Marketing Technology
  • Technology Companies
  • Crypto News
No Result
View All Result
NikolaNews
No Result
View All Result
Home Internet Privacy

Sudo Flaw Lets Linux Users Run Commands As Root Even When They’re Restricted

October 15, 2019
in Internet Privacy
Sudo Flaw Lets Linux Users Run Commands As Root Even When They’re Restricted
586
SHARES
3.3k
VIEWS
Share on FacebookShare on Twitter

Attention Linux Users!

A vulnerability has been discovered in Sudo—one of the most important, powerful, and commonly used utilities that comes as a core command installed on almost every UNIX and Linux-based operating system.

You might also like

Why do companies fail to stop breaches despite soaring IT security investment?

Gootkit RAT Using SEO to Distribute Malware Through Compromised Sites

SolarWinds Blames Intern for Weak Password That Led to Biggest Attack in 2020

The vulnerability in question is a sudo security policy bypass issue that could allow a malicious user or a program to execute arbitrary commands as root on a targeted Linux system even when the “sudoers configuration” explicitly disallows the root access.

Sudo, stands for “superuser do,” is a system command that allows a user to run applications or commands with the privileges of a different user without switching environments—most often, for running commands as the root user.

By default on most Linux distributions, the ALL keyword in RunAs specification in /etc/sudoers file, as shown in the screenshot, allows all users in the admin or sudo groups to run any command as any valid user on the system.

ubuntu sudoer file

However, since privilege separation is one of the fundamental security paradigms in Linux, administrators can configure a sudoers file to define which users can run what commands as to which users.

So, even if a user has been restricted to run a specific, or any, command as root, the vulnerability could allow the user to bypass this security policy and take complete control over the system.

“This can be used by a user with sufficient sudo privileges to run commands as root even if the Runas specification explicitly disallows root access as long as the ALL keyword is listed first in the Runas specification,” the Sudo developers say.

How to Exploit this Bug? Just Sudo User ID -1 or 4294967295

The vulnerability, tracked as CVE-2019-14287 and discovered by Joe Vennix of Apple Information Security, is more concerning because the sudo utility has been designed to let users use their own login password to execute commands as a different user without requiring their password.

Web Application Firewall

What’s more interesting is that this flaw can be exploited by an attacker to run commands as root just by specifying the user ID “-1” or “4294967295.”

That’s because the function which converts user id into its username incorrectly treats -1, or its unsigned equivalent 4294967295, as 0, which is always the user ID of root user.

Linux root user hacking

“Additionally, because the user ID specified via the -u option does not exist in the password database, no PAM session modules will be run.”

The vulnerability affects all Sudo versions prior to the latest released version 1.8.28, which has been released today, a few hours ago and would soon be rolled out as an update by various Linux distributions to their users.

So, if you use Linux, you are highly recommended to update sudo package manually to the latest version as soon as it is available.


Credit: The Hacker News By: noreply@blogger.com (Unknown)

Previous Post

Surprise – Model Improvements Don’t Always Drive Business Impact

Next Post

Apple responds to reports that it sends user traffic to China's Tencent

Related Posts

Why do companies fail to stop breaches despite soaring IT security investment?
Internet Privacy

Why do companies fail to stop breaches despite soaring IT security investment?

March 2, 2021
Gootkit RAT Using SEO to Distribute Malware Through Compromised Sites
Internet Privacy

Gootkit RAT Using SEO to Distribute Malware Through Compromised Sites

March 2, 2021
SolarWinds Blames Intern for Weak Password That Led to Biggest Attack in 2020
Internet Privacy

SolarWinds Blames Intern for Weak Password That Led to Biggest Attack in 2020

March 1, 2021
Cisco Releases Security Patches for Critical Flaws Affecting its Products
Internet Privacy

Cisco Releases Security Patches for Critical Flaws Affecting its Products

February 27, 2021
Malicious Amazon Alexa Skills Can Easily Bypass Vetting Process
Internet Privacy

Malicious Amazon Alexa Skills Can Easily Bypass Vetting Process

February 26, 2021
Next Post
Apple responds to reports that it sends user traffic to China’s Tencent

Apple responds to reports that it sends user traffic to China's Tencent

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Recommended

Plasticity in Deep Learning: Dynamic Adaptations for AI Self-Driving Cars

Plasticity in Deep Learning: Dynamic Adaptations for AI Self-Driving Cars

January 6, 2019
Microsoft, Google Use Artificial Intelligence to Fight Hackers

Microsoft, Google Use Artificial Intelligence to Fight Hackers

January 6, 2019

Categories

  • Artificial Intelligence
  • Big Data
  • Blockchain
  • Crypto News
  • Data Science
  • Digital Marketing
  • Internet Privacy
  • Internet Security
  • Learn to Code
  • Machine Learning
  • Marketing Technology
  • Neural Networks
  • Technology Companies

Don't miss it

Singapore eyes more cameras, technology to boost law enforcement
Internet Security

Singapore eyes more cameras, technology to boost law enforcement

March 2, 2021
Why do companies fail to stop breaches despite soaring IT security investment?
Internet Privacy

Why do companies fail to stop breaches despite soaring IT security investment?

March 2, 2021
Tweaking Algorithmic Filtering to Combat Fake News
Data Science

Tweaking Algorithmic Filtering to Combat Fake News

March 2, 2021
Machine Learning Cuts Through the Noise of Quantum Computing
Machine Learning

Machine Learning Cuts Through the Noise of Quantum Computing

March 2, 2021
Google’s Tensorflow Certification & What I’ve Learned Since
Neural Networks

Google’s Tensorflow Certification & What I’ve Learned Since

March 2, 2021
Apple’s data-collection ‘nutrition labels’ for apps will begin appearing next week
Digital Marketing

Pinterest powers up creators during stressful times: Monday’s daily brief

March 2, 2021
NikolaNews

NikolaNews.com is an online News Portal which aims to share news about blockchain, AI, Big Data, and Data Privacy and more!

What’s New Here?

  • Singapore eyes more cameras, technology to boost law enforcement March 2, 2021
  • Why do companies fail to stop breaches despite soaring IT security investment? March 2, 2021
  • Tweaking Algorithmic Filtering to Combat Fake News March 2, 2021
  • Machine Learning Cuts Through the Noise of Quantum Computing March 2, 2021

Subscribe to get more!

© 2019 NikolaNews.com - Global Tech Updates

No Result
View All Result
  • AI Development
    • Artificial Intelligence
    • Machine Learning
    • Neural Networks
    • Learn to Code
  • Data
    • Blockchain
    • Big Data
    • Data Science
  • IT Security
    • Internet Privacy
    • Internet Security
  • Marketing
    • Digital Marketing
    • Marketing Technology
  • Technology Companies
  • Crypto News

© 2019 NikolaNews.com - Global Tech Updates