TL;DR: Sudo developers assigned CVE-2019-14287 to their Common Vulnerabilities and Exposures database, titled, Potential Bypass of Runas User Restrictions. That particular CVE allows for a security bypass, potentially allowing malicious actors root access. Superuser do (Sudo) is an important utility installed on nearly all UNIX and Linux operating systems.

Linux Superuser Do (Sudo) Found to Have Common Vulnerability

“When sudo is configured to allow a user to run commands as an arbitrary user via the ALL keyword in a Runas specification,” sudo developer Todd Miller announced 14 October 2019, “it is possible to run commands as root by specifying the user ID -1 or 4294967295. This can be used by a user with sufficient sudo privileges to run commands as root even if the Runas specification explicitly disallows root access as long as the ALL keyword is listed first in the Runas specification. Log entries for commands run this way will list the target user as 4294967295 instead of root. In addition, PAM session modules will not be run for the command.”

Mohit Kumar, founder of The Hacker News explained, “The vulnerability in question is a sudo security policy bypass issue that could allow a malicious user or a program to execute arbitrary commands as root on a targeted Linux system even when the ‘sudoers configuration’ explicitly disallows the root access. Sudo is ultimately a command that allows still other commands “with the privileges of a different user without switching environments—most often, for running commands as the root user,” Kumar continued.

“By default on most Linux distributions,” Kumar further noted, “the ALL keyword in RunAs specification in /etc/sudoers file, as shown in the screenshot, allows all users in the admin or sudo groups to run any command as any valid user on the system.” All sudo versions before 1.8.28 are impacted.

“The bug is fixed in sudo 1.8.28,” Miller assured, crediting “Joe Vennix from Apple Information Security [who] found and analyzed the bug.” Linux developed as an open-source operating system first created by Finnish-American developer Linus Torvalds nearly three decades ago, and though it is not in vogue comparatively among mainstream desktop users, Bitcoiners have often made use of the platform in nearly all iterations of nodes, implementations, and even wallets.

CONTINUE THE SPICE and check out our piping hot VIDEOS. Our podcast, The CoinSpice Podcast, has amazing guests. Follow CoinSpice on Twitter. Join our Telegram feed to make sure you never miss a post. Drop some BCH at the merch shop — we’ve got some spicy shirts for men and women. Don’t forget to help spread the word about CoinSpice on social media.

DYOR: CoinSpice is your home for just spicy crypto things. We’re not affiliated with any cryptocurrency project or token. Each published piece is intended for information purposes only, not investment advice and not in the hope of impacting speculative markets. There are plenty of trading sites and coin-specific advocacy journals out there, we’re neither. CoinSpice strives for rigorous accuracy in our reporting. Information presented here is contingent usually on a host of factors, and the ecosystem moves fast — prices change, projects change, and at warp speed. Do your own research.

DISCLOSURE: The author holds cryptocurrency as part of his financial portfolio, including BCH.