LowEndBox - Cheap VPS, Hosting and Dedicated Server Deals

Huge sudo Security Issue - Update Your Systems Now!

News broke today of a new security vulnerability in sudo, a widely used Linux/BSD/Unix utility that allows regular users to execute commands with elevated privileges.

Typically, a user needs elevated (root) privileges to perform some command on the system, so the system administrator configures sudo to let that user run one command (or a set of commands). If you are not listed in the /etc/sudoers file, you have no access to sudo, and if you are, you have access only to the commands you’ve been permitted to use.

The new vulnerability means that any user can elevate his privileges to root using carefully crafted arguments to one of sudo’s programs (sudoedit) – even if the user is not listed in /etc/sudoers!

If you’re the only user on your system (i.e., a personal VPS) you are probably not immediately affected, because an attacker must already have an unprivileged shell on the machine to use sudo. However, you should still update. If you run a system with many users and use sudo, you must update immediately (to version 1.9.5p2).

(As is often the case, the only major Unix-like OS that is not affected is OpenBSD, which ditched sudo in favor of its homegrown utility, doas, back in 2015 due to security concerns with sudo.)
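A quick way to act on the advice above is to compare the installed sudo’s version string with the fixed release, 1.9.5p2. The POSIX shell script below is an added example (not code from the LowEndBox post or from the sudo project): it parses the first line of `sudo --version`, which reads `Sudo version 1.9.5p2`, and flags anything older than 1.9.5p2. One caveat worth knowing: distributions often backport the fix into their existing package, so a patched Debian or Ubuntu sudo may still report an older upstream version such as 1.8.31. Treat this as a first pass and confirm with your package manager’s changelog.

```shell
#!/bin/sh
# Added example (not from the LowEndBox post or the sudo project):
# compare a sudo version string with the fixed release named in the
# article, 1.9.5p2. Version strings look like MAJOR.MINOR.PATCH with an
# optional "pN" suffix; a missing suffix counts as p0.

FIXED_SUDO_VERSION="1.9.5p2"

# Print the four numeric fields of a version:
#   "1.9.5p1" -> "1 9 5 1"      "1.8.31" -> "1 8 31 0"
sudo_version_fields() {
    v="$1"
    base="${v%%p*}"          # version without the "pN" suffix
    case "$v" in
        *p*) p="${v##*p}" ;; # the N of "pN"
        *)   p=0 ;;
    esac
    maj="${base%%.*}"
    rest="${base#*.}"
    min="${rest%%.*}"
    pat="${rest#*.}"
    printf '%s %s %s %s\n' "$maj" "$min" "$pat" "$p"
}

# Succeed (exit 0) when version $1 is strictly older than version $2.
sudo_version_lt() {
    a=$(sudo_version_fields "$1")
    b=$(sudo_version_fields "$2")
    set -- $a                # positional params now hold the fields of $1
    for bf in $b; do
        af=$1
        shift
        [ "$af" -lt "$bf" ] && return 0
        [ "$af" -gt "$bf" ] && return 1
    done
    return 1                 # all fields equal: not older
}

# Print "needs-update" when $1 is older than the fixed release, else "ok".
sudo_check_version() {
    if sudo_version_lt "$1" "$FIXED_SUDO_VERSION"; then
        echo "needs-update"
    else
        echo "ok"
    fi
}

# Extract the upstream version from the first line of `sudo --version`.
# Prints nothing if sudo is not installed.
installed_sudo_version() {
    sudo --version 2>/dev/null \
        | sed -n 's/^Sudo version \([0-9][0-9.p]*\).*/\1/p' \
        | head -n 1
}

# Entry point: check the version given as an argument, otherwise the
# sudo found in PATH.
version="${1:-$(installed_sudo_version)}"
if [ -z "$version" ]; then
    echo "sudo not found in PATH; nothing to check"
else
    echo "sudo $version: $(sudo_check_version "$version")"
fi
```

Run it with no arguments to check the sudo in PATH, or pass a version string to see how it is classified (`sh sudo_check.sh 1.9.5p1`). On Debian and Ubuntu the update itself is `apt-get update && apt-get install --only-upgrade sudo`, and `apt-get changelog sudo` shows whether the installed package already carries the fix even though its upstream version string has not changed.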

raindog308

5 Comments

  1. Bilal Inamdar:

    Nice! Thanks for the info!

    January 27, 2021 @ 6:41 am
  2. Very nice, OpenBSD :)

    January 27, 2021 @ 11:16 am
  3. Stupid Unicorn:

    How does one actually update sudo? (say, on an Ubuntu system)

    January 27, 2021 @ 1:46 pm
  4. Thanks for sharing Andrew!

    January 27, 2021 @ 8:37 pm
  5. Glad I’m subscribed to LowEndBox on Facebook. I’m not a systems admin but it’s important to know stuff like this.

    January 30, 2021 @ 6:18 pm
