Canonical has issued an urgent security fix to the ‘sudo’ package in the Ubuntu archives following the discovery of a major security flaw.
A critical fix has rolled out to all users of Ubuntu 16.04 LTS, 18.04 LTS, 19.04 and 19.10 (and one assumes Ubuntu 14.04 ESR too) — just run a
sudo apt upgrade to install it.
But what about the flaw inquisition? Well, if you’re yet to hear about it I appreciate meditative disconnect from social media. The oft toxic waste pools of chatter were with wet with alarm — some manufactured, the rest well weighted — over CVE-2019-14287 when it was announced yesterday, October 14.
“The vulnerability in question is a sudo security policy bypass issue that could allow a malicious user or a program to execute arbitrary commands as root on a targeted Linux system even when the “sudoers configuration” explicitly disallows the root access.”
In other words: anyone could gain root access to a Linux system just by specifying the user ID “
Now, I am not a security expert by any stretch — I use automatic login on everything — but I have to say this specific flaw is rather novel in that it’s so…basic.
Like many, I’m used to headline exploits being obtuse and complicated, requiring a highly targeted and unconventional attack vector or unique deployment method.
But this one? It could, in theory, be triggered on an affected system — which in this instance is almost anything running Linux — by a single command…
Although the implications of the issue is mildly terrifying, it is mercifully redundant now that a security patch is available.
So if you haven’t installed it, stop reading and go do it!