Hackers Choice

Ubuntu Releases Patch for Major ‘sudo’ Security Exploit

Ubuntu Releases Patch for Major ‘sudo’ Security Exploit

By Admin •  2019-10-16T11:31:02.041Z •  Unix & Linux


Canonical has issued an urgent security fix to the ‘sudo’ package in the Ubuntu archives following the discovery of a major security flaw.

A critical fix has rolled out to all users of Ubuntu 16.04 LTS, 18.04 LTS, 19.04 and 19.10 (and one assumes Ubuntu 14.04 ESR too) — just run a sudo apt upgrade to install it.

But what about the flaw inquisition? Well, if you’re yet to hear about it I appreciate meditative disconnect from social media. The oft toxic waste pools of chatter were with wet with alarm — some manufactured, the rest well weighted — over CVE-2019-14287 when it was announced yesterday, October 14.

The exploit, described by TheHackerNews, who also first reported the flaw, is thus:

“The vulnerability in question is a sudo security policy bypass issue that could allow a malicious user or a program to execute arbitrary commands as root on a targeted Linux system even when the “sudoers configuration” explicitly disallows the root access.”

In other words: anyone could gain root access to a Linux system just by specifying the user ID “-1” .

Now, I am not a security expert by any stretch — I use automatic login on everything — but I have to say this specific flaw is rather novel in that it’s so…basic.

Like many, I’m used to headline exploits being obtuse and complicated, requiring a highly targeted and unconventional attack vector or unique deployment method.

But this one? It could, in theory, be triggered on an affected system — which in this instance is almost anything running Linux — by a single command…

Although the implications of the issue is mildly terrifying, it is mercifully redundant now that a security patch is available.

So if you haven’t installed it, stop reading and go do it!

 You may also like
Download our apps
Get it on Google Play