Joe Vennix of Apple security has found another significant vulnerability in the sudo utility that, under a specific configuration, could allow low-privileged users or malicious programs to execute arbitrary commands with administrative (‘root’) privileges on Linux or macOS systems.
The newly discovered privilege escalation vulnerability in question, tracked as CVE-2019-18634, stems from a stack-based buffer overflow issue that resides in Sudo versions before 1.8.26.
Vennix responsibly reported the vulnerability to the maintainers of Sudo, who late last week released sudo version 1.8.31 with a patch.
Apple has also released a patch update for macOS High Sierra 10.13.6, macOS Mojave 10.14.6 and macOS Catalina 10.15.2 last week.
https://thehackernews.com/2020/02/sudo-linux-vulnerability.html
Sudo Bug Lets Non-Privileged Linux and macOS Users Run Commands as Root
- This topic has 23 replies, 8 voices, and was last updated 5 years, 3 months ago.
Alex5723 (AskWoody Plus), February 3, 2020 at 1:09 pm, #2125245 (original post; text quoted above)
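The quoted article makes the exposure conditional on two things: a sudo older than the fixed release and the pwfeedback option turned on. Both can be checked from a shell before deciding whether a host needs the update. The script below is an added example written for this thread; it is not code from the article, from AskWoody or from the sudo project. It assumes `sudo --version` prints "Sudo version X.Y.ZpN" on its first line and that `sudo -l` lists the effective Defaults in its usual "Matching Defaults entries" block; the function names and the sample outputs embedded in it are constructed for illustration. It takes the affected range 1.7.1 through 1.8.30 from the upstream sudo advisory rather than from the post, which only names 1.8.31 as the fixed release.

```shell
#!/bin/sh
# Added triage helper for the sudo pwfeedback overflow (CVE-2019-18634).
# Not code from the thread, the article, or the sudo project.
# Assumptions: `sudo --version` prints "Sudo version X.Y.ZpN" on its first line
# and `sudo -l` prints the "Matching Defaults entries" block in sudo's usual
# layout; the function and variable names here are the author's own.

# Print the bare version string (e.g. "1.8.21p2") from `sudo --version` output on stdin.
sudo_version_from_output() {
    sed -n '1s/^Sudo version \([0-9][0-9.p]*\).*/\1/p'
}

# Exit 0 when version $1 falls in the range the upstream advisory lists as
# affected, 1.7.1 through 1.8.30; 1.8.31 (named in the post) is the fixed release.
sudo_version_is_affected() {
    v=$(printf '%s\n' "$1" | sed 's/p[0-9]*$//')    # drop the "pN" patch level
    case "$v" in
        ''|*[!0-9.]*) return 2 ;;                     # not a version string
    esac
    major=${v%%.*}; rest=${v#*.}
    [ "$rest" = "$v" ] && rest=0                      # bare "2" has no minor field
    minor=${rest%%.*}; patch=${rest#*.}
    [ "$patch" = "$rest" ] && patch=0                 # "1.8" has no third field
    n=$((major * 1000000 + minor * 1000 + patch))
    [ "$n" -ge 1007001 ] && [ "$n" -le 1008030 ]
}

# Read `sudo -l` output on stdin; exit 0 when pwfeedback is on for this user.
# sudo -l reflects the effective policy (including sudoers.d drop-ins), listing
# the option as a bare "pwfeedback" token when on and "!pwfeedback" when off.
pwfeedback_enabled() {
    sed -n '/^Matching Defaults entries/,/^$/p' \
      | tr ',' '\n' \
      | grep -qE '^[[:space:]]*pwfeedback[[:space:]]*$'
}

# Combine both checks. $1 = `sudo --version` output, $2 = `sudo -l` output.
# Prints: affected | version_not_affected | pwfeedback_off | unknown_version
triage() {
    ver=$(printf '%s\n' "$1" | sudo_version_from_output)
    if [ -z "$ver" ]; then
        echo unknown_version
    elif ! sudo_version_is_affected "$ver"; then
        echo version_not_affected
    elif printf '%s\n' "$2" | pwfeedback_enabled; then
        echo affected
    else
        echo pwfeedback_off
    fi
}

# Constructed sample outputs (not captured from real hosts): an unpatched sudo on
# a Mint-style setup with pwfeedback on, and a Debian-style setup with it off.
SAMPLE_VERSION_OLD='Sudo version 1.8.21p2
Sudoers policy plugin version 1.8.21p2
Sudoers file grammar version 46'
SAMPLE_VERSION_FIXED='Sudo version 1.8.31'
SAMPLE_LIST_ON='Matching Defaults entries for alice on mint:
    env_reset, pwfeedback, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User alice may run the following commands on mint:
    (ALL : ALL) ALL'
SAMPLE_LIST_OFF='Matching Defaults entries for alice on debian:
    env_reset, !pwfeedback, mail_badpass

User alice may run the following commands on debian:
    (ALL : ALL) ALL'

# Run against the samples, or against the live host when SUDO_CHECK_LIVE=1
# (sudo -l may ask for your own password on a live host).
if [ "${SUDO_CHECK_LIVE:-0}" = 1 ]; then
    triage "$(sudo --version 2>/dev/null)" "$(sudo -l 2>/dev/null)"
else
    echo "old sudo, pwfeedback on:   $(triage "$SAMPLE_VERSION_OLD"   "$SAMPLE_LIST_ON")"
    echo "old sudo, pwfeedback off:  $(triage "$SAMPLE_VERSION_OLD"   "$SAMPLE_LIST_OFF")"
    echo "fixed sudo, pwfeedback on: $(triage "$SAMPLE_VERSION_FIXED" "$SAMPLE_LIST_ON")"
fi
```

Run it as a user who appears in sudoers: `sudo -l` only prints the Defaults block for such users, so for other accounts inspect /etc/sudoers and /etc/sudoers.d as root instead. When it reports affected and the distribution package cannot be updated yet, the workaround from the upstream advisory is to turn the option off with `Defaults !pwfeedback` in sudoers, edited through visudo.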
b (AskWoody_MVP), February 3, 2020 at 4:29 pm, #2125332
Another critical Linux vulnerability which persisted for 11 years despite the mythical advantage of open source code availability to “many eyeballs”?
(On by default in Linux Mint for more than a year apparently.)
OscarCP (Member), February 3, 2020 at 5:21 pm, #2125346
This thread is not about Linux, it is about macOS. macOS is proprietary, so it’s not open to the scrutiny of “many eyeballs.”
Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).
MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV
OscarCP (Member), February 3, 2020 at 5:41 pm, #2125350
Oh, my apologies, b: it is also about Linux! And you are so right. Except that all those eyeballs are ‘human’ eyeballs, and you know the saying about erring, human, forgiving, divine. But even given that, this is a big embarrassment to the Linux devs and fans. Imagine: in ‘sudo’, one of the most important and most often used command-line commands, one that has been around since forever, there is a just-now-discovered and perhaps equally ancient, but also potentially really dangerous, bug!
DrBonzo (AskWoody Plus), February 3, 2020 at 5:44 pm, #2125354
@b – It’s clear that no one operating system – Windows, Linux, macOS, iOS, etc – can win the finger-pointing game. All of them have or have had flaws ranging in severity from mild to critical, and ranging in temporal extent from zero-day to years. It is what it is.
b (AskWoody_MVP), February 4, 2020 at 10:26 am, #2134748
That was exactly my point. Many have postulated in the past that open source is inherently more secure, but that’s pure theory which doesn’t pan out in practice. We read much here about buggy Windows but not nearly enough about buggy Linux or macOS. (Imagine the blistering diatribes which would abound if Windows had allowed privilege escalation via an Admin password field bypass for 11 years!)
Ascaris (AskWoody MVP), February 4, 2020 at 5:20 pm, #2134943
People have died wearing seatbelts. Does this suggest that the safety benefit of seatbelts is mythical?
Life is not black and white, cut and dried. We’re talking about increasing the odds of discovering bugs, not guaranteeing their discovery. Until the rate of discovery within a given time frame hits 100%, which is impossible, there will always be some that get by. It doesn’t mean that having more eyes on the code does not work… if anything, perhaps still more eyes are needed.
This bug, like so many of the other bugs the proprietary software defenders love to mention that have been there a while, was never exploited in the wild. It was discovered before it could be exploited, even if the thing was in there was a long time. If it had been exploited, as so many Windows bugs have been (despite the code being closed), it would no doubt have been discovered sooner. Would that have been a more favorable outcome?
Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon 6.2
XPG Xenia 15, i7-9750H/32GB & GTX1660ti, Kubuntu 24.04
Acer Swift Go 14, i5-1335U/16GB, Kubuntu 24.04 (and Win 11)
OscarCP (Member), February 4, 2020 at 11:22 pm, #2135010
“I do not judge, I tried to understand.” Georges Simenon.
And I try to live accordingly, but with not a lot of success. I’ll have to apply myself harder.
In the meantime: Linux is the premier OS in server farms that take care of important data bases belonging to governments, universities, local, provincial, national and international organizations. It is probably as important as Windows in this respect, maybe even more, if we consider, at least based on my own experience, the likely prevalence in Europe of the use of Linux in such organizations.
This is good, in the sense that if a bug becomes a problem, it is likely to be discovered very quickly: Linux is not a boutique OS used by a few fanboys and some hobbyists that like to tinker with computers and software for the fun of it. But this is bad, for the same reason, if the bug is not caught quickly or, as in the present lucky case, is not discovered before it becomes a problem.
So we are fortunate here, this time, I think, in that the blood has not reached the river. But how secure are we to feel after something like this happens? We are reminded by this, as Ascaris has noted, that nothing made by people can be perfect, but the question having been asked, the only answer I can think of — beyond “let’s not expect that by using OS XXX a millennium free of trouble is finally upon us” — the one answer that fits my own state of existential uncertainty on this matter is: “how long is a piece of string?”
b (AskWoody_MVP), February 5, 2020 at 4:18 pm, #2135448
OscarCP wrote: This is good, in the sense that if a bug becomes a problem, it is likely to be discovered very quickly:
But not in this case?
OscarCP (Member), February 5, 2020 at 5:02 pm, #2135462
b, you seem to have missed the part: “But this is bad, for the same reason…” Maybe you need that vacation?
b (AskWoody_MVP)
OscarCP (Member), February 5, 2020 at 5:34 pm, #2135466
They are likely to be discovered quickly if they infect one of those big organizations… So: the hard way, b, the hard way. No eyeballs needed.
Moderator note: Edited for content.
b (AskWoody_MVP), February 5, 2020 at 4:12 pm, #2135444
Ascaris wrote: … if anything, perhaps still more eyes are needed.
Clearly. How will that be achieved with practically no incentive?
Ascaris (AskWoody MVP), February 5, 2020 at 5:44 pm, #2135469
Ascaris wrote: … if anything, perhaps still more eyes are needed.
b wrote: Clearly. How will that be achieved with practically no incentive?
Money is not the only incentive, or the many people who volunteer their time for open-source projects wouldn’t be doing so. It would similarly be a fair question to ask how many open-source products could be developed with practically no incentive, but they are, so for the people who develop them, there is incentive enough. If one wishes to see a project succeed to the point that they donate their time, the incentive for finding bugs is there too. It’s just not a perfect process– nothing is, and more QA would always be a good thing, whether we’re talking about Linux, Windows, or anything else.
For some open-source developers, it is money that motivates them, at least in part. The perception some people have of open-source software is that it is developed wholly by hobbyists and others who donate their time. That’s true for some projects, but there’s a lot of corporate money going into open-source development too. For the professional developers within open source, it’s a job, just as it would be if they worked for Microsoft. It’s just that the code is available to the public instead of being a closely-guarded secret.
Google Chromium, as the most visible example, is developed by Google for its own corporate interests. It’s open source, but that doesn’t mean that the code gatekeepers are under any obligation to do anything differently than what they would do if it were proprietary, closed code, with the obvious exception of making that code available under an open-source license. You can suggest changes to the Chromium devs, but they are not required to listen, and there’s no illusion that there is any democracy going on.
Even with that said, Chromium is still free and open source, since the code is available under permissive licenses for any purpose a person may wish to use it. “FOSS” does not require community involvement or any pretense of developing for the public good, however one defines that.
I, for one, never thought that the open-source method of QA was obviously superior to that of Microsoft or anyone else. Maybe it is, maybe it’s not. I don’t have any statistics that would allow me to make such a declaration.
The proof of the pudding is in the eating, and despite what a lot of my Linux-loving compatriots may say, MS has turned out a lot of good quality products using its closed-source methods. XP and 7 were gems, and 8.1 is too once you strip off all of the UI silliness. Windows 10 could be too if MS would just take to heart one simple concept: The purpose of an OS is to enable the hardware to run applications that perform the tasks chosen by the owner of that hardware, and in doing so, to serve (exclusively) the interests of that owner in a manner chosen by himself. Just that, nothing more or less.
OscarCP (Member), February 5, 2020 at 6:22 pm, #2135480
Yes, there are excellent reasons why people who are good at identifying what is needed but as yet unfulfilled, and who are also good at coding, may be motivated to whip up something to fulfill that need. Those people do not need to expect to be paid right away for their efforts. The payoff will come, if and when it comes, especially for the beginners in this game, in the form of prestige, of lucrative contracts, of good jobs, etc. For some of those struggling to become recognized in the larger, professional coding world, for example, writing software and making the source freely available is not all that different from newly-hatched violinists posting videos on YouTube of themselves performing excerpts of some tricky violin music. Sometimes they are actually seen and heard doing it right, and then, with some of the good luck that is always needed…
On a more personal note: here, for a change, I am a centrist. Hence my quoting of Simenon.
And thanks, Ascaris, for writing the “pudding” saying correctly; “The proof is in the pudding” as it is very often misquoted, is just pure nonsense.
OscarCP (Member), February 3, 2020 at 5:17 pm, #2125343
Well, this is a serious worry.
Is what has to be a very recent fix included in one of the two security updates announced last week: the first one, number 2020-001, or the second one, 2020-002, that came up in PK’s KB thread on macOS (and the various “i” device OS updates) a couple of days later? Nathan has not mentioned that second patch yet (if my memory serves).
I have received and installed the first one, but, as I write this, still have not received the latter.
DrBonzo (AskWoody Plus)
OscarCP (Member), February 3, 2020 at 5:56 pm, #2125357
So now what remains to be seen is what happens with Linux. Or, more precisely and as far as I am concerned, with Debian and all those distros downstream from it, particularly those in the popular ‘Ubuntu’ chain of forking paths. Because I now have Mint on my PC, alongside Win 7, you know? And it is supposed to be my one door from there to “safe browsing.”
DrBonzo (AskWoody Plus), February 3, 2020 at 5:58 pm, #2125358
jburk07 (AskWoody Plus), February 3, 2020 at 6:14 pm, #2125858
My computers running Mint 19.2 are being offered the sudo patch for CVE-2019-18634.
Linux Mint Cinnamon 21.1
Group A:
Win 10 Pro x64 v22H2 Ivy Bridge, dual boot with Linux
Win 10 Pro x64 v22H2 Haswell, dual boot with Linux
Win7 Pro x64 SP1 Haswell, 0patch Pro, dual boot with Linux, offline
Win7 Home Premium x64 SP1 Ivy Bridge, 0patch Pro,offline
Alex5723 (AskWoody Plus), February 5, 2020 at 3:56 am, #2135042
OscarCP wrote: In the meantime: Linux is the premier OS in server farms that take care of important data bases belonging to governments, universities, local, provincial, national and international organizations.
In the meantime “Linux” has 90%+ OS market share. From data centers, web servers to Android, iOS, routers, smart TVs, switches, receivers, set-top boxes, super computers…
OscarCP (Member), February 5, 2020 at 4:01 pm, #2135435
Well… some of that is “UNIX”, or even “BSD”, but OK…
Charlie (AskWoody Plus)
Bill C. (AskWoody Plus)

Copyright ©2004-2025 by AskWoody Tech LLC. All Rights Reserved.