prushik--- via plug on 14 Oct 2019 20:59:27 -0700

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: [PLUG] Sudo flaw

>On 10/14/19 7:58 PM, Joe Rosato via plug wrote:
>> The Hacker News (@TheHackersNews) tweeted at 2:32 PM on Mon, Oct 14,
>> 🔥 CVE-2019-14287
>> A flaw in Sudo—that comes installed on almost every #Linux OS—could
>> users run commands as "root" even when they're restricted.
>> Details ➤
>> How? Just by specifying user ID "-1" or "4294967295" in the command 
>> instead of the root. 

Oh goodness, better upgrade sudo as soon as possible!
oh, but wait, I don't use sudo to grant access to all users except root, so this doesn't apply to me... or anybody at all for that matter, because it doesn't make any sense to ever configure sudoers that way.
I though CVE meant *common* vulnerability and exposure.
Has anybody ever _even once_ written a sudoers file like this? If not it seems more like misconfiguration than a vulnerability. a sudo bug, for sure, but the exploitable setup doesn't seem at all realistic.
Philadelphia Linux Users Group         --
Announcements -
General Discussion  --