Walt Mankowski via plug on 15 Oct 2019 10:23:01 -0700

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: [PLUG] Sudo flaw

On Mon, Oct 14, 2019 at 11:59:14PM -0400, prushik--- via plug wrote:
> >On 10/14/19 7:58 PM, Joe Rosato via plug wrote:
> >> The Hacker News (@TheHackersNews) tweeted at 2:32 PM on Mon, Oct 14,
> >2019:
> >> 🔥 CVE-2019-14287
> >> 
> >> A flaw in Sudo—that comes installed on almost every #Linux OS—could
> >let 
> >> users run commands as "root" even when they're restricted.
> >> 
> >> Details ➤ https://t.co/NeFvITBR73
> >> 
> >> How? Just by specifying user ID "-1" or "4294967295" in the command 
> >> instead of the root. 
> Oh goodness, better upgrade sudo as soon as possible!
> oh, but wait, I don't use sudo to grant access to all users except root, so this doesn't apply to me... or anybody at all for that matter, because it doesn't make any sense to ever configure sudoers that way.
> I though CVE meant *common* vulnerability and exposure.
> Has anybody ever _even once_ written a sudoers file like this? If not it seems more like misconfiguration than a vulnerability. a sudo bug, for sure, but the exploitable setup doesn't seem at all realistic.

It's definitely much more of an edge case than I originally thought
after skimming the beginning of the article, that's for sure. That
said, I did go and install the update.


Attachment: signature.asc
Description: PGP signature

Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug