Linux Users Urged to Patch Critical Sudo CVE - Infosecurity Magazine (www.infosecurity-magazine.com)
from kid@sh.itjust.works to cybersecurity@sh.itjust.works on 04 Jul 12:32
https://sh.itjust.works/post/41521897

#cybersecurity


henfredemars@infosec.pub on 04 Jul 13:06

“The issue can only be leveraged with specific configurations using the Host or Host_Alias directives, which are commonly used in enterprise environments,” Stratascale warned.

“The issue arises from allowing an unprivileged user to invoke chroot() on a writable, untrusted path under their control. Sudo calls chroot() several times, regardless of whether the user has a corresponding Sudo rule configured,” Stratascale explained.

Although it’s classed only as a low-severity bug, users are urged to update to Sudo 1.9.17p1 or later to mitigate the issue.
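The two things a defender actually wants to know from that write-up are whether the installed sudo is at or above 1.9.17p1 and whether the sudoers configuration uses the Host or Host_Alias directives the advisory singles out. The script below is an added example, not code from the post, the article or Stratascale. It parses the first line of `sudo --version` output into a comparable tuple (treating a release without a `pN` suffix as patch level 0, so 1.9.17 sorts below 1.9.17p1) and scans sudoers text for `Host_Alias` definitions and user specifications whose host field is anything other than `ALL`. The sudoers scan is a line-based heuristic (it does not handle backslash continuations or `#include` directives) and the sample sudoers content is constructed for illustration; the sudoers itself is only readable as root, so pass the text in from a privileged read.

```python
import re

# Sudo 1.9.17p1 is the fixed release named in the article.
FIXED_VERSION = (1, 9, 17, 1)

# Constructed sample sudoers for illustration only; not from any real host.
SAMPLE_SUDOERS = """\
# constructed sample sudoers for illustration only
Defaults env_reset
Defaults secure_path="/usr/local/sbin:/usr/sbin:/sbin:/usr/bin:/bin"
Host_Alias WEBSERVERS = www1, www2
root ALL=(ALL:ALL) ALL
%admin ALL=(ALL) ALL
deploy WEBSERVERS=(root) /usr/bin/systemctl restart nginx
ops db1, db2 = (postgres) /usr/bin/psql
"""


def parse_sudo_version(version_string):
    """Parse text such as 'Sudo version 1.9.17p1' into (major, minor, patch, p_level).

    A release without a 'pN' suffix gets p_level 0, so 1.9.17 < 1.9.17p1.
    """
    m = re.search(r'(\d+)\.(\d+)\.(\d+)(?:p(\d+))?', version_string)
    if not m:
        raise ValueError(f"no sudo version found in: {version_string!r}")
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def is_patched(version_string, fixed=FIXED_VERSION):
    """True when the reported sudo version is at or above the fixed release."""
    return parse_sudo_version(version_string) >= fixed


# user-spec line: <user-or-group> <host-list> = ...   (lazy match up to the '=')
USER_SPEC = re.compile(r'^\s*(\S+)\s+([^=]+?)\s*=')

# Lines that also contain '=' but are not user specifications.
NON_USER_SPEC_PREFIXES = ('Defaults', 'User_Alias', 'Runas_Alias', 'Cmnd_Alias')


def affected_host_rules(sudoers_text):
    """Return (line_number, line) for every Host_Alias definition and every
    user specification whose host field is not ALL (heuristic, line-based)."""
    hits = []
    for lineno, raw in enumerate(sudoers_text.splitlines(), 1):
        line = raw.split('#', 1)[0].strip()   # drop comments (and #include lines)
        if not line:
            continue
        if line.startswith('Host_Alias'):
            hits.append((lineno, raw.strip()))
            continue
        if line.startswith(NON_USER_SPEC_PREFIXES):
            continue
        m = USER_SPEC.match(line)
        if m and m.group(2).strip().upper() != 'ALL':
            hits.append((lineno, raw.strip()))
    return hits


def report(version_string, sudoers_text):
    """Summarise both checks; returns a dict rather than only printing."""
    hits = affected_host_rules(sudoers_text)
    return {
        "version": parse_sudo_version(version_string),
        "patched": is_patched(version_string),
        "host_rules": hits,
        "exposed": (not is_patched(version_string)) and bool(hits),
    }


if __name__ == "__main__":
    import subprocess
    try:
        live = subprocess.run(["sudo", "--version"], capture_output=True,
                              text=True, check=False).stdout.splitlines()[0]
    except (FileNotFoundError, IndexError):
        live = "Sudo version 1.9.17"   # fallback so the demo still runs offline
    r = report(live, SAMPLE_SUDOERS)
    print(f"sudo {'.'.join(map(str, r['version'][:3]))}"
          f"{'p%d' % r['version'][3] if r['version'][3] else ''}: "
          f"{'patched' if r['patched'] else 'NOT patched'}")
    for lineno, line in r["host_rules"]:
        print(f"  host-specific rule at sudoers line {lineno}: {line}")
    print("exposed by both conditions:", r["exposed"])
```

On a real host, run it as root so the sudoers file (and any files pulled in by `#includedir`) can be read and passed to `affected_host_rules`; a hit list that is empty means the configuration precondition the advisory describes is absent, but the version check still decides whether to update.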