Post

Critical Sudo Vulnerabilities Allow Local Privilege Escalation

Critical Sudo Vulnerabilities Let Local Users Gain Root Access on Linux, Impacting Major Distros

Posted
By Manthan R M
4 min read
Critical Sudo Vulnerabilities Allow Local Privilege Escalation

Overview

Two critical security flaws have been discovered in the Sudo command-line utility for Linux and Unix-like operating systems. These vulnerabilities could allow local attackers to escalate their privileges to root on affected systems, impacting a wide range of major Linux distributions.

Vulnerability Details

CVE-2025-32462: Host Option Privilege Escalation

  • CVSS Score: 2.8 (Low)
  • Affected Versions: Sudo before 1.9.17p1
  • Description:
    When the sudoers file specifies a host that is neither the current host nor ALL, listed users can execute commands on unintended machines. This is due to improper handling of the -h (host) option, which was introduced in September 2013.
  • Technical Impact:
    • Allows users to run commands permitted for a remote host on the local machine.
    • Primarily affects environments using a shared sudoers file distributed across multiple machines or LDAP-based sudoers (including SSSD).
  • Example Scenario:
    If a user is allowed to run certain commands on hostA, they may be able to execute those commands on hostB by specifying the host option, even if not intended.

CVE-2025-32463: Chroot Option Local Root Exploit

  • CVSS Score: 9.3 (Critical)
  • Affected Versions: Sudo before 1.9.17p1
  • Description:
    The -R (chroot) option allows local users to obtain root access because Sudo loads /etc/nsswitch.conf from a user-controlled directory.
  • Technical Impact:
    • Attackers can create a malicious /etc/nsswitch.conf in a directory they control and use the --chroot option to trick Sudo into loading arbitrary shared libraries.
    • No specific sudoers rules are required; any local unprivileged user can exploit this if a vulnerable Sudo version is installed.
  • Example Exploit Steps:
    1. Create a directory structure with a crafted /etc/nsswitch.conf.
    2. Use sudo -R <malicious_dir> <command> to escalate privileges.

About Sudo

Sudo is a widely used command-line tool that allows low-privileged users to execute commands as another user, typically the superuser (root). Its configuration is managed via the /etc/sudoers file, which defines:

  • Who can run what commands
  • As which users
  • On which machines
  • Additional controls such as password requirements

Discovery and Disclosure

  • Researcher: Rich Mirch (Stratascale)
  • Timeline:
    • Vulnerabilities reported to the Sudo project on April 1, 2025.
    • Coordinated disclosure with major Linux vendors and security mailing lists.
    • Security patches released in Sudo version 1.9.17p1 (late June 2025).
  • Project Maintainer: Todd C. Miller
  • Disclosure Process:
    The vulnerabilities were responsibly disclosed following industry best practices, including embargo periods to allow vendors to prepare and distribute patches before public announcement. Security advisories were published by both the Sudo project and affected distributions.

Affected Distributions and Impact

  • CVE-2025-32462:
    • Distributions: AlmaLinux 8/9, Alpine Linux, Amazon Linux, Debian, Gentoo, Oracle Linux, Red Hat, SUSE, Ubuntu
    • Impact: Primarily affects environments using a shared sudoers file (e.g., via NFS or LDAP/SSSD). Systems with host-specific sudoers rules are at risk of unintended privilege assignments.
  • CVE-2025-32463:
    • Distributions: Alpine Linux, Amazon Linux, Debian, Gentoo, Red Hat, SUSE, Ubuntu
    • Impact: Any system running a vulnerable Sudo version is at risk, regardless of sudoers configuration. Exploitation does not require special sudoers privileges—any local user can potentially escalate to root.

Technical Mitigation and Recommendations

  • Upgrade Sudo:
    • Immediately update Sudo to version 1.9.17p1 or later using your distribution’s package manager:
      1
2
3
4
5
6
7
8

      # Debian/Ubuntu
sudo apt update && sudo apt install sudo

# Red Hat/CentOS/Fedora
sudo dnf update sudo

# Alpine
sudo apk upgrade sudo
  • Audit Sudoers Configuration:
    • Review all sudoers files for use of the Host_Alias feature and the -h (host) option.
    • For LDAP/SSSD environments, ensure host-based rules are strictly necessary and correctly scoped.
    • Search for scripts or automation that invoke sudo with -h or -R options:
      1

      grep -r 'sudo .*-[hR]' /etc /usr/local/bin /home
  • Restrict Chroot Usage:
    • Limit or disable the use of the -R (chroot) option in sudoers policies where possible.
    • Monitor for suspicious use of sudo -R in system logs.
  • Monitor Vendor Advisories:
    • Subscribe to your distribution’s security mailing lists and apply all relevant security updates promptly.
    • Review vendor-specific advisories for additional mitigations or backported patches.

Additional Hardening Steps

  • Filesystem Protections:
    • Ensure that unprivileged users cannot create arbitrary directory structures that could be used for chroot-based attacks.
    • Use filesystem permissions and mount options (e.g., nodev, nosuid, noexec) to limit exploitation vectors.
  • System Monitoring:
    • Implement intrusion detection and log monitoring for unusual sudo usage patterns.
    • Regularly scan for unauthorized changes to critical configuration files such as /etc/nsswitch.conf.

Prompt patching and configuration review are essential to prevent exploitation of these vulnerabilities.

Technical References

Users are strongly advised to update their systems and review their sudoers configurations to mitigate these critical vulnerabilities.

NEWS, ISSUE
Linux Privilege-Escalation Vulnerability CVE Security Cybersecurity Exploitation Open Source
This post is licensed under CC BY 4.0 by the author.