The ‘sudo’ command on Linux and Unix lets users run specific commands with elevated privileges that a user with a lower level of clearance could not otherwise exercise on a given machine.
Unsurprisingly, it is one of the most significant commands in the entire Linux and Unix ecosystem, and a flaw in it can greatly compromise a device’s security if exploited.
One such bug was found by Joe Vennix of Apple Information Security. The vulnerability is tracked as ‘CVE-2019-14287’ in the Common Vulnerabilities and Exposures database.
The Bug Let Restricted Users Run Commands as Root
As mentioned above, ‘sudo’ allows you to run commands that normal users on the machine cannot otherwise perform. With CVE-2019-14287, a user could bypass a Runas restriction simply by passing the user ID -1 or 4294967295 to the ‘sudo’ command. That means that, by impersonating the root identity, a user who was granted a limited set of commands could run them as root.
This was possible because sudo wrongly interpreted the user ID -1, or its unsigned equivalent 4294967295, as 0, which is always the user ID of the root user. To put it simply, both ‘sudo -u#-1 id -u’ and ‘sudo -u#4294967295 id -u’ returned 0, because the ‘sudo’ command itself runs as user ID 0.
Therefore, no change takes place when sudo attempts to switch to user ID -1. From there, any command that is restricted to users with root clearance can be performed by any user who runs the commands mentioned above.
Fortunately, only sudoers entries with the ‘ALL’ keyword in the Runas specification were affected. For instance, entries such as ‘myhost bob = (ALL, !root) /usr/bin/vi’ were affected, while others, such as ‘myhost alice = /usr/bin/id’, were not.
The vulnerability has been fixed in Sudo version 1.8.28, which now treats an ID of -1 as invalid, since that would mean ‘no change’. Users should therefore install the available updates on affected machines to patch against the bug.
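The two conditions described above (a Runas specification containing ‘ALL’, and a sudo release older than 1.8.28) can be checked during an audit. The following script is an added example, not part of the original article or the sudo project: it parses simplified sudoers lines with a regular expression, flags entries whose Runas user list grants ALL, notes whether they rely on a ‘!root’ exclusion, and compares a ‘sudo -V’ version string against 1.8.28. The sample sudoers text is constructed around the two entries the article cites; real sudoers files (aliases, includes, multi-line rules) would need sudo's own parser.

```python
import re

FIXED_VERSION = (1, 8, 28)  # first sudo release that rejects uid -1 (CVE-2019-14287)

# Constructed sample: the two entries quoted in the article plus two extra rules.
SAMPLE_SUDOERS = """
# comment line
Defaults env_reset
myhost bob = (ALL, !root) /usr/bin/vi
myhost alice = /usr/bin/id
carol ALL = (ALL:ALL) NOPASSWD: ALL
dave ALL = (root) /usr/bin/systemctl restart nginx
"""

# who  where = (runas_users[:runas_groups]) command   -- simplified sudoers grammar
RULE_RE = re.compile(r'^\s*(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\))?\s*(.*)$')

def runas_grants_all(runas_spec):
    """True when the Runas user list contains ALL; these entries were affected
    because sudo < 1.8.28 mapped -u#-1 / -u#4294967295 to uid 0."""
    users = runas_spec.split(':', 1)[0]          # drop the optional ':group' part
    names = [u.strip() for u in users.split(',')]
    excludes_root = any(n in ('!root', '!#0') for n in names)
    return 'ALL' in names, excludes_root

def find_affected_rules(text):
    """Return the rules in a sudoers text whose Runas specification grants ALL."""
    hits = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith(('#', 'Defaults')):
            continue
        m = RULE_RE.match(line)
        if not m or m.group(3) is None:
            continue  # no Runas spec: command runs only as the default (root) target
        grants_all, excludes_root = runas_grants_all(m.group(3))
        if grants_all:
            hits.append({'line': stripped, 'runas': m.group(3).strip(),
                         'excludes_root': excludes_root})
    return hits

def version_tuple(version_str):
    """Extract (major, minor, patch) from e.g. 'Sudo version 1.8.27'."""
    return tuple(int(p) for p in re.findall(r'\d+', version_str)[:3])

def sudo_is_vulnerable(version_str):
    """True when the reported sudo version predates the 1.8.28 fix."""
    return version_tuple(version_str) < FIXED_VERSION

if __name__ == '__main__':
    for hit in find_affected_rules(SAMPLE_SUDOERS):
        print(hit)
    print('vulnerable:', sudo_is_vulnerable('Sudo version 1.8.27'))
```

An entry that grants ALL but relies on ‘!root’ to keep the command away from uid 0 is the case where the bypass actually gained something, so those hits deserve the first look when a host still runs a pre-1.8.28 release.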