The 2019 Great Sudo Halloween ScareAnirban Banerjee
Sudo is considered one of the most powerful commands which are used in the Linux/Unix environment. This bug was found in the usage of this command which pointed to a major security vulnerability in the OS family. Sudo is a command that allows a user or a group of users to run or operate commands with extra privilege other than which is normally permitted to use. In short, using Sudo one can run root commands if he/she is permitted to use it. But with this newly found bug, a user who has access to use Sudo command but has no right to use root commands can still act as a root user using the same configuration. Sounds bad, right?
What does it do?
The bug which is officially christened as “CVE-2019-14287” in the Common Vulnerabilities and Exposure Database was analyzed by Joe Vennix of Apple Information Security. This flaw found in the usage of Sudo allows attackers to breach the security layers of Linux and access anything and everything in the system just like a system administrator. This is quite a nightmare scenario for Privileged Access. Sudo or ‘Superuser Do’ is the command which allows a user to run commands with different privileges, such as that of a system administrator being in the same working environment. This means that the one attacking the system or any person who is aware of this loophole in the OS can get root access and can run or execute anything in the system.
How does it work?
Any attacker who is aware of this flaw can easily get himself root access by specifying the user ID to be “-1” or “4294967295” which is an unsigned equivalent value of -1. Usage of these Ids will automatically direct the attacker to the value “0” which is equivalent to that of the root user. An edge case for this bug is that any user who is exploiting this flaw won’t be asked for a password. This is because the requested user ID is not present in the Linux users database.
The Linux versions with the “ALL “ function enabled in the RunAs specification will be affected by this bug. These files which are specified in the /etc /Sudoers / location make way for the attackers to sneak in and get access as a root user. The keyword “ALL” that is present in the default configuration of Linux, allows all the users in a specific group to execute or run any command as any valid user in the system.
One of the main security policies followed by Linux is their privilege separation. Any administrator can decide which user should run what command by configuring the Linux sudoers file. Because of this bug, any users who want to breach a system can easily bypass the so-called privilege separation policy set by the administrators. Even if a user has not been given permission to have root access but is permitted with certain Sudo commands, he/she can take over the entire system by adding one of the parameters u#-1 or -u#4294967295 along with Sudo.
Let’s consider a scenario:
alice myhost = (ALL, !root) /usr/bin/vi
Here, the user is allowed to run vi as any user but not as the root. suppose Alice is a user who is not provided with root access but is permitted to use certain other privileges using Sudo, using the above command or sudo -u#-1 vi, Alice can easily get root access.
As per the red blooded, bearded merlins of our security world, the buzz around this bug in the cyber-world is actually like adding insult to the injury. This flaw in the code, according to the experts, may not have caused any considerable breaches or attacks as the effect of this bug will be adverse only in those systems which are poorly configured. The unfortunate truth of the matter is “poorly configured systems” are actually the norm in the real world.
Though there’s no need to push the panic button as the bug is fixed in Sudo version 1.8.28, you can check whether there is any configuration flaw in your sudoer’s file by running the following command:
# grep -r ‘!\s*root\>’ /etc/sudoers /etc/sudoers.d/ | grep -v ‘^\s*#’
If this command produces no output, then your files are free from vulnerability. Else, you should give a shot in reconfiguring them.
Can things get easier..?
Of course! It can. A three-lettered word may bridge the gap between such chaotic bugs and an effective security provision – PAM. We’re talking about Privileged Access Management here. The usage of Sudo can be made more easy and secure with the help of PAM tools.
The above mentioned issue and more such problems are caused mostly in the privilege management area. You can restrict the usage of certain commands according to users with the help of Privileged Access Management tools and thereby you can block the unnecessary provision of privileges to users. Unless a user has been granted access to a certain command, he/she can’t use it and this will ensure that no user will have access to any kind of red buttons that may adversely affect your entire system.
The Linux shell is one of the most powerful Linux/GNU powered tool which is used by millions of people around the globe. Powerful applications like X are developed using shell. With a shell, the whole Linux system can be configured with utmost precision. Enabling shell restriction is a way of restricting users NOT to use a good number of commands in the shell. Limit shell access to the users using PAM and this will restrict users from changing their working directories and using some commands which may cause harm to the system security. This functionality provided by PAM will be of great use in an environment where a large number of users are accessing a shared system.
Enable time-based Sudo access using PAM. Rather than simply giving Sudo access to a user at a particular time of need, you can provide an expiry time for the granted access with the help of PAM. This will help in restricting the Sudo access to any users for more than the required time limit.
If you’re using Linux, I believe that you’ll be familiar with what Sudo can do and its power in granting access to the system files and data. Hence, extreme care must be taken while granting sudo access to a specific user. Manual granting of Sudo access can be underlined as one of the reasons for most issues related to Sudo. Then why not make this procedure automatic and secure? Is this possible? With PAM, this is a big YES. By providing automatic and controlled Sudo grants with the help of PAM, the occurrence of error in the Sudoers files can be minimized to a great extent.
It is not tough to find a one-stop solution that binds all the above-mentioned benefits and more. Onionid provides Privileged Access Management tools to safeguard and manage all your accounts in a fine-grained manner. If you do require any additional clarifications, please feel free to get in touch with us at https://www.onionid.com or in case you need information about a complete, lightweight, cost-effective PAM solution with great after-sales support, please connect with us at firstname.lastname@example.org.