Two Critical Sudo Vulnerabilities

CVE-2025-32463: Sudo Local Privilege Escalation via Malicious /etc/nsswitch.conf in --chroot

Summary:
CVE-2025-32463 is a critical local privilege escalation vulnerability in Sudo versions before 1.9.17p1. It allows a local unprivileged user to gain root access by exploiting how Sudo handles the /etc/nsswitch.conf file when invoked with the --chroot option. Specifically, Sudo mistakenly uses /etc/nsswitch.conf from a user-controlled directory inside the chroot environment, leading to command injection and root access escalation.

Severity:

CVSS v3 base score: 9.3 (Critical)
Attack vector: Local
Privileges required: None
User interaction: None
Impact: Full confidentiality, integrity, and availability compromise.

How it works:
When Sudo is run with the --chroot option, it attempts to read /etc/nsswitch.conf inside the chroot directory to configure name service switches. However, if an attacker can control the chroot directory contents, they can supply a malicious /etc/nsswitch.conf file. This crafted file causes Sudo to execute arbitrary commands as root, effectively bypassing all privilege restrictions.

Sample scenario:

A local attacker creates a directory they control and places a malicious /etc/nsswitch.conf inside it.
They execute Sudo with the --chroot option pointing to that directory.
Sudo reads the attacker-controlled /etc/nsswitch.conf and executes embedded commands with root privileges.
The attacker gains full root access on the system.

Mitigation:

Upgrade Sudo to version 1.9.17p1 or later where this vulnerability is fixed.
Avoid using the --chroot option with untrusted directories.
Apply vendor patches promptly (Ubuntu, SUSE, Amazon Linux advisories available).

CVE-2025-32462: Sudo Host-Based Command Execution on Unintended Machines

Summary:
CVE-2025-32462 is a high-severity local privilege escalation vulnerability in Sudo versions before 1.9.17p1. It arises when the sudoers configuration file specifies a host that is neither the current host nor the special keyword ALL. In this case, users listed in sudoers can execute commands on unintended machines, bypassing host restrictions.

Severity:

CVSS v3 base score: ranges from 2.8 (low) to 6 (medium) depending on context
Impact: Unauthorized command execution on unintended hosts, potential privilege escalation.

How it works:

The sudoers file can restrict command execution based on the hostname using the Host_Alias or Runas_Alias directives.
If a host is specified that does not match the current machine or ALL, Sudo incorrectly allows users to run commands as if they were on that host.
This can lead to executing privileged commands on machines that should be off-limits.

Sample scenario:

A system administrator configures sudoers with a host restriction, e.g., Host_Alias WEB_SERVERS = web01 but the current machine is web02.
A user listed under that host alias can still run commands on web01 or effectively bypass restrictions.
This could allow unauthorized access or command execution on other hosts in a multi-host environment.

Mitigation:

Update Sudo to version 1.9.17p1 or later where the issue is fixed.
Review and correct sudoers files to avoid specifying hosts other than the current host or ALL until patched.
Use sudo visudo to safely edit sudoers and verify host restrictions.

Summary Table

CVE ID	Vulnerability Type	Affected Versions	Impact	Exploitation Scenario	Fix Available
CVE-2025-32463	Local privilege escalation via malicious `/etc/nsswitch.conf` with `--chroot`	Sudo < 1.9.17p1	Full root access	Attacker controls chroot dir with malicious config	Yes, update to 1.9.17p1
CVE-2025-32462	Host-based command execution bypass	Sudo < 1.9.17p1	Execute commands on unintended hosts	Misconfigured sudoers with incorrect host specs	Yes, update to 1.9.17p1

Additional Notes

Both vulnerabilities highlight the importance of keeping Sudo updated, especially in multi-user or multi-host environments.
CVE-2025-32462 is a long-standing vulnerability (over 12 years old) recently rediscovered and confirmed on many Unix-like systems including Linux and macOS.
CVE-2025-32463 is more severe due to its ability to gain root without any privileges or user interaction.

If you manage systems using Sudo, immediately update to version 1.9.17p1 or later and audit your sudoers configurations to mitigate these critical vulnerabilities.

Trending

Critical Security Vulnerabilities in Dell ControlVault3 Firmware

The Silent Threat in Systems: Two New Vulnerabilities in Tenable Network Monitor

Server-Side Request Forgery (SSRF) Vulnerability in SmartRobot by INTUMIT

2025 Vulnerabilities in Real Estate Software

Critical CSRF Vulnerability in Siemens SIMATIC S7-1200 PLCs: Exploitation and Defense

Remote Code Execution in EV Charging Stations

Prisma Access Browser Security Update: Take Action to Address Critical Vulnerabilities

Critical Sudo Vulnerabilities

Two Critical Sudo Vulnerabilities

CVE-2025-32463: Sudo Local Privilege Escalation via Malicious /etc/nsswitch.conf in --chroot

CVE-2025-32462: Sudo Host-Based Command Execution on Unintended Machines

Summary Table

Additional Notes

Post a Comment

İletişim Formu