Two Critical Sudo Vulnerabilities
CVE-2025-32463: Sudo Local Privilege Escalation via Malicious /etc/nsswitch.conf in --chroot
Summary:
CVE-2025-32463 is a critical local privilege escalation vulnerability in Sudo versions before 1.9.17p1. It allows a local unprivileged user to gain root access by exploiting how Sudo handles the /etc/nsswitch.conf file when invoked with the --chroot option. Specifically, Sudo mistakenly uses /etc/nsswitch.conf from a user-controlled directory inside the chroot environment, leading to command injection and root access escalation.
Severity:
- CVSS v3 base score: 9.3 (Critical)
- Attack vector: Local
- Privileges required: None
- User interaction: None
- Impact: Full confidentiality, integrity, and availability compromise.
How it works:
When Sudo is run with the --chroot option, it attempts to read /etc/nsswitch.conf inside the chroot directory to configure name service switches. However, if an attacker can control the chroot directory contents, they can supply a malicious /etc/nsswitch.conf file. This crafted file causes Sudo to execute arbitrary commands as root, effectively bypassing all privilege restrictions.
Sample scenario:
- A local attacker creates a directory they control and places a malicious /etc/nsswitch.conf inside it.
- They execute Sudo with the --chroot option pointing to that directory.
- Sudo reads the attacker-controlled /etc/nsswitch.conf and executes embedded commands with root privileges.
- The attacker gains full root access on the system.
Mitigation:
- Upgrade Sudo to version 1.9.17p1 or later, where this vulnerability is fixed.
- Avoid using the --chroot option with untrusted directories.
- Apply vendor patches promptly (Ubuntu, SUSE, and Amazon Linux advisories are available).
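The first two mitigation points can be checked from a shell without root. The following Python script is an added example, not part of the original advisory: it parses the banner printed by `sudo --version` into a comparable tuple (so that 1.9.17 without a patch level correctly sorts below 1.9.17p1), and scans a sudoers text for the two places where chroot use is granted (a `CHROOT=` tag on a rule or a `runchroot` Defaults setting). The function names, the 1.9.17p1 threshold taken from the advisory above, and the sample sudoers lines are all constructed here.

```python
import re
import subprocess

# First upstream Sudo release carrying the fix, as stated in the advisory above.
FIXED_VERSION = (1, 9, 17, 1)


def parse_sudo_version(output):
    """Turn the banner printed by `sudo --version` into a comparable tuple.

    Sudo versions look like 1.9.16p2; a release with no "pN" suffix (1.9.17)
    is treated as p-level 0 so that it sorts below 1.9.17p1.
    """
    m = re.search(r"\bSudo version (\d+)\.(\d+)\.(\d+)(?:p(\d+))?", output)
    if m is None:
        raise ValueError("unrecognised sudo version banner: %r" % output)
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def version_is_fixed(output):
    """True when the upstream version number is 1.9.17p1 or later."""
    return parse_sudo_version(output) >= FIXED_VERSION


def find_chroot_grants(sudoers_text):
    """Return 1-based line numbers of sudoers lines that enable chroot:
    a CHROOT= tag on a rule or a runchroot Defaults setting."""
    hits = []
    for no, line in enumerate(sudoers_text.splitlines(), 1):
        body = line.split("#", 1)[0]           # drop trailing comments
        if re.search(r"\bCHROOT=|\brunchroot\b", body):
            hits.append(no)
    return hits


def installed_sudo_banner():
    """Run the real `sudo --version` (works unprivileged) and return its output."""
    return subprocess.run(["sudo", "--version"], capture_output=True,
                          text=True, check=True).stdout


if __name__ == "__main__":
    banner = installed_sudo_banner()
    print(banner.splitlines()[0])
    print("upstream version at or above 1.9.17p1:", version_is_fixed(banner))
```

Distributions such as the Ubuntu, SUSE and Amazon Linux releases named above often backport a fix without bumping the upstream version number, so a "not fixed" result from `version_is_fixed` means "check the vendor advisory for this package build", not "confirmed vulnerable". A hit from `find_chroot_grants` is a rule to review against the second mitigation point: is the chroot directory one that unprivileged users cannot write to?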
CVE-2025-32462: Sudo Host-Based Command Execution on Unintended Machines
Summary:
CVE-2025-32462 is a high-severity local privilege escalation vulnerability in Sudo versions before 1.9.17p1. It arises when the sudoers configuration file specifies a host that is neither the current host nor the special keyword ALL. In this case, users listed in sudoers can execute commands on unintended machines, bypassing host restrictions.
Severity:
- CVSS v3 base score: ranges from 2.8 (low) to 6 (medium) depending on context
- Impact: Unauthorized command execution on unintended hosts, potential privilege escalation.
How it works:
- The sudoers file can restrict command execution based on the hostname using the Host_Alias or Runas_Alias directives.
- If a host is specified that does not match the current machine or ALL, Sudo incorrectly allows users to run commands as if they were on that host.
- This can lead to executing privileged commands on machines that should be off-limits.
Sample scenario:
- A system administrator configures sudoers with a host restriction, e.g., Host_Alias WEB_SERVERS = web01, but the current machine is web02.
- A user listed under that host alias can still run commands on web01 or effectively bypass restrictions.
- This could allow unauthorized access or command execution on other hosts in a multi-host environment.
Mitigation:
- Update Sudo to version 1.9.17p1 or later, where the issue is fixed.
- Review and correct sudoers files to avoid specifying hosts other than the current host or ALL until patched.
- Use sudo visudo to safely edit sudoers and verify host restrictions.
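The second mitigation point is a review task, and `visudo -c` only checks syntax, not whether a host field makes sense on this machine. The script below is an added example, not part of the original advisory: it joins backslash-continued sudoers lines, expands Host_Alias definitions, and reports every rule whose host is neither ALL nor the hostname you pass in, which is exactly the pattern the advisory tells you to remove until Sudo is patched. The sudoers content, the hostnames (web01, web02, web03, db01), the user names and the function names are all constructed here.

```python
import re
import socket
import sys

# Constructed sample sudoers content; not taken from any real system.
SAMPLE_SUDOERS = """\
# constructed sample, not a real sudoers file
Defaults env_reset
Host_Alias WEB_SERVERS = web01, \\
    web03
root ALL=(ALL:ALL) ALL
%admin ALL=(ALL) ALL
alice WEB_SERVERS=(root) /usr/sbin/service nginx restart
bob web02=(ALL) /usr/bin/systemctl restart nginx
carol db01 = (root) /bin/ls  # host never matches web02
"""


def _logical_lines(text):
    """Yield (lineno, line) pairs with comments removed and backslash
    continuations joined, so a rule spread over several lines is seen whole.
    Simplification: any '#' at line start or after whitespace begins a comment."""
    buf, start = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = re.sub(r"(^|\s)#.*$", "", raw).rstrip()
        if not line.strip():
            continue
        if start is None:
            start = no
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        buf.append(line)
        yield start, " ".join(buf)
        buf, start = [], None


def audit_sudoers(text, local_host):
    """Return (lineno, user, host) for every host in a user specification
    that is neither ALL nor local_host. Host_Alias names are expanded.
    Simplification: host lists in a rule are comma-separated without spaces."""
    aliases = {}
    findings = []
    for no, line in _logical_lines(text):
        m = re.match(r"Host_Alias\s+(\w+)\s*=\s*(.+)$", line)
        if m:
            aliases[m.group(1)] = [h.strip() for h in m.group(2).split(",")]
            continue
        if re.match(r"(Defaults|User_Alias|Runas_Alias|Cmnd_Alias)\b", line):
            continue
        if "=" not in line:
            continue
        left = line.split("=", 1)[0].split()
        if len(left) < 2:            # not a "user host = ..." rule
            continue
        user, hostspec = " ".join(left[:-1]), left[-1]
        for host in hostspec.split(","):
            host = host.strip().lstrip("!")
            for h in aliases.get(host, [host]):
                if h not in ("ALL", local_host):
                    findings.append((no, user, h))
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1:            # audit a real file, e.g. /etc/sudoers (needs read access)
        with open(sys.argv[1]) as fh:
            text = fh.read()
    else:
        text = SAMPLE_SUDOERS
    for no, user, host in audit_sudoers(text, socket.gethostname()):
        print(f"line {no}: rule for {user!r} names host {host!r}, "
              f"which is neither ALL nor this host")
```

Sudo also matches the host field against the fully qualified name, IP addresses with netmasks and netgroups, so the checker deliberately treats anything other than ALL or the exact name you pass as a finding for manual review; run it a second time with `socket.getfqdn()` if your rules use FQDNs. Files pulled in through `@include` or `/etc/sudoers.d/` are not followed; pass each of them on the command line.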
Summary Table
CVE ID | Vulnerability Type | Affected Versions | Impact | Exploitation Scenario | Fix Available |
---|---|---|---|---|---|
CVE-2025-32463 | Local privilege escalation via malicious /etc/nsswitch.conf with --chroot | Sudo < 1.9.17p1 | Full root access | Attacker controls chroot dir with malicious config | Yes, update to 1.9.17p1 |
CVE-2025-32462 | Host-based command execution bypass | Sudo < 1.9.17p1 | Execute commands on unintended hosts | Misconfigured sudoers with incorrect host specs | Yes, update to 1.9.17p1 |
Additional Notes
- Both vulnerabilities highlight the importance of keeping Sudo updated, especially in multi-user or multi-host environments.
- CVE-2025-32462 is a long-standing vulnerability (over 12 years old) recently rediscovered and confirmed on many Unix-like systems including Linux and macOS.
- CVE-2025-32463 is more severe due to its ability to gain root without any privileges or user interaction.
If you manage systems using Sudo, immediately update to version 1.9.17p1 or later and audit your sudoers configurations to mitigate these critical vulnerabilities.