Critical Sudo Vulnerabilities

  Two Critical Sudo Vulnerabilities 

CVE-2025-32463: Sudo Local Privilege Escalation via Malicious /etc/nsswitch.conf in --chroot

Summary: 
CVE-2025-32463 is a critical local privilege escalation vulnerability in Sudo versions before 1.9.17p1. It allows a local unprivileged user to gain root access by exploiting how Sudo handles the /etc/nsswitch.conf file when invoked with the --chroot option. Specifically, Sudo mistakenly uses /etc/nsswitch.conf from a user-controlled directory inside the chroot environment, leading to command injection and root access escalation. 

Severity:

  • CVSS v3 base score: 9.3 (Critical) 
  • Attack vector: Local
  • Privileges required: None
  • User interaction: None
  • Impact: Full confidentiality, integrity, and availability compromise.

How it works:
When Sudo is run with the --chroot option, it attempts to read /etc/nsswitch.conf inside the chroot directory to configure name service switches. However, if an attacker can control the chroot directory contents, they can supply a malicious /etc/nsswitch.conf file. This crafted file causes Sudo to execute arbitrary commands as root, effectively bypassing all privilege restrictions.

Sample scenario: 

  1. A local attacker creates a directory they control and places a malicious /etc/nsswitch.conf inside it.
  2. They execute Sudo with the --chroot option pointing to that directory.
  3. Sudo reads the attacker-controlled /etc/nsswitch.conf and executes embedded commands with root privileges.
  4. The attacker gains full root access on the system.

Mitigation:

  • Upgrade Sudo to version 1.9.17p1 or later where this vulnerability is fixed.
  • Avoid using the --chroot option with untrusted directories.
  • Apply vendor patches promptly (Ubuntu, SUSE, Amazon Linux advisories available).

CVE-2025-32462: Sudo Host-Based Command Execution on Unintended Machines 

Summary: 
CVE-2025-32462 is a high-severity local privilege escalation vulnerability in Sudo versions before 1.9.17p1. It arises when the sudoers configuration file specifies a host that is neither the current host nor the special keyword ALL. In this case, users listed in sudoers can execute commands on unintended machines, bypassing host restrictions.

Severity:

  • CVSS v3 base score: ranges from 2.8 (low) to 6 (medium) depending on context
  • Impact: Unauthorized command execution on unintended hosts, potential privilege escalation.

How it works:

  • The sudoers file can restrict command execution based on the hostname using the Host_Alias or Runas_Alias directives.
  • If a host is specified that does not match the current machine or ALL, Sudo incorrectly allows users to run commands as if they were on that host.
  • This can lead to executing privileged commands on machines that should be off-limits.

Sample scenario: 

  1. A system administrator configures sudoers with a host restriction, e.g., Host_Alias WEB_SERVERS = web01 but the current machine is web02.
  2. A user listed under that host alias can still run commands on web01 or effectively bypass restrictions.
  3. This could allow unauthorized access or command execution on other hosts in a multi-host environment.

Mitigation:

  • Update Sudo to version 1.9.17p1 or later where the issue is fixed.
  • Review and correct sudoers files to avoid specifying hosts other than the current host or ALL until patched.
  • Use sudo visudo to safely edit sudoers and verify host restrictions.

Summary Table

CVE ID Vulnerability Type Affected Versions Impact Exploitation Scenario Fix Available
CVE-2025-32463 Local privilege escalation via malicious /etc/nsswitch.conf with --chroot Sudo < 1.9.17p1 Full root access Attacker controls chroot dir with malicious config Yes, update to 1.9.17p1
CVE-2025-32462 Host-based command execution bypass Sudo < 1.9.17p1 Execute commands on unintended hosts Misconfigured sudoers with incorrect host specs Yes, update to 1.9.17p1

Additional Notes 

  • Both vulnerabilities highlight the importance of keeping Sudo updated, especially in multi-user or multi-host environments.
  • CVE-2025-32462 is a long-standing vulnerability (over 12 years old) recently rediscovered and confirmed on many Unix-like systems including Linux and macOS.
  • CVE-2025-32463 is more severe due to its ability to gain root without any privileges or user interaction.

If you manage systems using Sudo, immediately update to version 1.9.17p1 or later and audit your sudoers configurations to mitigate these critical vulnerabilities.



Crow

physics, information technologies, author, educator

Post a Comment

Hello, share your thoughts with us.

Previous Post Next Post

İletişim Formu