Summary
A serious heap-based buffer overflow has been discovered in sudo that is exploitable by any local user. The flaw can be leveraged to elevate privileges to root, even if the user is not listed in the sudoers file. User authentication is not required to exploit the flaw. Researchers have developed working exploits against Ubuntu, Debian, and Fedora Linux distributions. Other UNIX-based operating systems and distributions are also likely to be exploitable. [1] [2]
Impact
Vulnerable
-
Sudo versions 1.8.2 through 1.8.31p2
-
Sudo versions 1.9.0 through 1.9.5p1
Recommendations
-
Update to sudo version 1.9.5p2 or later or install a supported security patch from your operating system vendor.
-
ISO has notified the IST UNIX Team of this vulnerability and they are assessing the impact to IST-managed systems. Customers should expect patching plans to be relayed shortly.