Its a normal work day, and you hear your collegues talking about the new big vulnerability, how all the systems we manage are vulnerable and how we need to start working to get things fixed right now. The plan: find all vulnerable systems and remove the usecase that would lead to the vulnerability. I finally get a chance to go sit at my system and there I have it clearly visible, an email from management with a pretty bold subject URGENT IMPORTANT - MAJOR SUDO VULNERABILITY staring right at me. Barely do we get to see an email subject in all bold. I read through the email, and understand that there is a vulnerability in sudo, the tool that is so widely used to restrict root level access to specific users/commands almost universally.
The email contained a blog post: https://thehackernews.com/2019/10/linux-sudo-run-as-root-flaw.html which I read multiple times but was not able to realise clearly what exactly the vulnerability was. All that it seemed to summarise was that "Users with limited access can run commands as root that they are not supposed to". We had some such users on our boxes and tried to test the vulnerability on one of our boxes. The command to be run was sudo -u#-1 id -u
which should return 0 if the exploit was successfull. It was blocked by sudo. I tried it on another box, another user - same result.
"Is this vulnerability legit?" I thought to myself while reading through the lines. I finally decided to go to the actual vulnerability disclosure page to see if things are clearer there - https://www.sudo.ws/alerts/minus_1_uid.html. And I regret not going there first.
So what was the real vulnerability? Below is my paraphrasing on it:
If you use a sudo rule where you allow one user to run a command as any other user, except root, then that user will be able to bypass the "not running as root" restriction and run it as root too.
You are pretty much encouraged to read through the above link to get specifics. So, as we do not do this, we were not at all vulnerable. We use sudo to allow specific user to run specific commands as root. As restriction on commands in sudo works as expected, and as those commands are supposed to be run as root, we are not affected.
And still I was staring at an email by management that was going to make us spend endless hours "mitigating" this vulnerability that did not even affect us. Also rather than pointing to the proper link in the mail, we were seeing a link that does not do justice to the explanation of the vulnerability.
I shall still follow the email to the letter - atleast it is one step towards reducing our reliance on the root user to make things happen - when most of them can just be done without it.