Security researchers over at Apple security have found a new flaw in the Linux operating system, which allows users to run root commands even when their account doesn’t have root privileges.
The flaw was found in Sudo, which is short for “superuser do”. It’s a system command which allows users to run applications with someone else’s privileges. Even though this is not the same as having root access, a Sudoer can run commands as the root user, thanks to the bug.
"This can be used by a user with sufficient sudo privileges to run commands as root even if the Runas specification explicitly disallows root access as long as the ALL keyword is listed first in the Runas specification," the Sudo developers say.
According to The Register, the vulnerability is “more interesting than scary”, given the fact that it requires the system to be set up in a non-standard way. “In other words, Linux computers are not vulnerable by default,” it says.
Sudo is one of the most important, powerful, and commonly used utilities in Linux, says The Hacker News, adding that it comes as a core command “installed on almost every UNIX and Linux-based operating system”.
This security vulnerability was assigned the identifier CVE-2019-14287.
Luckily enough, the vulnerability has already been patched, so all Linux users are advised to upgrade to Sudo version 1.8.28, released yesterday.
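For administrators who want to check their own systems, here is an added example (not code from the article or from the Sudo project): a Python audit helper that flags sudoers rules of the shape the developers describe, a Runas list that starts with ALL and explicitly negates root, and compares a `sudo -V` version line with 1.8.28. The function names, the sample rules and the `!#0` (root by uid) form of the negation are assumptions made for illustration.

```python
import re

FIXED = (1, 8, 28)  # Sudo release the article names as carrying the fix
NEGATED_ROOT = ("!root", "!#0")  # assumption: root excluded by name or by uid
# Constructed sample sudoers content (not taken from a real system).
SAMPLE = """\
Defaults env_reset
root    ALL=(ALL:ALL) ALL
alice   ALL=(ALL, !root) /usr/bin/vi
bob     ALL=(www-data) /usr/bin/systemctl restart nginx
carol   ALL = (ALL, \\
               !#0) /usr/bin/id
"""

def runas_lists(rule):
    """Yield the Runas user list of each '(users : groups)' spec in a rule."""
    _, sep, rhs = rule.partition("=")
    if not sep:
        return
    for spec in re.findall(r"\(([^)]*)\)", rhs):
        users = spec.split(":", 1)[0]  # drop the optional group list
        yield ["".join(u.split()) for u in users.split(",")]

def flagged_rules(sudoers_text):
    """Return rules whose Runas list starts with ALL and negates root."""
    hits = []
    # Join backslash-continued lines before looking at individual rules.
    for line in sudoers_text.replace("\\\n", " ").splitlines():
        rule = line.strip()
        if not rule or rule.startswith(("#", "Defaults")):
            continue  # comments, include directives, Defaults entries
        for users in runas_lists(rule):
            if users[0] == "ALL" and any(u in NEGATED_ROOT for u in users[1:]):
                hits.append(rule)
                break
    return hits

def is_fixed(version_line):
    """Compare the version in the first line of `sudo -V` with 1.8.28."""
    match = re.search(r"(\d+)\.(\d+)\.(\d+)", version_line)
    if not match:
        raise ValueError("no version number found")
    return tuple(int(n) for n in match.groups()) >= FIXED

if __name__ == "__main__":
    for rule in flagged_rules(SAMPLE):
        print("review:", rule)
```

Feed `flagged_rules` the contents of `/etc/sudoers` and any files under `/etc/sudoers.d`. Distribution packages may carry the fix under an older version number, so treat a result below 1.8.28 as a prompt to check the vendor advisory rather than as proof of exposure.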