CVE-2019-18634
📋 TL;DR
This CVE describes a stack-based buffer overflow vulnerability in Sudo when the pwfeedback option is enabled. Attackers can exploit this by providing a long string to sudo's stdin, potentially allowing privilege escalation to root. The vulnerability primarily affects Linux Mint and elementary OS users where pwfeedback is enabled by default, but any system with this option enabled is vulnerable.
💻 Affected Systems
- sudo
📦 What is this software?
Sudo by Sudo Project
⚠️ Risk & Real-World Impact
Worst Case
Full root privilege escalation leading to complete system compromise, data theft, and persistent backdoor installation.
Likely Case
Local privilege escalation allowing attackers to gain root access on affected systems.
If Mitigated
No impact if pwfeedback is disabled or systems are patched.
🎯 Exploit Status
Exploit requires local user access and pwfeedback enabled. Multiple public exploits exist.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: sudo 1.8.26 and later
Vendor Advisory: https://www.sudo.ws/security/advisories/pwfeedback_adv.html
Restart Required: No
Instructions:
1. Update the sudo package using your distribution's package manager.
2. For Debian/Ubuntu: sudo apt update && sudo apt upgrade sudo
3. For RHEL/CentOS: sudo yum update sudo
4. For Arch: sudo pacman -Syu sudo
5. Verify the version with sudo --version.
🔧 Temporary Workarounds
Disable pwfeedback
Remove or comment out the 'pwfeedback' option from /etc/sudoers:
sudo visudo
# Remove or comment out any line containing 'pwfeedback'
🧯 If You Can't Patch
- Disable pwfeedback option in /etc/sudoers immediately
- Restrict sudo access to only necessary users and commands
🔍 How to Verify
Check if Vulnerable:
Check if pwfeedback is enabled: sudo grep -r 'pwfeedback' /etc/sudoers /etc/sudoers.d/ 2>/dev/null
Check Version:
sudo --version | head -1
Verify Fix Applied:
Check sudo version: sudo --version | grep 'Sudo version' and ensure it's 1.8.26 or higher
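The two verification checks above, combined into one script as an added example that is not part of this advisory: it treats a commented-out or negated ('!pwfeedback') entry as not enabled, which the bare grep does not, assumes the sudoers files are readable by the caller (run it as root for a live check), and takes the patch-version threshold from the Official Fix section above.

```shell
#!/bin/sh
# Added example, not from the advisory: checks whether pwfeedback is actively set
# and whether the installed sudo is older than the patch version stated above.
FIXED_VERSION="1.8.26"   # patch version as stated on this page
# Succeed (0) if version $1 is older than $2. Sudo's patch-level suffix
# (1.8.25p1) becomes a fourth numeric component; missing components count as 0.
version_lt() {
    v1=$(printf '%s' "$1" | tr p .); v2=$(printf '%s' "$2" | tr p .)
    old_ifs=$IFS; IFS=.
    set -- $v1; a1=${1:-0} a2=${2:-0} a3=${3:-0} a4=${4:-0}
    set -- $v2; b1=${1:-0} b2=${2:-0} b3=${3:-0} b4=${4:-0}
    IFS=$old_ifs
    for pair in "$a1 $b1" "$a2 $b2" "$a3 $b3" "$a4 $b4"; do
        x=${pair% *}; y=${pair#* }
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
    done
    return 1   # versions are equal
}
# Succeed (0) if any readable file in $@ has an active Defaults line that sets
# pwfeedback: not inside a comment and not written as '!pwfeedback'.
pwfeedback_enabled() {
    for f in "$@"; do
        [ -r "$f" ] || continue
        grep -Eq '^[[:space:]]*Defaults[^#]*[,[:space:]]pwfeedback([,[:space:]]|$)' "$f" \
            && return 0
    done
    return 1
}
# "vulnerable" only when both preconditions hold. $1 = installed version, rest = sudoers files.
assess() {
    ver=$1; shift
    if pwfeedback_enabled "$@" && version_lt "$ver" "$FIXED_VERSION"; then
        echo vulnerable
    else
        echo not-vulnerable
    fi
}
# Live check (run as root so /etc/sudoers is readable), or the constructed demo.
if [ "${1:-}" = "--live" ]; then
    ver=$(sudo --version 2>/dev/null | awk '/^Sudo version/ {print $3; exit}')
    [ -n "$ver" ] || { echo "sudo not found"; exit 2; }
    assess "$ver" /etc/sudoers /etc/sudoers.d/*
else
    tmp=$(mktemp)   # constructed sudoers sample, not from any real system
    printf '# Defaults pwfeedback\nDefaults env_reset,pwfeedback  # active\n' >"$tmp"
    assess 1.8.25p1 "$tmp"; rm -f "$tmp"
fi
```

Run with --live on the host being checked; without arguments it evaluates the constructed sample and prints "vulnerable".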
📡 Detection & Monitoring
Log Indicators:
- Failed sudo attempts with unusually long input
- Successful privilege escalation from non-privileged users
Network Indicators:
- Not applicable - local exploit
SIEM Query:
source="sudo" AND (event="authentication failure" AND input_length>1000) OR (event="privilege escalation" AND user_change="root")
🔗 References
- http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00029.html
- http://packetstormsecurity.com/files/156174/Slackware-Security-Advisory-sudo-Updates.html
- http://packetstormsecurity.com/files/156189/Sudo-1.8.25p-Buffer-Overflow.html
- http://seclists.org/fulldisclosure/2020/Jan/40
- http://www.openwall.com/lists/oss-security/2020/01/30/6
- http://www.openwall.com/lists/oss-security/2020/01/31/1
- http://www.openwall.com/lists/oss-security/2020/02/05/2
- http://www.openwall.com/lists/oss-security/2020/02/05/5
- https://access.redhat.com/errata/RHSA-2020:0487
- https://access.redhat.com/errata/RHSA-2020:0509
- https://access.redhat.com/errata/RHSA-2020:0540
- https://access.redhat.com/errata/RHSA-2020:0726
- https://lists.debian.org/debian-lts-announce/2020/02/msg00002.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I6TKF36KOQUVJNBHSVJFA7BU3CCEYD2F/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IY6DZ7WMDKU4ZDML6MJLDAPG42B5WVUC/
- https://seclists.org/bugtraq/2020/Feb/2
- https://seclists.org/bugtraq/2020/Feb/3
- https://seclists.org/bugtraq/2020/Jan/44
- https://security.gentoo.org/glsa/202003-12
- https://security.netapp.com/advisory/ntap-20200210-0001/
- https://support.apple.com/kb/HT210919
- https://usn.ubuntu.com/4263-1/
- https://usn.ubuntu.com/4263-2/
- https://www.debian.org/security/2020/dsa-4614
- https://www.sudo.ws/alerts/pwfeedback.html
- https://www.sudo.ws/security.html