CVE-2025-64517
📋 TL;DR
sudo-rs versions 0.2.5 through 0.2.9 have an authentication bypass vulnerability when using targetpw or rootpw options. The bug incorrectly records the invoking user's UID instead of the authenticated user's UID in timestamp files, allowing users who know one password to run commands as any account their sudo policy permits without additional authentication. This affects systems using sudo-rs with targetpw or rootpw configurations enabled.
💻 Affected Systems
- sudo-rs
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
A privileged user who knows one account password could gain unauthorized access to all accounts their sudo policy allows, potentially leading to full system compromise and privilege escalation across multiple accounts.
Likely Case
Users with sudo privileges who know one password can bypass authentication requirements for other accounts they're authorized to access via sudo, violating intended security boundaries.
If Mitigated
With proper monitoring and least privilege principles, impact is limited to authorized users gaining unauthorized access to specific accounts they shouldn't have access to.
🎯 Exploit Status
Exploitation requires local user access, sudo privileges, and knowledge of at least one password for an account the user is authorized to use via sudo.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.2.10
Vendor Advisory: https://github.com/trifectatechfoundation/sudo-rs/security/advisories/GHSA-q428-6v73-fc4q
Restart Required: No
Instructions:
1. Update sudo-rs to version 0.2.10 or later using your package manager. 2. If compiling from source, download and install version 0.2.10 from GitHub releases. 3. No service restart required, but users should log out and back in to clear existing timestamp files.
🔧 Temporary Workarounds
Disable targetpw/rootpw options
linuxRemove or comment out Defaults targetpw and Defaults rootpw lines from sudo configuration files
sudo sed -i 's/^Defaults targetpw/#Defaults targetpw/' /etc/sudoers
sudo sed -i 's/^Defaults rootpw/#Defaults rootpw/' /etc/sudoers
Clear existing timestamp files
linuxRemove all sudo timestamp files to force fresh authentication
sudo rm -f /var/run/sudo/ts/*
🧯 If You Can't Patch
- Disable targetpw and rootpw options in sudo configuration
- Implement strict monitoring of sudo usage and authentication logs
🔍 How to Verify
Check if Vulnerable:
Check sudo-rs version and if targetpw/rootpw options are enabled: sudo --version | grep sudo-rs && grep -E '^Defaults (targetpw|rootpw)' /etc/sudoers /etc/sudoers.d/* 2>/dev/nullCheck Version:
sudo --version | grep sudo-rsVerify Fix Applied:
Verify sudo-rs version is 0.2.10 or later: sudo --version | grep 'sudo-rs 0.2.1[0-9]'📡 Detection & Monitoring
Log Indicators:
- Multiple sudo authentications from same user for different target accounts within timestamp window
- Sudo usage without password prompts when targetpw/rootpw is configured
Network Indicators:
- None - this is a local authentication bypass
SIEM Query:
source="sudo.log" AND ("authentication failure" OR "incorrect password attempts") | stats count by user, target_user