The flaws
Cybersecurity researchers recently disclosed two security flaws in the Sudo command-line utility for Linux and Unix-like operating systems. These flaws could allow local attackers to escalate their privileges to root on vulnerable machines.
A brief description of the vulnerabilities follows:
- CVE-2025-32462 (CVSS score: 2.8) – Sudo versions prior to 1.9.17p1, when configured with a sudoers file that specifies a host that is neither the current host nor ALL, allow listed users to execute commands on unintended machines.
- CVE-2025-32463 (CVSS score: 9.3) – Sudo versions before 1.9.17p1 allow local users to gain root access by using a user-controlled directory containing the “/etc/nsswitch.conf” file in combination with the --chroot option.
Sudo, as a command-line tool, enables low-privileged users to run commands as another user, such as the superuser. By using sudo to execute commands, system administrators aim to enforce the principle of least privilege, allowing users to perform administrative tasks without requiring full elevated permissions.
How it works
Administrators configure Sudo through the ‘/etc/sudoers’ file, which defines who can run what commands as which users on which machines and may also specify conditions such as whether a user must enter a password for certain commands.
Stratascale researcher Rich Mirch, who discovered and reported the flaws, noted that CVE-2025-32462 had remained unnoticed for over 12 years. This vulnerability stems from Sudo’s “-h” (host) option, which enables listing a user’s sudo privileges for a different host. Sudo introduced this feature in September 2013.
However, due to the identified flaw, users could execute any command permitted on the remote host locally, simply by using the host option in the Sudo command with a reference to an unrelated remote host.
According to Sudo project maintainer Todd C. Miller, “This primarily affects sites that use a common sudoers file distributed to multiple machines. Sites that use LDAP-based sudoers (including SSSD) face similar impacts.”
Meanwhile, CVE-2025-32463 exploits Sudo’s ‘-R’ (chroot) option to let attackers run arbitrary commands as root, even when the sudoers file does not list those commands. This flaw carries a critical severity rating.
Mirch explained, “The default Sudo configuration remains vulnerable. Although the vulnerability involves the Sudo chroot feature, it does not require any Sudo rules to be defined for the user. Consequently, any local unprivileged user could potentially escalate privileges to root if a vulnerable version exists on the system.”
In practical terms, this flaw allows an attacker to deceive Sudo into loading a malicious shared library by placing an “/etc/nsswitch.conf” configuration file inside a user-controlled root directory. The attacker could then execute harmful commands with root privileges.
Miller stated that a future Sudo release will completely remove the chroot option, emphasizing that supporting a user-specified root directory introduces too many risks.
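The two checks an administrator would want after reading the description above are: is the installed Sudo older than the fixed release 1.9.17p1, and does the sudoers file rely on the features the flaws sit in, namely host fields other than ALL or the local host (the shared-sudoers setup Miller mentions for CVE-2025-32462) and the chroot option (CVE-2025-32463). The shell script below is an added example, not code from the article or from the Sudo project. The version comparison and the 1.9.17p1 cutoff come from the article; the sudoers content is constructed for the demonstration, the local host name "db01" is assumed, and sudoers aliases are not resolved, so a host alias is flagged conservatively.

```shell
#!/bin/sh
# Added example (not from the article or the Sudo project): defender-side
# checks for the two Sudo issues discussed above.
#   1. Does the Sudo version predate the fixed release 1.9.17p1?
#   2. Does a sudoers file use host fields other than ALL / the local host
#      (CVE-2025-32462 exposure) or the chroot feature (CVE-2025-32463)?

# sudo_version_lt_fixed VERSION
# Returns 0 (true) when VERSION, e.g. "1.9.16p2", predates 1.9.17p1.
sudo_version_lt_fixed() {
    v="$1"
    case "$v" in
        *p*) plevel="${v##*p}"; base="${v%p*}" ;;   # "1.9.16p2" -> 2, "1.9.16"
        *)   plevel=0;          base="$v" ;;        # no patch level suffix
    esac
    IFS=.; set -- $base; unset IFS                  # split major.minor.patch
    maj="${1:-0}"; min="${2:-0}"; pat="${3:-0}"
    # Compare field by field against the fixed release 1.9.17p1.
    for pair in "$maj:1" "$min:9" "$pat:17" "$plevel:1"; do
        have="${pair%%:*}"; want="${pair##*:}"
        [ "$have" -lt "$want" ] && return 0
        [ "$have" -gt "$want" ] && return 1
    done
    return 1   # exactly 1.9.17p1
}

# sudo_installed_version
# Prints the bare version number from the first line of `sudo --version`
# ("Sudo version 1.9.17p1 ..."), or returns 1 if sudo is not installed.
sudo_installed_version() {
    command -v sudo >/dev/null 2>&1 || return 1
    sudo --version 2>/dev/null | sed -n 's/^Sudo version \([0-9.p]*\).*/\1/p'
}

# audit_sudoers_text LOCAL_HOST   (sudoers text on stdin)
# Prints one finding per line; returns 0 if anything was flagged, 1 otherwise.
# Only user specifications and Defaults lines are inspected; aliases are not
# expanded, so an alias in the host field is reported as non-local.
audit_sudoers_text() {
    local_host="$1"
    found=1
    while IFS= read -r line; do
        case "$line" in
            ''|'#'*|'@include'*) continue ;;        # blank, comment, include
        esac
        case "$line" in
            *CHROOT=*|*runchroot=*)                 # chroot feature in use
                echo "chroot-option: $line"; found=0 ;;
        esac
        case "$line" in
            Defaults*|User_Alias*|Host_Alias*|Cmnd_Alias*|Runas_Alias*) continue ;;
        esac
        spec="${line%%=*}"           # "user host" precedes the first '='
        set -- $spec
        host="${2:-}"
        case "$host" in
            ''|ALL|"$local_host") ;;
            *) echo "non-local-host: $line"; found=0 ;;
        esac
    done
    return $found
}

# --- demonstration on constructed input ----------------------------------
# Constructed sample sudoers, not taken from any real system.
SAMPLE_SUDOERS='# constructed sample
Defaults    env_reset
Defaults    runchroot=/srv/jail
Host_Alias  WEB = web01, web02
alice       ALL=(ALL:ALL) ALL
%admins     web01 = (root) /usr/bin/systemctl
bob         ALL = (root) CHROOT=/srv/jail /bin/ls
carol       WEB = (root) /usr/sbin/service'

for ver in 1.8.31 1.9.16p2 1.9.17 1.9.17p1 1.9.18; do
    if sudo_version_lt_fixed "$ver"; then
        echo "$ver: predates 1.9.17p1, update"
    else
        echo "$ver: fixed"
    fi
done
# If sudo is installed on this machine, check its real version too.
v=$(sudo_installed_version) && sudo_version_lt_fixed "$v" && echo "installed sudo $v predates 1.9.17p1"
# Local host name assumed to be "db01" for the demonstration (four findings).
printf '%s\n' "$SAMPLE_SUDOERS" | audit_sudoers_text db01
```

On a real host the audit would be run as `audit_sudoers_text "$(hostname)" < /etc/sudoers` (reading the file normally requires root), repeated for each file under /etc/sudoers.d. It is a triage aid, not a replacement for updating: as the article notes, CVE-2025-32463 needs no sudoers rule for the user at all, so a clean audit only narrows the CVE-2025-32462 exposure, while the version check is what decides whether the system is patched.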
Conclusion
After responsibly disclosing the vulnerabilities on April 1, 2025, the researchers worked with developers to address them in Sudo version 1.9.17p1, released late last month. Various Linux distributions have since published security advisories, as Sudo comes preinstalled on many systems.
- CVE-2025-32462 – Affects AlmaLinux 8, AlmaLinux 9, Alpine Linux, Amazon Linux, Debian, Gentoo, Oracle Linux, Red Hat, SUSE, and Ubuntu
- CVE-2025-32463 – Affects Alpine Linux, Amazon Linux, Debian, Gentoo, Red Hat, SUSE, and Ubuntu
Therefore, users should apply the appropriate patches and ensure their Linux distributions are updated with the latest secure packages.
Source: TheHackerNews