
=====================================================================

                            CERT-Renater

                Note d'Information No. 2025/VULN408
_____________________________________________________________________

DATE                : 01/07/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache sudo version
                               prior to 1.9.17p1.

=====================================================================
https://www.sudo.ws/security/advisories/chroot_bug/
https://www.sudo.ws/security/advisories/host_any/
_____________________________________________________________________


Local Privilege Escalation via chroot option
Jun 30, 2025

An attacker can leverage sudo’s -R (--chroot) option to run arbitrary
commands as root, even if they are not listed in the sudoers file.

Sudo versions affected:

Sudo versions 1.9.14 to 1.9.17 inclusive are affected.


CVE ID:

This vulnerability has been assigned CVE-2025-32463 in the Common
Vulnerabilities and Exposures database.


Details:

Sudo’s -R (--chroot) option is intended to allow the user to run a
command with a user-selected root directory if the sudoers file
allows it. A change was made in sudo 1.9.14 to resolve paths via
chroot() using the user-specified root directory while the sudoers
file was still being evaluated. It is possible for an attacker to
trick sudo into loading an arbitrary shared library by creating
an /etc/nsswitch.conf file under the user-specified root directory.

The change from sudo 1.9.14 has been reverted in sudo 1.9.17p1 and
the chroot feature has been marked as deprecated. It will be
removed entirely in a future sudo release. Because of the way sudo
resolves commands, supporting a user-specified chroot directory is
error-prone and this feature does not appear to be widely used.

A more detailed description of the bug and its effects can be
found in the Stratascale advisory.


Impact:

On systems that support /etc/nsswitch.conf a user may be able to
run arbitrary commands as root.


Fix:

The bug is fixed in sudo 1.9.17p1.


Credit:

Thanks to Rich Mirch from Stratascale Cyber Research Unit (CRU)
for reporting and analyzing the bug. His advisory may be found
at
https://www.stratascale.com/vulnerability-alert-CVE-2025-32463-sudo-chroot.

_____________________________________________________________________


Local Privilege Escalation via host option
Jun 30, 2025

Sudo’s host (-h or --host) option is intended to be used in
conjunction with the list option (-l or --list) to list a user’s sudo
privileges on a host other than the current one. However, due to a
bug it was not restricted to listing privileges and could be used
when running a command via sudo or editing a file with sudoedit.
Depending on the rules present in the sudoers file this could allow
a local privilege escalation attack.

Sudo versions affected:

Sudo versions 1.8.8 to 1.9.17 inclusive are affected.


CVE ID:

This vulnerability has been assigned CVE-2025-32462 in the Common
Vulnerabilities and Exposures database.


Details:

The intent of sudo’s -h (--host) option is to make it possible to
list a user’s sudo privileges for a host other than the current
one. It was only intended to be used in conjunction with
the -l (--list) option.

The bug effectively makes the hostname portion of a sudoers rule
irrelevant since the user can set the host to be used when
evaluating the rules themselves. A user must still be listed in
the sudoers file, but they do not need to have an entry for
the current host.

For example, given the sudoers rule:

alice cerebus = ALL

user alice would be able to run sudo -h cerebus id on any host,
not just cerebus. For example:

alice@hades$ sudo -l

Sorry, user alice may not run sudo on hades.

alice@hades$ sudo -l -h cerebus
User alice may run the following commands on cerebus:
    (root) ALL

alice@hades$ sudo -h cerebus id
uid=0(root) gid=0(root) groups=0(root)

Impact:

Sudoers files that include rules where the host field is not
the current host or ALL are affected. This primarily affects
sites that use a common sudoers file that is distributed to
multiple machines. Sites that use LDAP-based sudoers (including
SSSD) are similarly impacted.

For example, a sudoers rule such as:

bob ALL = ALL

is not affected since the host ALL already matches any host,
but a rule like:

alice cerebus = ALL

could allow user alice to run any command even if the current
host is not cerebus.

Fix:

The bug is fixed in sudo 1.9.17p1.


Credit:

Thanks to Rich Mirch from Stratascale Cyber Research Unit
(CRU) for reporting and analyzing the bug. His advisory may
be found at
https://www.stratascale.com/vulnerability-alert-CVE-2025-32462-sudo-host.


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
