Cannot reproduce sudo vulnerability (CVE-2019-14287)

rugk · October 15, 2019, 6:17pm

I’ve tried to reproduce CVE-2019-14287 according to the official announcement, but it does not work in Fedora (with the unfixed old version < 1.8.28, of course):

$ sudo -V                
Sudo version 1.8.27
Sudoers policy plugin version 1.8.27
Sudoers file grammar version 46
Sudoers I/O plugin version 1.8.27

$ sudo -u#-1 id -u       
[sudo] password for rugk:

I am quite curious why this does not work…

Anyone has an explanation? Is there an additional security feature or why does this happen?

rugk · October 15, 2019, 6:18pm

Ah sorry, actually read it now:

Sudo supports running a command with a user-specified user name or user ID, if permitted by the sudoers policy. For example, the following sudoers entry allow the id command to be run as any user because it includes the ALL keyword in the Runas specifier.
   alice myhost = (ALL) /usr/bin/id

So actually, this is by default not set in Workstation of course.
So this does not apply.

pluto · October 15, 2019, 7:07pm

You’re only vulnerable if you use stupid sudo rules.

If you allowed someone to sudo as any user but root, then most likley they could just sudo to a user who could sudo to root anyway.

Anyway, whatever the media needs to get clicks

Topic		Replies	Views
My user with NOPASSWD: ALL in sudoers file but still getting prompted for password Ask Fedora	6	88	February 22, 2025
Issues with NOPASSWD in sudoers.d Ask Fedora sudo	1	87	November 10, 2024
Fedora 36: Change in sudo behaviour when running non-existent executable Ask Fedora f35 , f36	13	1263	April 28, 2022
Su or sudo don't work on fedora 28 Ask Fedora	18	6666	October 29, 2019
Running `sudo -n /any/thing` inside a Toolbx fails with 'sudo: a password is required' Ask Fedora problem	0	317	June 28, 2023

Cannot reproduce sudo vulnerability (CVE-2019-14287)

Related topics