Cannot reproduce sudo vulnerability (CVE-2019-14287)

I’ve tried to reproduce CVE-2019-14287 according to the official announcement, but it does not work in Fedora (with the unfixed old version < 1.8.28, of course):

$ sudo -V                
Sudo version 1.8.27
Sudoers policy plugin version 1.8.27
Sudoers file grammar version 46
Sudoers I/O plugin version 1.8.27

$ sudo -u#-1 id -u       
[sudo] password for rugk:

I am quite curious why this does not work… :smiley:

Does anyone have an explanation? Is there an additional security feature, or why does this happen?

Ah sorry, actually read it now:

Sudo supports running a command with a user-specified user name or user ID, if permitted by the sudoers policy. For example, the following sudoers entry allows the id command to be run as any user because it includes the ALL keyword in the Runas specifier.

   alice myhost = (ALL) /usr/bin/id

So actually, this is by default not set in Workstation of course. :smile:
So this does not apply. :smiley:
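The Runas specifier is the whole story here, so a quick way to check a host is to audit which sudoers rules actually grant a Runas list that CVE-2019-14287 can act on, together with the `sudo -V` version. The script below is an added example written for this thread, not code from the sudo project or from either poster. It only handles the plain single-line rule form `user host = (runas) command` (no alias resolution, no `\` line continuations), and the sudoers lines it embeds are a constructed sample apart from the `alice` rule quoted above. The classification it uses is the fact the advisory states: a Runas list containing `ALL` with a `!user` exclusion is the pattern the bug bypasses on sudo older than 1.8.28, while a bare `(ALL)` rule already permits root by design, which is why `-u#-1` gains nothing on a default Fedora Workstation install.

```python
import re

# Constructed sample sudoers content. Only the alice line comes from the advisory
# quoted in the thread; the other rules are hypothetical.
SAMPLE_SUDOERS = """\
Defaults env_reset
root    ALL=(ALL) ALL
%wheel  ALL=(ALL) ALL
alice   myhost = (ALL) /usr/bin/id
bob     ALL = (ALL, !root) /usr/bin/vim
carol   ALL = (www-data) /usr/bin/systemctl restart nginx
dave    ALL = (ALL:ALL) NOPASSWD: /usr/bin/less
"""

# First lines of `sudo -V` as pasted in the thread.
SAMPLE_SUDO_V = "Sudo version 1.8.27\nSudoers policy plugin version 1.8.27\n"

# First release that fixed CVE-2019-14287.
FIXED_VERSION = (1, 8, 28)

# Simple single-line rule: user host = (runas_users[:runas_groups]) [tags:] commands
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*(?P<cmd>.*)$"
)
# Lines that are not user specifications and must not be parsed as rules.
NON_RULE_PREFIXES = ("Defaults", "User_Alias", "Runas_Alias", "Host_Alias",
                     "Cmnd_Alias", "#", "@include")


def parse_sudo_version(text):
    """Extract (major, minor, patch) from `sudo -V` output, or None if absent."""
    m = re.search(r"Sudo version (\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(x) for x in m.groups()) if m else None


def classify_runas(runas):
    """Classify the user part of a Runas_Spec (text inside the parentheses).

    'default'    no Runas_Spec: the command runs only as the default target user
    'all'        ALL with no exclusions: any user, root included, by design
    'all-except' ALL plus a !user exclusion: the pattern CVE-2019-14287 bypasses,
                 because sudo < 1.8.28 mapped uid -1 / 4294967295 to uid 0
    'limited'    an explicit list of non-ALL users
    """
    if runas is None:
        return "default"
    users = [u.strip() for u in runas.split(":", 1)[0].split(",")]
    has_all = "ALL" in users
    has_negation = any(u.startswith("!") for u in users)
    if has_all and has_negation:
        return "all-except"
    if has_all:
        return "all"
    return "limited"


def audit(sudoers_text, sudo_v_output):
    """Return one finding per rule, flagging those CVE-2019-14287 applies to."""
    version = parse_sudo_version(sudo_v_output)
    unpatched = version is not None and version < FIXED_VERSION
    findings = []
    for line in sudoers_text.splitlines():
        line = line.strip()
        if not line or line.startswith(NON_RULE_PREFIXES):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        kind = classify_runas(m.group("runas"))
        findings.append({
            "user": m.group("user"),
            "host": m.group("host"),
            "runas": m.group("runas"),
            "kind": kind,
            # Only ALL-with-exclusion rules on an unpatched sudo are affected.
            "cve_2019_14287": kind == "all-except" and unpatched,
        })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_SUDOERS, SAMPLE_SUDO_V):
        flag = "AFFECTED" if f["cve_2019_14287"] else "ok"
        print(f"{f['user']:8} runas=({f['runas']}) kind={f['kind']:10} {flag}")
```

Against the sample, only `bob`'s `(ALL, !root)` rule is reported as affected on 1.8.27; the `(ALL)` rules for `root`, `%wheel`, `alice` and `dave` are classified as already granting root, and a `limited` rule such as `carol`'s is unaffected regardless of version. Feeding it `Sudo version 1.8.28` clears the flag on `bob` as well.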

You’re only vulnerable if you use stupid sudo rules.

If you allowed someone to sudo as any user but root, then most likely they could just sudo to a user who could sudo to root anyway.

Anyway, whatever the media needs to get clicks :slight_smile:
