
‘One of the most beautiful bugs I’ve seen’: Decade-old sudo bug grants Linux root access

Cyber warfare specialists serving with the 175th Cyberspace Operations Group, which provides forces to a national mission team belonging to the U.S. Cyber Command, participate in training. (U.S. Air Force J.M. Eddins Jr.)

Cybersecurity researchers and the U.S. Cyber Command are warning users about a decade-old buffer overflow bug in sudo that can grant root access to malicious users with low-level access to systems.

The vulnerability, discovered by Qualys and nicknamed "Baron Samedit," affects every version of Linux that Qualys has tested against. The glitch allows users, even those not on the sudoers list, to gain root access. It has been patched in the latest release of sudo.

"Any user – even the lowest of the low privileged – can access root," said Mehul Revankar, vice president of product management and engineering at Qualys.

Though other sudo vulnerabilities have been found in the past, it's rare that a bug affects any account, rather than accounts meeting specific conditions.

"We expect millions of systems to be affected," said Revankar.

The name is a play on Voodoo loa (and occasional James Bond villain) Baron Samedi and sudoedit. Samedi is the top-hatted master of the dead, preventing the buried from returning as zombies. Sudoedit allows users with lesser privileges to edit files.

U.S. Cyber Command and others have rushed to recommend Unix and Linux users update systems.

"We recommend applying patches as soon as available. This is a far more dangerous #Sudo vulnerability than seen in the rescent [sic] past," tweeted CYBERCOM midday Wednesday.

Revankar said the vulnerability likely stayed under the radar since being introduced in 2011 because it requires two vulnerabilities to operate, and people who found only one may not have seen the full picture.

"It's one of the most beautiful bugs I've seen," said Revankar. "And if it fell into the wrong hands, very bad things could happen."

Joe Uchill

Joe is a senior reporter at SC Weekly, focused on policy issues. He previously covered cybersecurity for Axios, The Hill and the Christian Science Monitor’s short-lived Passcode website.
