sudoedit (`sudo -e`) security flaw (CVE-2023-22809)

nabbisen - Jan 19 '23 - - Dev Community

Security vulnerability

A new sudo vulnerability was found. It was on sudoedit (sudo -e) flaw. With it, attackers can edit arbitrary files, and therefore machines were at the risk of the pwned and having information steeled.

CVE

CVE-2023-22809

Impact

(with appreciation to @jmau111's comments)

The official website statements:

If no users have been granted access to sudoedit there is no impact.

It is the case, for example, that /etc/sudoers (or the target visudo uses) has such a line:

someuser ALL=(root) sudoedit /etc/some.conf
Enter fullscreen mode Exit fullscreen mode

someuser can edit another file by exploiting the flaw.

Solution

If sudo is 1.8 or greater, it is recommended to update it to the latest version (1.9.12p2) released today, on 2023-01-19.

Temporary workaround

In case that you can't update it right now,

the official website describes there is a way to mitigate it by adding the line below to sudoers:

Defaults!sudoedit    env_delete+="SUDO_EDITOR VISUAL EDITOR"
Enter fullscreen mode Exit fullscreen mode

Reference

This post is based on the tweets by my company

Image
Mengetahui Tipe Mesin Judi Online yang Banyak Dipakai Dalam Permainan
Image
Deploying WordPress on Ubuntu VM with LAMP Stack: A Step-by-Step Guide

ubuntu, wordpress, linux
Image
rose black tea
Image
I Have Routing issue in Website in ERP

erp
Image
ROSE BLACK TEA
Image
VARDHAMAN TEA TRADING COMPANY
Image
Step-by-Step Guide: How to Perform a Self Thyroid Exam at Home

thyroid, treatment, couses
Image
API Mocking: Concept, Free Tool & Real-world Examples

mockapi, realapi, http, echoapi
Image
Effectively Onboarding Software Engineer Contractors: A Smooth Start

onboarding, softwareengineering
Image
Why Fajartoto is the Top Choice for Secure and Exciting Online Gaming and Betting

webdev, javascript, beginners, tutorial
Image
Berapakah Modal Sekurang-kurangnya buat Main Judi Online?
Image
A Step-by-Step Guide to Automating Smart Contract Upgrades with Deep Storage Data

smartcontract, upgradecontract, data
Image
6 Must-Have API Debugging Extensions for VSCode in September 2024

apidebug, restapi, vscode, postman
Image
belajar bermain slots online pada perjudian dalam jaringan untuk mendapatkan uang
Image
Why Opt for Revenue Cycle Management Software in Healthcare Financial Operations?

revenue, cycle, software, management
Image
30-Step Sure SEO Checklist to Make Your Next.js App Outrank Competitors

nextjs, seooptimzation, seochecklist, google
Image
CHAY
Image
Test
Image
Bacancy’s Data Science Solutions Propel National Bank’s Growth

datascience, dataengineering
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .