How a 12-year-old bug in Sudo is still haunting Linux users

Two new vulnerabilities have been found in Sudo, a privileged command-line tool installed on Linux systems, that can allow privilege escalation and unintended command execution on affected Ubuntu and Debian systems.

According to Stratascale research, the command-line tool has two local privilege escalation vulnerabilities, affecting the Sudo “host” and Sudo “chroot” features. One of the two went unnoticed for over 12 years.

“Permissions control, specifically maintaining positive control of privilege escalation, is critical to security operations,” said Trey Ford, chief information security officer at Bugcrowd. “When Sudo needs patched, you put down your sandwich and get that prioritized ASAP.”

Despite similar impact, the two vulnerabilities have received different severity ratings, reflecting how easily each can be exploited. Ford thinks the scoring variance makes sense, as a “very narrow configuration scenario” lies behind the low-rated one.

The chroot option hands anyone root privileges

One of the vulnerabilities, tracked as CVE-2025-32463, allows any user — even those not listed in sudoers — to gain root privileges by abusing the Chroot mechanism. The Chroot feature in Sudo was introduced in version 1.9.14 (released in August 2023) to help admins limit the runtime environment of a command by changing the root directory for the command to a specified path.

By placing a crafted version of the system configuration file “/etc/nsswitch.conf” into a user-writable chroot directory, an attacker can trick Sudo into loading a shared library from that directory with malicious code in it.

The vulnerability, with a critical CVSS rating of 9.3 out of 10, affects Sudo versions 1.9.14 through 1.9.17, and Stratascale researchers said they verified exploitation on Ubuntu 24.04.1 and Fedora 41 Server.

“CVE-2025-32463 involves a local privilege escalation vector that doesn’t require the user to be in the sudoers file,” said Marc England, security consultant at Black Duck. “My only question would be, when it comes to elements such as infrastructure, how many of them are using Ubuntu 24.04? A lot of the time, with Ubuntu 22.04 LTS having support through to 2027, it would be far more common in most environments as there isn’t always a rush to update to a new OS since the current one is still stable and supported.”

England thinks many admins could be in the clear, as he believes most are running Sudo version 1.9.9, which he considers non-vulnerable and which is the latest package available for Ubuntu 22.04.

Sudo is trusting the wrong host

CVE-2025-32462, which remained unnoticed for over 12 years, requires a specific but common configuration: restricting Sudo rules to certain hostnames or hostname patterns.

According to the researchers, the sudoers file uses a flexible syntax to suit any organization size, allowing a single configuration to work across Linux and UNIX systems by scoping rules to specific users, groups, and hosts.

England agrees with the vulnerability’s lower severity score, CVSS 2.8 out of 10. “Successful execution would require someone to make a misconfiguration and deploy a sudoers file with an incorrect host for this vulnerability to work,” he said. “The error has to happen elsewhere to meet these conditions.”

Stable Sudo versions 1.9.0 through 1.9.17 are affected, along with the legacy versions 1.8.8 through 1.8.32. The flaw was introduced in Sudo version 1.8.8, released in September 2013, and persisted in every subsequent release.

Both flaws have been fixed in Sudo version 1.9.17p1. The Sudo advisories addressing the issues credited Rich Mirch from the Stratascale Cyber Research Unit (CRU) with the discoveries and urged admins to patch their installations quickly.
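As an added example (not from the article, Stratascale, or the Sudo project), the POSIX shell script below does the two checks an admin would want after reading the version ranges above for both CVEs: it classifies a Sudo version string against the affected ranges the article reports, and it audits a sudoers file for the two features the flaws depend on, namely rules whose host field is not `ALL` (the host matching behind CVE-2025-32462) and `CHROOT=` tags or `runchroot` defaults (the chroot feature behind CVE-2025-32463). The sample sudoers content is constructed for the demonstration, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not the Sudo project's code. Affected ranges as reported in the article:
#   CVE-2025-32463 (chroot): 1.9.14 through 1.9.17
#   CVE-2025-32462 (host):   1.9.0 through 1.9.17 and 1.8.8 through 1.8.32
#   both fixed in 1.9.17p1
# Version strings are assumed to look like X.Y.Z or X.Y.ZpN, as printed by `sudo --version`.

# Turn "1.9.17p1" into a sortable integer: 1 009 017 01 -> 100901701 (no pN suffix counts as p0).
sudo_version_key() {
    printf '%s\n' "$1" | awk -F'[.p]' '{
        patch = (NF >= 4) ? $4 : 0
        printf "%d%03d%03d%02d\n", $1, $2, $3, patch
    }'
}

# in_range VERSION LOW HIGH -> succeeds when LOW <= VERSION <= HIGH (inclusive, as the article states them)
in_range() {
    _k=$(sudo_version_key "$1"); _lo=$(sudo_version_key "$2"); _hi=$(sudo_version_key "$3")
    [ "$_k" -ge "$_lo" ] && [ "$_k" -le "$_hi" ]
}

# Print the CVE identifiers a given Sudo version is exposed to, one per line (nothing if none).
sudo_exposure() {
    ver="$1"
    if in_range "$ver" 1.9.14 1.9.17; then echo CVE-2025-32463; fi
    if in_range "$ver" 1.9.0 1.9.17 || in_range "$ver" 1.8.8 1.8.32; then echo CVE-2025-32462; fi
    return 0
}

# Read the upstream version from the installed binary; "Sudo version 1.9.15p5" -> "1.9.15p5".
installed_sudo_version() {
    sudo --version 2>/dev/null | awk 'NR == 1 { print $3 }'
}

# Audit a sudoers file: prints "chroot: <line>" for CHROOT=/runchroot use and
# "host: <line>" for user specs whose host field is anything other than ALL.
# Alias definitions and Defaults lines are skipped for the host check; a rule that
# uses a Host_Alias (e.g. "carol WEB = ALL") is still flagged because WEB != ALL.
audit_sudoers() {
    grep -v -E '^[[:space:]]*(#|$)' "$1" | while IFS= read -r line; do
        case "$line" in
            *CHROOT=*|*runchroot*) echo "chroot: $line" ;;
        esac
        case "$line" in
            Defaults*|*_Alias*) ;;
            *=*)
                # user spec layout: <who> <host> = (<runas>) <commands>
                host=$(printf '%s\n' "$line" | sed -E 's/^[^[:space:]]+[[:space:]]+([^=[:space:]]+)[[:space:]]*=.*/\1/')
                [ "$host" != "ALL" ] && [ "$host" != "$line" ] && echo "host: $line" ;;
        esac
    done
    return 0
}

# Constructed sample sudoers for the demonstration (not a real or recommended configuration).
SAMPLE_SUDOERS=$(mktemp)
trap 'rm -f "$SAMPLE_SUDOERS"' EXIT
cat > "$SAMPLE_SUDOERS" <<'EOF'
# constructed sample
Defaults env_reset
Host_Alias WEB = webhost01, webhost02
Cmnd_Alias SVC = /usr/bin/systemctl
alice ALL=(ALL) ALL
%admin ALL = (ALL) ALL
bob webhost01 = (root) SVC
carol WEB = ALL
dave ALL = (root) CHROOT=/srv/jail /bin/bash
EOF

# Stand-alone run: report on the sample file and on a few version strings.
audit_sudoers "$SAMPLE_SUDOERS"
for v in 1.8.7 1.8.32 1.9.9 1.9.15 1.9.17p1; do
    printf '%s: %s\n' "$v" "$(sudo_exposure "$v" | tr '\n' ' ')"
done
```

On a real host, replace the sample with `audit_sudoers /etc/sudoers` (plus each file under `/etc/sudoers.d`) and feed `installed_sudo_version` into `sudo_exposure`; a version inside a range is only actually exposed to CVE-2025-32462 if the audit also turns up host-restricted rules, whereas CVE-2025-32463 needs no such configuration, which is why the script reports both independently.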

“Organizations should treat remediation of the issue as a priority despite the seemingly low vulnerability severity score and investigate their configurations for use of the vulnerable options and versions, doubly so due to the presence of the other vulnerability which does not have such configuration-based requirements for exploitation,” said Ben Hutchison, associate principal consultant at Black Duck.
