Warning: Critical privilege escalation vulnerability in sudo, Patch Immediately!

Published: 01/07/2025

 

    * Last update:  01/07/2025
   
    * Affected software: sudo 1.9.14 through 1.9.17 (inclusive); fixed in sudo 1.9.17p1
 
    * Type: Inclusion of Functionality from Untrusted Control Sphere (CWE-829)
 
    * CVE/CVSS
        → CVE-2025-32463: CVSS 9.3 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

 

Sources

 
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-32463
 

Risks

Sudo is a tool on Linux and other Unix-like systems that lets a user listed in the sudoers file run commands with root privileges after authenticating with their own password. By exploiting CVE-2025-32463, a local attacker can abuse sudo's -R (--chroot) option to run arbitrary commands as root even when they have no entry in the sudoers file at all: a user who is not permitted to use sudo obtains root, which is a local privilege escalation. Running commands as root has a high impact on confidentiality, integrity and availability (the whole CIA triad).
 

Description

Sudo's -R (--chroot) option is intended to let a user run a command with a user-selected root directory, if the sudoers file allows it. A change made in sudo 1.9.14 causes paths to be resolved via chroot() into the user-specified root directory while the sudoers file is still being evaluated, before any policy decision has been made. Because name-service lookups performed during that evaluation read /etc/nsswitch.conf relative to the attacker-controlled root, an attacker can create an /etc/nsswitch.conf file under that directory that tricks sudo into loading an arbitrary shared library; since sudo is setuid root, that library's code runs as root. No sudoers rule for the user or for the chroot option is required.
The sudo developers have marked the chroot feature as deprecated and stated that it will be removed entirely in a future sudo release.

 

Recommended Actions

 
Patch 
 
The Centre for Cybersecurity Belgium (CCB) strongly recommends installing updates for vulnerable systems with the highest priority, after thorough testing. The upstream fix is in sudo 1.9.17p1; Linux distributions commonly backport the fix into their existing package version, so consult your distribution's advisory for the fixed package version rather than relying on the upstream version number alone.
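A quick way to check whether an installed sudo reports a version in the affected range, as an added example (not code from the CCB advisory or the sudo project). It parses sudo's "major.minor.patch" plus optional "pN" patch-level scheme so that 1.9.17 is flagged while 1.9.17p1 is not; the `sudo -V` first-line format "Sudo version X" is the only assumption beyond the affected range stated above.

```shell
#!/bin/sh
# Added example, not code from the CCB advisory or the sudo project:
# decide whether a sudo version string lies in the affected range
# 1.9.14 .. 1.9.17 (fixed upstream in 1.9.17p1) and apply that to `sudo -V`.

# Print "major minor patch plevel" for a version such as 1.9.17p1 (plevel 0 if absent).
sudo_version_parts() {
    v=$1
    p=0
    case "$v" in
        *p*) p=${v##*p}; v=${v%p*} ;;
    esac
    set -- $(printf '%s\n' "$v" | tr '.' ' ')
    printf '%s %s %s %s\n' "${1:-0}" "${2:-0}" "${3:-0}" "${p:-0}"
}

# Exit 0 when the version is affected, 1 otherwise.
sudo_version_affected() {
    set -- $(sudo_version_parts "$1")
    major=$1 minor=$2 patch=$3 plevel=$4
    # Only the 1.9 series is affected.
    if [ "$major" -ne 1 ] || [ "$minor" -ne 9 ]; then return 1; fi
    if [ "$patch" -lt 14 ]; then return 1; fi
    if [ "$patch" -lt 17 ]; then return 0; fi        # 1.9.14 .. 1.9.16pN
    # 1.9.17 itself is affected; 1.9.17p1 and later carry the fix.
    if [ "$patch" -eq 17 ] && [ "$plevel" -eq 0 ]; then return 0; fi
    return 1
}

# Extract the version from `sudo -V` output, whose first line reads "Sudo version X"
# (assumed output format; prints nothing if the line does not match).
sudo_version_from_output() {
    printf '%s\n' "$1" | sed -n '1s/^Sudo version \([0-9][0-9.]*p\{0,1\}[0-9]*\).*/\1/p'
}

# Check the sudo installed on this host (skipped silently when sudo is absent).
if command -v sudo >/dev/null 2>&1; then
    installed=$(sudo_version_from_output "$(sudo -V 2>/dev/null)")
    if sudo_version_affected "$installed"; then
        echo "sudo ${installed}: upstream version in the affected range; verify that 1.9.17p1 or a vendor backport is installed"
    else
        echo "sudo ${installed:-unknown}: upstream version not in the affected range"
    fi
fi
```

A "not affected" result from this check is only meaningful for sudo built from upstream sources; a distribution package may report 1.9.15 and still be patched, or report 1.9.17 and not yet be, so the package changelog or vendor advisory is the authoritative source.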
  
Monitor/Detect 
  
The CCB recommends that organizations scale up monitoring and detection capabilities to identify related suspicious activity, ensuring a swift response in case of an intrusion. For this issue that means, in particular, watching for invocations of sudo with the -R/--chroot option, especially by users who have no sudoers entry and no legitimate reason to use it.
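The following is an added example of the kind of check such monitoring needs; it is not code from the CCB advisory or the sudo project. It scans auditd EXECVE records and sudo syslog lines (both constructed here, not real logs) for invocations of sudo with -R/--chroot, parsing sudo's option syntax so that an unrelated `rm -R` run through sudo is not flagged. The "CHROOT=" field name in sudo's syslog line is an assumption to verify against your own sudo's log output.

```shell
#!/bin/sh
# Added example, not code from the CCB advisory or the sudo project:
# flag sudo runs that use -R/--chroot in auditd EXECVE records and sudo syslog lines.

# Read log lines on stdin, print those recording a sudo run with -R/--chroot.
find_sudo_chroot_use() {
    awk '
    # Return 1 when an auditd EXECVE record is a sudo run with -R/--chroot.
    function is_sudo_chroot(line,    argv, n, i, j, tok, opt) {
        n = 0
        while (match(line, /a[0-9]+="[^"]*"/)) {        # collect aN="..." in order
            tok = substr(line, RSTART, RLENGTH)
            line = substr(line, RSTART + RLENGTH)
            sub(/^a[0-9]+="/, "", tok); sub(/"$/, "", tok)
            argv[n++] = tok
        }
        if (n == 0 || argv[0] !~ /(^|\/)sudo$/) return 0
        for (i = 1; i < n; i++) {
            tok = argv[i]
            if (tok == "--") return 0                      # end of sudo options
            if (tok ~ /^--chroot/) return 1                 # --chroot DIR or --chroot=DIR
            if (tok ~ /^--/) {                              # other long option
                # a long option that takes a separate value consumes the next token
                if (tok !~ /=/ && tok ~ /^--(user|group|prompt|chdir|role|type|close-from|command-timeout|other-user)$/) i++
                continue
            }
            if (tok ~ /^-./) {                              # short option cluster
                for (j = 2; j <= length(tok); j++) {
                    opt = substr(tok, j, 1)
                    if (opt == "R") return 1                # -R DIR, -RDIR, -nR DIR ...
                    if (index("CDgprTtUu", opt)) {          # option that takes a value:
                        if (j == length(tok)) i++           # rest of cluster or next token
                        break
                    }
                }
                continue
            }
            return 0                                        # first non-option = the command
        }
        return 0
    }
    /type=EXECVE/ { if (is_sudo_chroot($0)) print; next }
    # sudo syslog lines carry a CHROOT= field when -R was used (assumed field name)
    /sudo(\[[0-9]+\])?:/ && /CHROOT=/ { print }
    '
}

# Number of flagged lines in a block of log text.
count_sudo_chroot_use() {
    printf '%s\n' "$1" | find_sudo_chroot_use | wc -l | tr -d ' '
}

# Sample input, constructed for this example (not real system logs).
SAMPLE_LOG='type=EXECVE msg=audit(1751275200.101:301): argc=4 a0="sudo" a1="-R" a2="/tmp/fakeroot" a3="/bin/bash"
type=EXECVE msg=audit(1751275200.102:302): argc=3 a0="sudo" a1="--chroot=/tmp/fakeroot" a2="id"
type=EXECVE msg=audit(1751275200.103:303): argc=4 a0="sudo" a1="rm" a2="-R" a3="/var/tmp/build"
type=EXECVE msg=audit(1751275200.104:304): argc=6 a0="/usr/bin/sudo" a1="-u" a2="root" a3="-nR" a4="/tmp/fakeroot" a5="id"
type=EXECVE msg=audit(1751275200.105:305): argc=2 a0="sudo" a1="-l"
Jun 30 12:00:01 host sudo[4242]:    alice : command not allowed ; TTY=pts/0 ; CHROOT=/tmp/fakeroot ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/id
Jun 30 12:00:02 host sudo[4243]:     root : TTY=pts/1 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/apt upgrade'

printf '%s\n' "$SAMPLE_LOG" | find_sudo_chroot_use
```

On a live host, feed `find_sudo_chroot_use` the output of `ausearch --raw -sc execve` (which needs an execve audit rule in place) or the authentication log. Arguments that auditd hex-encodes (those containing spaces or non-printable bytes) are not decoded here and are simply skipped, so treat this as a first filter, not a complete parser.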
  
In case of an intrusion, you can report an incident via https://ccb.belgium.be/cert/report-incident
 
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.
 
 

References

 
Sudo project advisory: https://www.sudo.ws/security/advisories/chroot_bug/
Stratascale: https://www.stratascale.com/vulnerability-alert-CVE-2025-32463-sudo-chroot
Openwall: https://www.openwall.com/lists/oss-security/2025/06/30/3