Sudo Privilege Escalation Vulnerability via Host Option

Vulnerability

A local privilege escalation vulnerability has been identified in Sudo versions prior to 1.9.17p1. This vulnerability arises when a sudoers file specifies a host that is neither the current host nor 'ALL'. In such cases, listed users can execute commands on unintended machines, effectively bypassing host-specific restrictions. The issue is particularly relevant for systems that share a common sudoers configuration across multiple computers or use network-based user directories, such as LDAP, to manage sudoers rules.

Impact

Exploitation of this vulnerability allows local users to escalate privileges to root, gaining full control over the affected system. In the affected configurations no separate exploit code is required, which makes the issue easy to leverage.

Reproduction

To reproduce this vulnerability, a user must be listed in the sudoers file with host-specific rules that do not include the current host or 'ALL'. Once this is established, the user can execute commands using 'sudo -h' followed by the name of a host that is granted privileges in the sudoers file, thereby bypassing the local restrictions and gaining root access on the current machine.

Remediation

Update Sudo to version 1.9.17p1 or later. For systems that manage sudoers rules through LDAP, it is also recommended to use a narrowly scoped search base in the SSSD configuration so that rules for unrelated hosts are never delivered to the local machine.
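The audit helper below is an added example, not code from this advisory or from the sudo project. It combines the two checks a defender wants from the sections above: whether the installed release predates 1.9.17p1, and whether the local copy of a shared sudoers file contains rules whose host list names a host other than ALL or the local machine (the precondition described in the Reproduction section). It assumes a simplified sudoers grammar (one rule per line as <user> <hosts> = [(<runas>)] <commands>, plus single-name Host_Alias lines), and the sudo version string is supplied by the caller, for instance from the output of 'sudo -V'. The sudoers text in it is a constructed sample.

```python
"""Audit helper for the sudo host-option issue (added example, not project code).

Assumptions: a simplified sudoers grammar (`<user> <hosts> = [(<runas>)] <commands>`,
plus `Host_Alias NAME = h1, h2` lines defining one alias each), and the sudo
version string passed in by the caller (e.g. taken from `sudo -V`).
"""
import re

# Release in which the advisory says the issue is fixed; anything older is treated as affected.
FIXED_VERSION = "1.9.17p1"

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:p(\d+))?$")
# Directives that are not user rules and must not be parsed as such.
_SKIP_PREFIXES = ("Defaults", "User_Alias", "Runas_Alias", "Cmnd_Alias", "Host_Alias")


def parse_sudo_version(text):
    """'1.9.17p1' -> (1, 9, 17, 1). A release without a 'pN' suffix gets patch
    level 0, so 1.9.17 sorts below 1.9.17p1 as sudo's numbering intends."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised sudo version string: %r" % text)
    return tuple(int(g or 0) for g in m.groups())


def is_vulnerable_version(text):
    """True when the installed release predates the fixed one."""
    return parse_sudo_version(text) < parse_sudo_version(FIXED_VERSION)


def _host_aliases(sudoers_text):
    """Collect Host_Alias definitions so rules written against an alias can be expanded."""
    aliases = {}
    for raw in sudoers_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("Host_Alias"):
            lhs, _, rhs = line[len("Host_Alias"):].partition("=")
            aliases[lhs.strip()] = [h.strip() for h in rhs.split(",") if h.strip()]
    return aliases


def find_foreign_host_rules(sudoers_text, local_host):
    """Return (line_no, user, foreign_hosts, rhs) for every rule whose host list
    names a host other than ALL or local_host. On an affected sudo such a rule is
    usable on this machine by the listed user, so it is the thing to remove or
    scope down."""
    aliases = _host_aliases(sudoers_text)
    findings = []
    for line_no, raw in enumerate(sudoers_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(_SKIP_PREFIXES):
            continue
        lhs, sep, rhs = line.partition("=")
        parts = lhs.split(None, 1)
        if not sep or len(parts) != 2:
            continue
        user, host_spec = parts
        hosts = []
        for token in (h.strip() for h in host_spec.split(",")):
            hosts.extend(aliases.get(token, [token]))
        foreign = sorted({h for h in hosts if h != "ALL" and h.lower() != local_host.lower()})
        if foreign:
            findings.append((line_no, user, foreign, rhs.strip()))
    return findings


def audit(sudoers_text, sudo_version, local_host):
    """Combine both checks: the host is exposed only if sudo is old AND such rules exist."""
    findings = find_foreign_host_rules(sudoers_text, local_host)
    old = is_vulnerable_version(sudo_version)
    return {
        "vulnerable_version": old,
        "foreign_host_rules": findings,
        "exposed": old and bool(findings),
    }


# Constructed sample of a sudoers file shared across several machines (not real data).
SAMPLE_SUDOERS = """\
Defaults env_reset
Host_Alias BUILD = build01, build02
alice   ALL = (ALL) ALL
bob     build01, build02 = (ALL) /usr/bin/make
carol   BUILD = (root) /usr/bin/systemctl restart ci
dave    web01 = (ALL) ALL
"""

if __name__ == "__main__":
    report = audit(SAMPLE_SUDOERS, "1.9.16", "build01")
    print("sudo version affected:", report["vulnerable_version"])
    for line_no, user, foreign, rhs in report["foreign_host_rules"]:
        print("line %d: rule for %s names non-local host(s) %s: %s"
              % (line_no, user, ",".join(foreign), rhs))
    print("host exposed:", report["exposed"])
```

Run against the sample on build01 with sudo 1.9.16 it reports the rules on lines 4, 5 and 6 (build02 via the explicit list, build02 via the BUILD alias, and web01) and marks the host as exposed; the same file on a host already running 1.9.17p1 still lists the rules for review but reports exposed as false. In a real deployment the local hostname would come from the system and the version from 'sudo -V'; the alias handling covers only the simple single-alias form, so files using several aliases on one line need manual review.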

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm

spread: 7.8
impact: 10.0
exploitability: 4.2
remediation: 7.9
relevance: 0.2
threat: 7.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.