sudoedit (`sudo -e`) security flaw (CVE-2023-22809)

nabbisen - Jan 19 '23 - - Dev Community

Security vulnerability

A new sudo vulnerability was found. It was on sudoedit (sudo -e) flaw. With it, attackers can edit arbitrary files, and therefore machines were at the risk of the pwned and having information steeled.

CVE

CVE-2023-22809

Impact

(with appreciation to @jmau111's comments)

The official website statements:

If no users have been granted access to sudoedit there is no impact.

It is the case, for example, that /etc/sudoers (or the target visudo uses) has such a line:

someuser ALL=(root) sudoedit /etc/some.conf
Enter fullscreen mode Exit fullscreen mode

someuser can edit another file by exploiting the flaw.

Solution

If sudo is 1.8 or greater, it is recommended to update it to the latest version (1.9.12p2) released today, on 2023-01-19.

Temporary workaround

In case that you can't update it right now,

the official website describes there is a way to mitigate it by adding the line below to sudoers:

Defaults!sudoedit    env_delete+="SUDO_EDITOR VISUAL EDITOR"
Enter fullscreen mode Exit fullscreen mode

Reference

This post is based on the tweets by my company

Image
Testing and Debugging Rust Code
Image
Buy Verified TransferWise Accounts

devops, productivity, opensource, aws
Image
Buy Verified Paxful Account

tutorial, react, python, ai
Image
Lipo Battery
Image
Mastering Java's rotateRight() Method

labex, java, coding, programming
Image
THANK YOU VERY MUCH
Image
React Coding Challenge - City/Product Sales Browser using React

javascript, react, webdev
Image
Como hacer bypass al SSL Pinning en Android con Frida y Objection en Windows 10🔓

android, frida, sslpinning, windows
Image
Just Started
Image
May the blessings of the good and merciful lord remain upon us in the name of Jesus, Amen
Image
Good morning messages html css js

codepen, webdev, javascript, react
Image
Why I got a Master's Degree for AI / ML

datascience, career, education, college
Image
Buy verified cash app account

webdev, javascript, beginners, programming
Image
Next JS Form Validation Zod Example - NextJS Tutorial

nextjs, webdev, javascript, programming
Image
Minitest Rails Assertions (table)

ruby, rails, testing, softwaredevelopment
Image
The Use of the ** Operator with Python and FastAPI Pydantic Classes

python, fastapi, softwaredevelopment, webdev
Image
AWS Network Firewall: A Simple Lab Setup Guide - ClickOps

networking, community, aws, security
Image
HIRE FOLKWIN EXPERT RECOVERY TO GET BACK LOST,HACKED,OR STOLEN CRYPT0/USDT URGENTLY ..
Image
How to Choose the Best Shower Door for Small Bathrooms
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Terabox Video Player