On 14 October 2019 a new vulnerability was announced in sudo that would allow a malicious user with sudo access to bypass security and run as root, effectively owning your systems.
If you have sudo you can run the following commands to escalate yourself to root.
sudo -u#-1 id -u
sudo -u#4294967295 id -u
At Puppet, our security team found and fixed this sudo vulnerability on all our systems instantly using the recently-launched Puppet Remediate. Here’s how you can too:
Find it (CVE-2019-14287, sudo vulnerability)
First of all, you need to find which systems contain vulnerable versions of sudo below 1.8.28. In Puppet Remediate this is a single command:
- Open Run Tasks
- Run the following shell command: sudo -V | grep "^Sudo version"
- Select all your nodes
- Run the command and view the output to find any system running sudo below version 1.8.28
Fix it (CVE-2019-14287, sudo vulnerability)
- On the boxes you found to be potentially vulnerable, run the following task.
- Select Run Task > Manage Package > Upgrade > sudo
- Select one node, or all affected nodes, and Run the Task.
- Verify the fix. Check Sudo was upgraded to the version you expected, should be 1.8.28 or above or the fixed version on your OS (1.8.19p1-2.1+deb9u1 on debian stretch release https://security-tracker.debian.org/tracker/CVE-2019-14287)
Don’t have Puppet Remediate? Here’s how to do it manually or with Bolt
We want to help the community even if you don’t have Puppet Remediate, so here’s the commands to fix this sudo vulnerability manually, or using use our open source tool Bolt.
Run this command against your Linux boxes:
sudo -V | grep "^Sudo version"
List all the boxes that have versions below 1.8.28 (or corresponding fix version for your OS). Then upgrade the potentially vulnerable ones by running either apt-get or yum
apt-get upgrade sudo
You will need to run this against each vulnerable box, or write a script to perform all the updates.
We are always happy to chat security in the Puppet Community Slack.
Want to try Puppet Remediate out?
Puppet is encouraging everyone to join the community around Puppet Remediate. You can find out more about Puppet Remediate here.
Jonathan Stewart is a principal product manager at Puppet.