Cyber Command, NSA warn to patch decade-old sudo vulnerability

(CyberScoop / Chris Bing)


U.S. intelligence officials are urging American companies and security workers to fix a software flaw that, if exploited, would give attackers deep access to a victim machine.

The vulnerability, which now has a patch, would have allowed unauthorized users to gain what’s known as root privileges on vulnerable hosts as early as 2011 when the flaw was introduced, researchers at the security firm Qualys found. Root access would enable hackers to obtain administrative privileges over a machine, and quietly collect sensitive information.

The vulnerability has existed for 10 years in sudo, a common tool found on nearly all Unix and Linux-based operating systems that generally allows system administrators to give some approved users root privileges.

The flaw affects legacy versions from 1.8.2 to 1.8.31p2 and all default versions from 1.9.0 to 1.9.5p1, according to Qualys.
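The version ranges quoted above can be turned into a quick triage check. The following is an added example, not code from the article, Qualys or the sudo project; the function names are hypothetical and the sample versions are constructed. It assumes upstream-style version strings, so a distribution package that carries a backported fix can still report a version inside the range and needs to be confirmed against the vendor's advisory.

```shell
#!/bin/sh
# Added example (not from the article): triage a sudo version string against
# the affected ranges the article attributes to Qualys:
#   1.8.2 .. 1.8.31p2   and   1.9.0 .. 1.9.5p1
# Function names are hypothetical; sample versions below are constructed.

# Turn "1.8.31p2" into a sortable integer (1008031002). Fails on anything
# that is not MAJOR.MINOR.PATCH[pN], e.g. beta or rc builds.
sudo_version_key() {
    printf '%s\n' "$1" | awk -F'[.p]' '
        /^[0-9]+\.[0-9]+\.[0-9]+(p[0-9]+)?$/ {
            printf "%d%03d%03d%03d\n", $1, $2, $3, $4; ok = 1
        }
        END { exit ok ? 0 : 1 }'
}

# Print "in-range", "outside-range" or "unknown" for one version string.
sudo_range_status() {
    key=$(sudo_version_key "$1") || { echo unknown; return 0; }
    if [ "$key" -ge 1008002000 ] && [ "$key" -le 1008031002 ]; then
        echo in-range
    elif [ "$key" -ge 1009000000 ] && [ "$key" -le 1009005001 ]; then
        echo in-range
    else
        echo outside-range
    fi
}

# Version of the locally installed sudo, from the first line of `sudo -V`
# ("Sudo version 1.9.5p2"). Prints nothing if sudo is not installed.
installed_sudo_version() {
    sudo -V 2>/dev/null | awk 'NR == 1 && $1 == "Sudo" && $2 == "version" { print $3 }'
}

# Constructed sample versions covering both range edges.
for v in 1.8.1p2 1.8.2 1.8.31p2 1.8.32 1.9.0 1.9.5p1 1.9.5p2 1.9.0b1; do
    printf '%-10s %s\n' "$v" "$(sudo_range_status "$v")"
done
```

To check the local host, run `sudo_range_status "$(installed_sudo_version)"`; an `unknown` result means the version string could not be parsed and should be reviewed by hand.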

The National Security Agency warned this week of how prevalent and damaging this issue could be for those who don’t apply patches for the flaw.

It’s “a utility that is available in almost all major linux/unix OS versions,” said Rob Joyce, who has been serving as the NSA’s top intelligence officer in the U.K., where he is responsible for liaising with the U.K.’s Government Communications Headquarters or GCHQ.

Joyce will soon be serving as the NSA’s Cybersecurity Director, as CyberScoop first reported.

The Department of Defense’s Cyber Command, which works on both offensive and defensive security missions for the U.S. government, warned system administrators to pay attention to the sudo flaw as well.

“We recommend applying patches as soon as available. This is a far more dangerous #Sudo vulnerability than seen in the rescent past [sic],” Cyber Command’s Cyber National Mission Force, one of the DOD’s outfits that would be activated when the nation is targeted in cyberspace, warned in a tweet Wednesday.
