Sudo CVE-2019-14287 Reported Oct 14

Posted: 2019/10/18 14:41:37
by jakepogo
ALL sudo versions prior to 1.8.28 (CentOS 6 is currently synced with v1.8.6p3) are susceptible to an escalation flaw related to user -1. The report said that Linux distros would be updated as soon as possible, but I haven't found any information about when CentOS would sync up with the safer version; does anyone know? This seems like a pretty major flaw :(

https://thehackernews.com/2019/10/linux ... -flaw.html

Re: Sudo CVE-2019-14287 Reported Oct 14

Posted: 2019/10/18 15:24:58
by stevemowbray
I'd say it's a pretty minor flaw as I wouldn't expect many people to have set up a vulnerable configuration. It's easy enough to fix your own configuration if you have done so.

Re: Sudo CVE-2019-14287 Reported Oct 14

Posted: 2019/10/18 16:57:02
by TrevorH
Please see https://access.redhat.com/security/cve/cve-2019-14287 for both information about what configurations are vulnerable and for progress about the path to a patch. News about the fix will appear on that page first, and when Red Hat releases it for RHEL, CentOS will pick it up and rebuild it too.

Due to the fact that the exploit is local only and also has very specific configuration requirements before your system will be vulnerable - even with the unpatched version - the majority of people will be unaffected.
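A defender-side audit helper, added here as an example and not written by anyone in this thread: it checks whether a sudo version string predates the 1.8.28 fix and whether a sudoers file carries a Runas list that excludes root, the "(ALL, !root)" shape the Red Hat advisory linked above describes as the affected configuration. The function names and the sample sudoers lines are constructed for the example.

```shell
#!/bin/sh
# Hypothetical CVE-2019-14287 audit helper (added example, not from the thread).
# Affected: sudo older than 1.8.28 combined with a sudoers Runas list that
# excludes root, e.g. "alice ALL=(ALL, !root) /usr/bin/vim". Updating sudo, or
# replacing the "!root" deny-list with an explicit allow-list of target users,
# removes the condition.

# Returns 0 when VERSION (as printed by "sudo -V", e.g. 1.8.6p3) is older than 1.8.28.
sudo_version_is_vulnerable() {
    v=${1%%p*}                          # drop the "pN" patch-level suffix
    major=${v%%.*}; rest=${v#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    [ "$patch" = "$rest" ] && patch=0   # "1.9" has no third component
    if [ "$major" -gt 1 ]; then return 1; fi
    if [ "$minor" -gt 8 ]; then return 1; fi
    if [ "$minor" -lt 8 ]; then return 0; fi
    if [ "$patch" -lt 28 ]; then return 0; else return 1; fi
}

# Prints non-comment sudoers lines whose Runas list excludes root ("!root" or "!#0");
# returns 0 if any were found, 1 otherwise.
sudoers_has_root_exclusion() {
    grep -v '^[[:space:]]*#' "$1" | grep -E '\([^)]*![[:space:]]*(root|#0)[^)]*\)'
}

# Constructed sample sudoers content for a stand-alone run (not a real system's file).
write_sample_sudoers() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
root    ALL=(ALL:ALL) ALL
# Affected shape: "any user except root" expressed as a deny-list
alice   ALL=(ALL, !root) /usr/bin/vim
# Safer shape: the permitted target user is named explicitly
bob     ALL=(www-data) /usr/bin/systemctl restart httpd
EOF
    printf '%s\n' "$f"
}

SAMPLE=$(write_sample_sudoers)
if sudoers_has_root_exclusion "$SAMPLE"; then
    echo "sample: root-excluding Runas list found (lines above)"
fi
rm -f "$SAMPLE"

# On a real host: compare the installed version and scan the live policy files.
if command -v sudo >/dev/null 2>&1; then
    installed=$(sudo -V 2>/dev/null | sed -n '1s/^Sudo version //p')
    if [ -n "$installed" ] && sudo_version_is_vulnerable "$installed"; then
        echo "sudo $installed predates the 1.8.28 fix"
    fi
    for f in /etc/sudoers /etc/sudoers.d/*; do
        [ -r "$f" ] && sudoers_has_root_exclusion "$f" || true
    done
fi
```

Both conditions must hold for a host to be affected, so a patched sudo with a "!root" entry is not exposed to this CVE, but the entry is still worth rewriting as an allow-list.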

Re: Sudo CVE-2019-14287 Reported Oct 14

Posted: 2019/10/23 17:38:51
by aks
Frankly, if somebody is already in as in they can execute sudo, you've got bigger problems ...