During this week we discussed the risks of malware that obtains the ability to operate within the kernel, and a Linux vulnerability reported regarding SUDO when the SUDOers file is set up to allow all users except root to run certain programs as “SuperUserDO”, e.g. vi, the text editor.
https://thehackernews.com/2019/10/linux-sudo-run-as-root-flaw.html
With this week’s topic about malware, what does this vulnerability mean in regards to the likelihood and/or impact of the damage posted by malware?
The sudo vulnerability essentially gives malware the ‘keys to the kingdom’ in terms of its ability to execute tasks as a privileged user, significantly increasing the level of damage to the host as there is no limit to what commands can be run. As a sys admin you could potentially lose control over groups and users. Malware exploiting this vulnerability could easily add unauthorized users to groups if the organization doesn’t have any auditd logging configured. An attacker could use this vulnerability for persistence into an environment and remain relatively undetected. Adversely, an attacker could simply lock out any legitimate users altogether. The sky is really the limit in this scenario and tactics deployed would be determined by the attackers end goal such as persistence vs destruction.
A vulnerability which allows users to execute commands as root that were not setup to have those privileges could have a serious impact. This vulnerability, CVE-2019-14287, has a base score of 8.8 and the reason it has a higher number is because having root access allow a user to make any changes they want on the machine. If malware were installed on the machine and exploited this vulnerability the malware could make changes to the machine’s configurations allowing an attacker to gain remote access. This could result in information being stolen, ability to pivot to additional systems, destruction of information, and much more.
If the sudo vulnerability is left unpatched, the likelihood and impact of malware is extremely high. An attacker would only need to gain access to one user ID and then the vulnerability can be easily exploited. The attacker can specify the compromised user ID with “-1” or “4294967295” and can instantly gain the highest level of access. Once this is achieved, the attacker can essentially do anything they want. The installation of malware on the machine can introduce a whole array of problems for an organization. One compromised machine can quickly lead to an entire network being affected.
This sudo vulnerability would allow the malicious user to execute arbitrary commands as root on a targeted Linux system, which is dangerous. The attacker may gains admin permissions, remote access, and collect information. If the attacker takes complete control over the system as root, he can inject malicious files into the system to obtain the information he needs and can use this controlled device as a springboard to find and exploit other devices in its local network, which has more permissions.
The potential damage from malware in regard to this vulnerability is unlimited. Most attackers try to gain access then maintain it for as long as they can. Having super user privileges gives an attacker a gateway to install backdoors that help them maintain access to a compromised system. The fact that the vulnerability also takes advantage of a logic flaw in how Linux interprets “-1” or “4294967295” could mean there are more vulnerabilities to be discovered that operate in a similar way.
This vulnerability allows users to circumvent privilege restrictions in Linux, and to run commands as root/the system administrator. Malicious actors or malware could use this vulnerability to gain unrestricted access to the system. They could use this to steal, alter, or destroy any data that the root user has access to. A sudo version with the patch is available but organizations can be slow to update systems. Additionally, malicious actors who exploited this vulnerability could have already created a second entry point.
Somehow I missed this portion of our assignment until late today, so I am responding after many of my classmates who have already touched upon the limitless “functionality” this vulnerability enables.
While reading the article I couldn’t help but think about the statistics I have encountered while conducting research for this class. For example, one firm suggested that implementation of a patch within 30 days of it’s release is considered “gold standard.” In this instance, after the vulnerability was disclosed, think of the headway that could be gained by cybercriminals in a matter of 30 days minimum. There are then the companies who have not kept up with patching and are not able to remedy this quickly. I believe the risk posed by third parties with malicious intent is much higher than a rogue employee under these circumstances..
To echo those above, the impact and likelihood of this vulnerability is severe. Users will be able to modify security access and likely stay relatively undetected. What stood out to me was Mohit’s tweet regarding case 3 when he notes, “Instead of making a rule just for tom, dick, harry, or bob, when you block an entire group of low privileged users, restricting them from running commands as any other group (usually admin) that also contains the root.
%basic_users_group = (ALL, !%admin)”
I think utilizing security groups is a good practice in order to control access – however, it does get a bit more messy when it comes to utilizing nested groups within these security groups.