来源

关联漏洞

描述

A deep dive into two critical Sudo vulnerabilities (CVE‑2025‑32463 & CVE‑2025‑32462) that enable local privilege escalation across major Linux distributions.

介绍

# ⚠️ CVE‑2025‑32463 & CVE‑2025‑32462 – Sudo Privilege Escalation Flaws in Linux

## 🧠 TL;DR

In July 2025, two newly disclosed vulnerabilities in the `sudo` utility—**CVE-2025-32463** and **CVE-2025-32462**—have put numerous Linux distributions at risk. The more severe of the two, **CVE‑2025‑32463**, carries a **CVSS score of 9.3**, enabling **local privilege escalation** and potential full system compromise. Exploits are now surfacing in the wild. Patch **ASAP**.

![a-hyper-realistic-digital-painting-of-a-_fpL3F86KSl2rYMkphXgKpg_A--8Fy3VRF6-wcrzP2VHlw](https://github.com/user-attachments/assets/3315340a-e18c-4cc5-82d5-1256e320fd1d) <br/>

---

## 🔍 What Is Sudo?

`sudo` is a core utility on nearly all Unix-based systems, allowing users to run commands as another user (typically root). It's central to **privileged access** control on Linux.

If `sudo` is compromised, the implications are massive—any local user might gain **root-level access** to the entire system.

---

## 📌 Vulnerability Breakdown

### ✅ CVE‑2025‑32463 — Critical Privilege Escalation

* **Severity**: Critical (CVSS: 9.3)
* **Impact**: Local users can **bypass security policies** and **execute arbitrary files with elevated privileges**.
* **Affected Sudo Versions**: Prior to **1.9.17p1**
* **Discovered by**: Qualys Threat Research Unit (TRU)
* **Root Cause**: An unsafe path expansion and lack of input sanitization in the `sudoers` policy parsing logic.

#### 🔧 Exploitation

An attacker with **low privilege access** can exploit a misconfigured `sudoers` rule that uses **wildcards (`*`) in command paths**. By crafting a malicious binary and tricking `sudo` into executing it (via the wildcard), the attacker achieves **root shell**.

> 🔥 In one proof-of-concept (PoC), attackers exploited:

```bash
Cmnd_Alias EXPLOIT = /usr/bin/cp /etc/* /dev/null
```

By planting their payload in `/etc/passwd`, they escalated privileges instantly.

---

### ⚠️ CVE‑2025‑32462 — Lower Severity, Supporting Bug

* **Severity**: Low (CVSS: 2.8)
* **Impact**: Improper cleanup of memory structures. Doesn't directly enable privilege escalation, but **supports more stable exploitation** of CVE-2025-32463.
* **Fix**: Also resolved in sudo 1.9.17p1

---

## 🧬 Affected Distributions

All major distros shipping vulnerable `sudo` versions are affected:

* Ubuntu (20.04, 22.04, 24.04)
* Debian (10/11/12)
* Fedora
* Red Hat Enterprise Linux (7, 8, 9)
* SUSE Linux Enterprise
* Arch Linux

Each has released emergency patches as of **July 15, 2025**.

---

## 🧪 Detection & Indicators of Exploitation (IoEs)

Look for:

* Wildcard rules in `/etc/sudoers` or included policy files.
* Unknown binaries or scripts in `/tmp`, `/dev/shm`, `/home/*/.local`, etc.
* Log entries like:

  ```
  sudo: unknown user root executed /tmp/payload
  ```

---

## 🩹 Mitigation

1. **Update Sudo Immediately**

   * Version `1.9.17p1` or later fixes both CVEs.
   * Example (Ubuntu):

     ```bash
     sudo apt update && sudo apt install sudo
     ```

2. **Audit sudoers Rules**

   * Avoid wildcard entries in `sudoers`:

     ```bash
     # Dangerous
     myuser ALL=(ALL) NOPASSWD: /usr/bin/cp /etc/* /tmp/
     ```

     * Replace with explicit command paths.

3. **Use sudo’s `secure_path` directive**

   * Enforces safe, limited `$PATH` values in elevated environments.

4. **File Integrity Monitoring**

   * Tools like **AIDE**, **Auditd**, or **OSSEC** can alert you to suspicious binary drops or script executions.

---

## 🔒 Example of Safe sudoers Rule

```bash
myuser ALL=(ALL) NOPASSWD: /usr/bin/cp /etc/passwd /tmp/passwd.backup
```

Avoid wildcard (`*`) and directory-level permissions unless necessary.

---

## 🧠 Final Thoughts

This vulnerability is another reminder that **"with great power comes great security responsibility."** The flexibility of `sudo` makes it a powerful tool—and a dangerous one when misconfigured.

Organizations should treat `sudo` policy hygiene as critical infrastructure, not afterthoughts. Automate audits. Apply least-privilege principles. And, always, **patch fast**—because attackers already are.

---

## 🔗 References

* [Qualys Full Technical Disclosure](https://blog.qualys.com/vulnerabilities-threat-research/2025/07/15/cve-2025-32463-wildcard-privilege-escalation-in-sudo)
* [Sudo Patch Release Note (v1.9.17p1)](https://www.sudo.ws/releases/stable/#1.9.17p1)
* [MITRE CVE-2025-32463](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-32463)
* [Ubuntu Security Notice](https://ubuntu.com/security/notices/USN-6739-1)

---

文件快照

 [4.0K]  /data/pocs/bbe0ed8563e3c4cada8a2a53d320e7f807807118
└── [4.5K]  README.md

0 directories, 1 file

备注