CVE-2019-14287 Sudoers bypass

A security announcement has been published by Sudo, with patched versions rolling out today:

When sudo is configured to allow a user to run commands as an arbitrary user via the ALL keyword in a Runas specification, it is possible to run commands as root by specifying the user ID -1 or 4294967295.

[…]

If a sudoers entry is written to allow the user to run a command as any user except root, the bug can be used to avoid this restriction. For example, given the following sudoers entry:

bob myhost = (ALL, !root) /usr/bin/vi

User bob is allowed to run vi as any user but root. However, due to the bug, bob is actually able to run vi as root by running sudo -u#-1 vi, violating the security policy.

Only sudoers entries where the ALL keyword is present in the Runas specifier are affected. For example, the following sudoers entry is unaffected:

alice myhost = /usr/bin/id

In this example, alice is only allowed to run the id command as root. Any attempt to run the command as a different user will be denied.
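The advisory's distinction (Runas ALL present or not) is easy to check mechanically. The following Python script is an added example, not part of the Sudo announcement or of this post: it parses user specification lines from a sudoers file and flags entries whose Runas user list contains ALL, calling out separately the "ALL with a ! exclusion" shape that the bypass actually defeats. The sample sudoers text is constructed for the example (it reuses the bob and alice entries quoted above and adds a few more shapes); aliases, Defaults lines and #include directives are not expanded, so treat it as a first-pass audit rather than a full sudoers parser.

```python
import re

# Constructed sample sudoers content (not taken from any real system):
# the two entries quoted in the advisory plus extra shapes to exercise the parser.
SAMPLE_SUDOERS = """\
# user  host = (runas_user[:runas_group]) [tags:] commands
Defaults env_reset
bob     myhost = (ALL, !root) /usr/bin/vi
alice   myhost = /usr/bin/id
carol   ALL = (ALL) NOPASSWD: /usr/bin/less
dave    ALL = (ALL:ALL) ALL
erin    ALL = (www-data, !root) /usr/bin/tail
"""

# Lines that are not user specifications and are skipped by this audit.
NON_ENTRY_PREFIXES = ("Defaults", "User_Alias", "Runas_Alias", "Host_Alias",
                      "Cmnd_Alias", "#include", "@include")

# user host = (runas) commands   -- the Runas part in parentheses is optional.
ENTRY_RE = re.compile(
    r"^\s*(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\))?\s*(?P<cmds>.+?)\s*$"
)


def parse_runas(runas):
    """Split a Runas spec such as 'ALL, !root' or 'ALL:ALL' into the list of
    Runas *user* tokens; the optional group list after ':' is dropped."""
    if runas is None:
        return []  # no Runas spec: the command may only be run as root
    user_part = runas.split(":", 1)[0]
    return [tok.strip() for tok in user_part.split(",") if tok.strip()]


def is_affected(runas_users):
    """Per the advisory, an entry is affected when the ALL keyword is present
    in its Runas user list."""
    return "ALL" in runas_users


def audit_sudoers(text):
    """Return one (user, runas_users, affected, note) tuple per user
    specification line found in the sudoers text."""
    results = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith(NON_ENTRY_PREFIXES):
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue  # not a user specification this simple parser understands
        runas_users = parse_runas(m.group("runas"))
        affected = is_affected(runas_users)
        excluded = [r for r in runas_users if r.startswith("!")]
        if affected and excluded:
            # The shape the advisory describes: ALL minus some user(s). On an
            # unpatched sudo the exclusion can be bypassed with -u#-1.
            note = "ALL with exclusion of %s: restriction bypassable on unpatched sudo" % ", ".join(excluded)
        elif affected:
            # ALL without exclusion already permits root, so the bug adds no new
            # privilege here, but the entry still matches the affected pattern.
            note = "ALL in Runas without exclusion: affected pattern, root already permitted"
        else:
            note = "no ALL in Runas: unaffected"
        results.append((m.group("user"), runas_users, affected, note))
    return results


if __name__ == "__main__":
    for user, runas_users, affected, note in audit_sudoers(SAMPLE_SUDOERS):
        flag = "AFFECTED " if affected else "ok       "
        print("%s %-6s runas=%-20s %s" % (flag, user, ",".join(runas_users) or "-", note))
```

To run it against a real file, replace SAMPLE_SUDOERS with the contents of /etc/sudoers (and each file under /etc/sudoers.d, since the script does not follow include directives), and pair the result with a check that the installed sudo carries the vendor's fix.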
