Sudo is trusting the wrong host: CVE-2025-32462, which remained unnoticed for over 12 years, requires a specific, but common, configuration of restricting Sudo rules to certain hostnames or hostname patterns.

According to the researchers, the sudoers file uses flexible syntax to suit any organization size, allowing a single configuration to work across Linux and UNIX systems by limiting rules specific to users, groups, and hosts.

England agrees with the vulnerability’s lower severity score, CVSS 2.8 out of 10. “Successful execution would require someone to make a misconfiguration and deploy a sudoers file with an incorrect host for this vulnerability to work,” he said. “The error has to happen elsewhere to meet these conditions.”

Stable Sudo versions 1.9.0 through 1.9.17 are affected, along with the legacy versions 1.8.8-1.8.32. The flaw was introduced with Sudo version 1.8.8, released in September 2013, and remained in all the subsequent upgrades.

Both flaws have been fixed in the Sudo version 1.9.17p1. Sudo advisories addressing the issues credited Rich Mirch from Stratascale Cyber Research Unit (CRU) for the discoveries and have urged admins to quickly patch their installations.

“Organizations should treat remediation of the issue as a priority despite the seemingly low vulnerability severity score and investigate their configurations for use of the vulnerable options and versions, doubly so due to the presence of the other vulnerability which does not have such configuration-based requirements for exploitation,” said Ben Hutchison, associate principal consultant at Black Duck.
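The advice above boils down to two checks an administrator can script: is the installed Sudo inside the affected version ranges the article lists, and does the sudoers file actually use host-scoped rules (the configuration the host-trust bug depends on). The following POSIX shell helper is an added audit example, not code from the CSO article or from the Sudo project; it assumes only `sh` and `awk`, encodes the article's ranges (1.8.8-1.8.32 and 1.9.0-1.9.17 affected, 1.9.17p1 fixed), and runs its rule scan over a constructed sample sudoers fragment so it works offline.

```shell
#!/bin/sh
# Added audit helper; not code from the CSO article or the Sudo project.
# Assumes a POSIX sh with awk. Version ranges are those the article lists:
# 1.8.8-1.8.32 and 1.9.0-1.9.17 are affected, 1.9.17p1 carries the fix.

# is_affected VERSION
# Returns 0 (true) when VERSION falls in an affected range, 1 otherwise.
# Sudo versions look like "1.9.15p5": major.minor.patch plus optional "pN".
is_affected() {
    v=$1
    case $v in
        [0-9]*.[0-9]*) ;;          # plausible version string
        *) return 1 ;;             # anything else: treat as unknown, not affected
    esac
    base=${v%%p*}                  # drop the "pN" patch-level suffix
    suffix=${v#"$base"}            # "" or "pN"
    major=${base%%.*}
    rest=${base#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    if [ "$patch" = "$rest" ]; then patch=0; fi   # "1.9" with no third part
    if [ "$major" -ne 1 ]; then return 1; fi
    if [ "$minor" -eq 8 ] && [ "$patch" -ge 8 ] && [ "$patch" -le 32 ]; then
        return 0                   # legacy 1.8.8 .. 1.8.32
    fi
    if [ "$minor" -eq 9 ]; then
        if [ "$patch" -lt 17 ]; then return 0; fi            # 1.9.0 .. 1.9.16(pN)
        if [ "$patch" -eq 17 ] && [ -z "$suffix" ]; then return 0; fi  # 1.9.17, not p1
    fi
    return 1
}

# installed_sudo_version
# Prints the version reported by "sudo --version" (first line ends in it),
# or returns 1 when sudo is not on the PATH.
installed_sudo_version() {
    command -v sudo >/dev/null 2>&1 || return 1
    sudo --version 2>/dev/null | awk 'NR == 1 { print $NF }'
}

# list_host_rules FILE
# Prints the sudoers lines that scope a rule to particular hosts: Host_Alias
# definitions, and user specifications whose host field is not ALL.
# A user specification has the form:  user  host = (runas) command
# so the host is the second token of the text before the first "=".
list_host_rules() {
    awk '
        /^[[:space:]]*(#|$)/ { next }                          # comments, blanks
        /^[[:space:]]*Host_Alias/ { print; next }               # host alias definition
        /^[[:space:]]*(Defaults|User_Alias|Runas_Alias|Cmnd_Alias)/ { next }
        /=/ {
            lhs = $0
            sub(/[[:space:]]*=.*/, "", lhs)                    # keep text before "="
            sub(/^[[:space:]]+/, "", lhs)
            n = split(lhs, f, /[[:space:]]+/)
            if (n >= 2 && f[2] != "ALL") print                  # host-restricted rule
        }
    ' "$1"
}

# demo_host_rules
# Runs list_host_rules over a constructed sample sudoers fragment (not a real
# file from any system) so the scan can be exercised offline.
demo_host_rules() {
    tmp=$(mktemp)
    cat >"$tmp" <<'EOF'
# constructed sample sudoers fragment
Defaults        env_reset
Host_Alias      WEBSERVERS = web01, web02
User_Alias      ADMINS = alice, bob
ADMINS          ALL = (ALL) ALL
deploy          WEBSERVERS = (root) /usr/bin/systemctl restart nginx
carol           db01.example.com = (postgres) /usr/bin/psql
%ops            ALL = (ALL) NOPASSWD: /usr/bin/journalctl
EOF
    list_host_rules "$tmp"
    rm -f "$tmp"
}

# Stand-alone run: report the local sudo version, then show the sample scan.
if v=$(installed_sudo_version); then
    if is_affected "$v"; then
        echo "sudo $v: inside an affected range, update to 1.9.17p1 or later"
    else
        echo "sudo $v: outside the affected ranges"
    fi
fi
echo "host-scoped rules in the sample sudoers fragment:"
demo_host_rules
```

On a real system, point `list_host_rules` at `/etc/sudoers` and each file under `/etc/sudoers.d/`; any output means the host-scoping feature is in use and the version check matters more, since the article notes the second, configuration-independent flaw is fixed by the same 1.9.17p1 release anyway. The `Host_Alias` line in the sample is printed on purpose: an alias with no rule referencing it is still worth knowing about when auditing.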
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4018715/how-a-12-year-old-bug-in-sudo-is-haunting-linux-users.html