Reviews
5 Jul 2025

Sudo Privilege Escalation Vulnerability Review

532 Words Reading Time: 2 minute
Sudo Privilege Escalation Vulnerability Review

In the blog post, we’ll cover what the issue is, how it works, how to detect it, and most importantly, how to fix it.

A critical vulnerability was recently identified in the widely-used sudo utility, affecting systems that rely on host-based rules in the sudoers file. Known as CVE‑2025‑32462, this bug allows low-privileged local users to escalate to root by abusing the -h/--host option. Discovered by Rich Mirch of Stratascale and present in sudo for over a decade, this flaw highlights the need for diligent patching—even in mature tools like sudo.

In the blog post, we’ll cover what the issue is, how it works, how to detect it, and most importantly, how to fix it.



What’s Going On?

  • The -h/--host flag in sudo was originally intended to list how a user’s permissions apply on different hosts—not for executing commands.
  • Due to a logic oversight, this flag could be misused to apply permissions from a different host context, effectively bypassing host-based restrictions in the sudoers file.

Who Is at Risk?

  • Environments using host-based sudoers rules, especially with Host or Host_Alias directives—typical in LDAP or multi-machine setups.
  • All versions of sudo from 1.8.8 up to, but not including, 1.9.17p1.
  • Affects major Linux distributions (Ubuntu, Debian, Red Hat, SUSE, Alpine, Amazon Linux, etc.) and Unix-like systems including macOS.


How It Works

  • An attacker with a low-privileged account on hostA uses:
sudo -h hostB <allowed-command>
  • sudo applies permissions intended for hostB, not hostA.
  • Even if the user is restricted on hostA, they can now run root commands that are permitted on hostB.


Detection & Testing

  • Search your sudoers and /etc/sudoers.d/ files for Host or Host_Alias directives.
  • Attempt the exploit by running a harmless command with -h to test if host-based rules are enforced.

Example:

sudo -h <trusted-host> -l

If host-based restrictions don’t apply as expected, your sudo version is vulnerable.


Fix and Recommendations

  • Upgrade sudo to v1.9.17p1 or later using your distro’s package manager.
  • Review sudoers configurations—minimize the use of host-based rules.
  • For added security, monitor sudo usage and consider removing the -h option or move toward centralized authorization (e.g., LDAP).


Conclusion

This vulnerability shows that even seasoned tools like sudo can harbor high-impact bugs when new flags are introduced. If your setup uses host-specific rules in sudoers, your systems are at risk unless updated.

Next steps:

  • Patch systems immediately to v1.9.17p1 or newer.
  • Audit sudoers for host-based policies.
  • Continue security reviews for foundational tools.


📝 For more information about this vulnerability, please review this article.

Tags:



You may also be interested in...

When working with security-focused systems, especially those protected by fapolicyd, it's essential to understand the implications of how trust is assigned to executable files.
Why I Trust Files — Not Directories — in fapolicyd Rules for Splunk
Edubuntu has returned with the 24.04 LTS release, offering a modern, stable, and purpose-built Linux distribution tailored specifically for educational environments.
Edubuntu 24.04 LTS Review
Nextcloud is a powerful self-hosted collaboration suite—but by default, it lacks the ability to edit Office documents like Word, Excel, or PowerPoint directly in the browser.
Integrating OnlyOffice with Nextcloud
For teams or individuals looking for a lean, self-hosted Git service with a small footprint, Gitea has been gaining traction..
Gitea Review - A Lightweight Git Solution for Self-Hosting

© 2020 - 2025 Jamison Johnson
Disclaimer | Privacy Information | Search Blog Mastodon - @cristiancastellari@mastodon.uno @cristian@livellosegreto.it