In this release we have updated the sudo package to address CVE-2019-14287. Yesterday a security vulnerability was announced where commands could be made to run as root using
sudo if called with a specially crafted user ID.
While we were not vulnerable to this attack, we have deployed this update to all Hypernodes, as additional attack vectors, which maybe could affect the Hypernode platform, are often found after a patch is released. Because we track the xenial-security pocket, this new version of sudo will be automatically updated on all Hypernodes.
The exploit required that the ALL keyword was used in combination with an explicit specification to disallow root. On Hypernode we have no such configuration, so the platform was not susceptible to this vulnerability.
For more information about this vulnerability see this mail in the oss-sec mailing list archives:
If a sudoers entry is written to allow the user to run a command as any user except root, the bug can be used to avoid this restriction. For example, given the following sudoers entry:
myhost bob = (ALL, !root) /usr/bin/vi
User bob is allowed to run vi as any user but root. However, due to the bug, bob is actually able to run vi as root by running “sudo -u#-1 vi”, violating the security policy.