chwoot: Critical Linux vulnerability makes users root on most systems

An example exploit is available online and works on many standard systems. Admins should quickly install the available updates.


A critical security flaw in the Linux tool "sudo" makes unprivileged users "root", the system administrator, in no time at all. The cause: a bug in sudo's chroot function. This function is actually intended to "lock" users in their home directory, but it allows them to break out of it and extend their rights. An update is available; admins of multi-user systems should act quickly.

The vulnerability stems from a bug in the chroot implementation. Between two function calls, sudo invokes the "Name Service Switch" (NSS), which in turn loads the file /etc/nsswitch.conf. An attacker can cause NSS to load a prepared file containing compiled C code (a dynamic .so library) and have it executed with root rights.

The vulnerability is present in various sudo versions; exactly which ones is unclear. The discoverer, Rich Mirch of the "Stratascale Cyber Research Unit", was unable to test all versions. However, he is certain that versions prior to sudo 1.8.32 are not vulnerable, as the flawed code first appeared in that version. He found the bug in the stable versions 1.9.14 to 1.9.17 that he tested. It has the CVE ID CVE-2025-32463 and a CVSS rating of 9.2 (priority: "critical"). The discoverer provides an example exploit.

This makes many, possibly millions, of Linux systems vulnerable. Ubuntu in its current version 24.04.1, Fedora 41 and potentially many other distribution versions are at risk. However, updated packages are already available, for Ubuntu for all versions from Jammy to Plucky. They backport the bugfix contained in sudo 1.9.17p1 to the sudo version used there. The currently stable Debian version "Bookworm" is not affected: its sudo version is simply too old.
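As an added example (not code from the article, the discoverer or the sudo project), the following script places an upstream sudo version in the ranges reported above for CVE-2025-32463. The function names and result labels are assumptions made for this example. Because distributions backport the fix to older sudo versions, a `confirmed-range` result only means the distribution's advisory and package changelog must be checked.

```shell
#!/bin/sh
# Added example: classify an upstream sudo version against the ranges the
# article gives for CVE-2025-32463. Names and labels are invented here.

# "1.9.17p1" -> sortable integer; suffixes such as "-1+deb12u2" are ignored.
sudo_version_key() {
    v=$(printf '%s\n' "$1" |
        sed -nE 's/^([0-9]+)\.([0-9]+)\.([0-9]+)(p([0-9]+))?.*$/\1 \2 \3 \5/p')
    [ -n "$v" ] || return 1          # not a recognisable version string
    set -- $v                        # split into major minor patch [plevel]
    echo $(( (($1 * 1000 + $2) * 1000 + $3) * 1000 + ${4:-0} ))
}

# Labels:
#   not-affected         older than 1.8.32 (discoverer is certain)
#   outside-tested-range 1.8.32 up to 1.9.13pN (article: exact range unclear)
#   confirmed-range      1.9.14 to 1.9.17 (tested vulnerable upstream)
#   fixed                1.9.17p1 or newer
classify_sudo() {
    k=$(sudo_version_key "$1") || { echo unknown; return 0; }
    if   [ "$k" -lt "$(sudo_version_key 1.8.32)" ];   then echo not-affected
    elif [ "$k" -lt "$(sudo_version_key 1.9.14)" ];   then echo outside-tested-range
    elif [ "$k" -lt "$(sudo_version_key 1.9.17p1)" ]; then echo confirmed-range
    else echo fixed
    fi
}

# Upstream version of the installed sudo, from the first line of `sudo -V`.
installed_sudo_version() {
    sudo -V 2>/dev/null | sed -n '1s/^Sudo version //p'
}

# Constructed sample versions; pass "$(installed_sudo_version)" to
# classify_sudo to check the local host instead.
for s in 1.8.31p2 1.9.13p3 1.9.15p5 1.9.17 1.9.17p1; do
    echo "$s -> $(classify_sudo "$s")"
done
```

The classification uses only the upstream version string, so a patched distribution package built on 1.9.14 to 1.9.17 still reports `confirmed-range`.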

It can be that quick: Thanks to "chwoot", an unprivileged user can become a system administrator in no time at all.

(Image: heise security / cku)

Admins should therefore react quickly and install the updates provided by their Linux distribution. They should also not forget to update templates for cloud VMs to the latest version. A freshly installed Ubuntu VM at a major German cloud hoster was still vulnerable in the late afternoon of July 1, 2025, even though the updated package was already available. We were able to reproduce the "proof of concept" exploit provided by the discoverer Mirch and only had to install a C compiler.

Security researcher Rich Mirch also found a vulnerability elsewhere in sudo: if commands in the configuration file /etc/sudoers are restricted to certain hosts, this restriction can be circumvented by cleverly combining several command line parameters. However, this vulnerability, CVE-2025-32462, cannot be exploited on a freshly installed system with default settings. It is therefore rated with a CVSS score of only 2.8 and low priority. The vulnerability has been lurking in sudo for 12 years and is fixed in version 1.9.17p1 and newer. Incidentally, unlike its "big brother", this bug also concerns Debian GNU/Linux, where sudo 1.9.13p3-1+deb12u2 fixes it.

(cku)

This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.