The Stratascale Cyber Research Unit has recently identified a significant security flaw in the Linux sudo utility on a security report on their website. This vulnerability, tracked as CVE-2025-32463, allows unprivileged users to escalate their privileges to root by exploiting the chroot feature—used to restrict a process’s view of the filesystem—even if no sudo rules explicitly permit such actions.
Sudo is a vital tool for system administrators, enabling users to run commands with elevated privileges without sharing root passwords. It also logs all command executions for audit purposes.
The Core of the Issue: How chroot and nsswitch Interact
The problem lies in how sudo handles the chroot option. While chroot is often used for isolating services like FTP or SSH, it’s not a secure boundary by itself. In affected versions (1.9.14 to 1.9.17), attackers can exploit sudo’s chroot capabilities to change the root directory to a location they control, then execute commands as root—regardless of their permissions.
The exploitation involves manipulating the system’s Name Service Switch (NSS) configuration, a component responsible for retrieving system information like user accounts, groups, and hostnames. The nsswitch.conf file tells the system where to look for this information, for example, in local files or remote services like LDAP. During the chroot process, sudo loads this configuration within the new environment. Attackers can craft a malicious nsswitch.conf that directs sudo to load malicious shared libraries, enabling arbitrary code execution as root.
Attack Flow
An attacker can place a crafted nsswitch.conf inside the chroot directory, specifying a fake source that loads a shared object they control. When sudo performs the chroot, it loads this malicious library, ultimately giving the attacker root privileges.
This has been demonstrated on Ubuntu 24.04.2 with sudo 1.9.15, where an unprivileged user successfully gained root access by exploiting this vulnerability.
To mitigate this and fix the flaw, update sudo to version 1.9.17p1 or later. Be sure to review your sudo configurations for any use of the “-R” or “runchroot=” options, especially in “/etc/sudoers” or included files, and monitor logs for any suspicious activity related to chroot or nsswitch.conf modifications.
Unless used explicitly, consider disabling or removing the chroot feature. It’s been deprecated in newer sudo versions.
Keeping system utilities up to date and carefully managing features like chroot is crucial in production servers and environments. Chroot, while useful, should not be solely relied upon for security, especially given these new exploit methods.
For more details and patches, visit the Sudo Security Advisory.
Leave a Reply