Full Report
Cybersecurity researchers have disclosed two security flaws in the Sudo command-line utility for Linux and Unix-like operating systems that could enable local attackers to escalate their privileges to root on susceptible machines. A brief description of the vulnerabilities is below - CVE-2025-32462 (CVSS score: 2.8) - Sudo before 1.9.17p1, when used with a sudoers file that specifies a host
Analysis Summary
# Vulnerability: Sudo Local Privilege Escalation Flaws (CVE-2025-32462 & CVE-2025-32463)
## CVE Details
- CVE ID: CVE-2025-32462
- CVSS Score: 2.8 (Low)
- CWE: Incorrect Authorization, CWE-863 (inferred from the host-option behaviour; the source article names no CWE)
- CVE ID: CVE-2025-32463
- CVSS Score: 9.3 (Critical)
- CWE: Inclusion of Functionality from Untrusted Control Sphere, CWE-829 (inferred: sudo reads `/etc/nsswitch.conf`, and therefore the NSS modules it names, from an attacker-controlled chroot; the source article names no CWE)
## Affected Systems
- Products: Sudo command-line utility on Linux and Unix-like operating systems.
- Versions:
- **CVE-2025-32462:** Sudo 1.8.8 through 1.9.17 inclusive (the host-option behaviour dates from 1.8.8, released September 2013).
- **CVE-2025-32463:** Sudo 1.9.14 through 1.9.17 inclusive (the `--chroot` option was introduced in 1.9.14; earlier releases have no chroot option and are not affected).
- Both issues are fixed in 1.9.17p1.
- Configurations:
- **CVE-2025-32462:** Sites that distribute one `sudoers` file to many hosts, or keep sudoers in LDAP (including via SSSD), so that rules written for hosts other than the local one (and other than `ALL`) are visible to sudo on the local machine. The attacker selects the other host with `-h host` / `--host=host`; no local rule is needed beyond whatever the other host's rule grants.
- **CVE-2025-32463:** Any host running an affected version. The attacker passes `-R dir` / `--chroot=dir` themselves, and sudo enters that directory and performs its name-service lookups while still evaluating the sudoers policy, so the default `sudoers` is vulnerable and no rule needs to mention the user.
## Vulnerability Description
Two distinct vulnerabilities were identified in the Sudo utility:
1. **CVE-2025-32462 (Host Option Logic Flaw):** The `-h host` / `--host=host` option exists so that a user can list the privileges sudoers grants them on another host (`sudo -l -h host`); the sudoers plugin does not support actually running commands on remote hosts. Affected versions nevertheless accepted `-h` together with a command, evaluated the sudoers rules for the named host (any host that is neither the current one nor `ALL`), and then ran the command on the *local* machine under those rules. A user who is granted a command only on, say, `web1` in a shared sudoers file or LDAP sudoers tree can therefore run it as root on any machine where that file or tree is deployed. The behaviour dates from Sudo 1.8.8, released in September 2013.
2. **CVE-2025-32463 (Chroot Configuration Bypass):** This critical flaw abuses the `-R dir` / `--chroot=dir` option. Sudo applies the chroot while it is still evaluating the sudoers policy and performs user and group lookups from inside it, so it reads `/etc/nsswitch.conf` from the user-chosen directory. A local, unprivileged user can place an `etc/nsswitch.conf` there that names an arbitrary name-service source, together with the matching `libnss_<source>.so.2` shared object; the C library then loads that attacker-supplied library into the root-privileged sudo process, where its code runs as root. No entry in `sudoers` is required, so every local account on an affected system can exploit it.
## Exploitation
- Status: The source article does not report in-the-wild exploitation; the preconditions are common, and for CVE-2025-32463 they hold on a default installation.
- Complexity:
- CVE-2025-32462: Low to medium. The attacker needs a local account and a sudoers deployment (file or LDAP) that grants that account something on some other named host; the rest is a single `sudo -h otherhost command` invocation.
- CVE-2025-32463: Low. An unprivileged local account is sufficient; the attacker chooses the `-R` directory and everything in it.
- Attack Vector: Local
## Impact
- Confidentiality: Potentially High (gaining root allows reading any data)
- Integrity: Potentially High (gaining root allows modification of any system file)
- Availability: Potentially High (gaining root allows system denial of service)
## Remediation
### Patches
- Sudo version **1.9.17p1** or later resolves both issues. In 1.9.17p1 the `-R`/`--chroot` option is also deprecated and slated for removal in a future release, so any scripts that rely on it should be migrated.
### Workarounds
- For CVE-2025-32462: Audit `sudoers` (and LDAP `sudoRole` entries, whose `sudoHost` attribute carries the host specification) for rules whose host field is anything other than `ALL` or the local host, and remove or confine them. The `-h` option is chosen by the invoking user, so it cannot be "restricted" in configuration; the exposure is the presence of rules for other hosts, and the real fix is the upgrade.
- For CVE-2025-32463: There is no configuration workaround. The `-R`/`--chroot` flag is supplied by the attacker rather than enabled by the administrator, and sudo processes it before `sudoers` has had any say, so declining to use the feature changes nothing. Upgrade to 1.9.17p1; until then, treat every local account on an affected host as root-equivalent.
## Detection
- **Indicators of Compromise:** Directories writable by unprivileged users that contain an `etc/nsswitch.conf` file together with one or more `libnss_*.so.2` shared objects (the layout the CVE-2025-32463 technique needs); root processes whose parent is `sudo` for a user who holds no sudoers entry; `sudo` invocations by low-privileged users carrying `-R`/`--chroot` or `-h host`/`--host`.
- **Detection Methods and Tools:** Sudo writes its own log entry only after the policy decision, and in the CVE-2025-32463 case the attacker's library executes inside the name-service lookup before that point, so the sudo log may hold no trace at all. Record the execve of the sudo binary instead (for example an auditd watch on `/usr/bin/sudo` with execute permission, `-p x`) and inspect the recorded argv for `-R`, `--chroot`, `--host` and `-h` followed by a hostname. Pair this with a version inventory so that hosts still below 1.9.17p1 are known and prioritised.
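The argv inspection described above, as an added example that is not part of the source article or any vendor tool. It scans auditd `EXECVE` records for executions of sudo whose arguments carry `-R`/`--chroot` (the CVE-2025-32463 vector) or `-h host`/`--host` (the CVE-2025-32462 vector). The six records are constructed for the demonstration, the sudo path `/usr/bin/sudo` and the audit key `sudo_exec` are assumptions, and a bare `-h` with no following hostname is deliberately not flagged because sudo treats it as `--help`.

```shell
#!/bin/sh
# Added example: flag sudo executions that use the chroot or host options,
# from auditd EXECVE records. Not a vendor tool.

# Read audit records on stdin; print one line per sudo execve whose argv
# contains -R/--chroot or -h <host>/--host. auditd hex-encodes (and does not
# quote) arguments containing spaces, so a whitespace split still yields one
# token per argument.
flag_sudo_chroot_host_execs() {
    awk '
        /^type=EXECVE / {
            n = 0
            for (i = 1; i <= NF; i++)
                if ($i ~ /^a[0-9]+=/) {
                    v = $i; sub(/^a[0-9]+=/, "", v); gsub(/"/, "", v)
                    argv[++n] = v
                }
            if (n == 0 || argv[1] !~ /(^|\/)sudo$/) next
            flags = ""
            for (i = 2; i <= n; i++) {
                a = argv[i]
                if (a == "-R" || a ~ /^--chroot/)
                    flags = flags " CHROOT"
                else if (a ~ /^--host/ || (a == "-h" && i < n && argv[i+1] !~ /^-/))
                    flags = flags " HOST"      # bare -h is --help, not --host
            }
            if (flags == "") next
            match($0, /msg=audit\([^)]*\)/)
            line = substr($0, RSTART, RLENGTH) ":" flags " argv="
            for (i = 1; i <= n; i++) line = line " " argv[i]
            print line
        }'
}

# Constructed records in auditd EXECVE format (not captured from a real host).
sample_audit_log() {
    cat <<'EOF'
type=EXECVE msg=audit(1751500000.123:4567): argc=4 a0="/usr/bin/sudo" a1="-R" a2="/tmp/chrootdir" a3="id"
type=EXECVE msg=audit(1751500001.456:4568): argc=3 a0="sudo" a1="-l" a2="-v"
type=EXECVE msg=audit(1751500002.789:4569): argc=4 a0="sudo" a1="-h" a2="web1" a3="/usr/bin/true"
type=EXECVE msg=audit(1751500003.000:4570): argc=3 a0="sudo" a1="--chroot=/home/mallory/root" a2="/bin/sh"
type=EXECVE msg=audit(1751500004.000:4571): argc=2 a0="sudo" a1="--help"
type=EXECVE msg=audit(1751500005.000:4572): argc=3 a0="/usr/bin/ls" a1="-R" a2="/etc"
EOF
}

# Stand-alone run over the sample. On a real host, after installing the watch
#   auditctl -w /usr/bin/sudo -p x -k sudo_exec
# feed it with
#   ausearch -k sudo_exec --raw | flag_sudo_chroot_host_execs
sample_audit_log | flag_sudo_chroot_host_execs
```

Of the six sample records only three are reported: the `-R` and `--chroot=` invocations as `CHROOT` and the `-h web1` invocation as `HOST`; `sudo --help`, `sudo -l -v` and `ls -R` are ignored. Any `CHROOT` hit on a host below 1.9.17p1 deserves a look at the named directory for the `etc/nsswitch.conf` plus `libnss_*.so.2` layout.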
## References
- Sudo advisory for CVE-2025-32462: `https://www.sudo.ws/security/advisories/host_any/`
- Sudo advisory for CVE-2025-32463: `https://www.sudo.ws/security/advisories/chroot_bug/`
- Sudo security advisories index: `https://www.sudo.ws/security/advisories/`