Full Report
The goal of 'oxidizing' the Linux distro hits another bump Two vulnerabilities in Ubuntu 25.10's new "sudo-rs" command have been found, disclosed, and fixed in short order.…
Analysis Summary
This summary focuses on the two vulnerabilities found in the new `sudo-rs` implementation on Ubuntu 25.10, as detailed in Ubuntu Security Notice USN-7867-1.
# Vulnerability: Two Security Flaws in Ubuntu 25.10's sudo-rs Implementation
## CVE Details
- CVE ID: **Not explicitly provided in the text** (Assigned after disclosure and fixed quickly)
- CVSS Score: **Low** for the password timeout issue; **Moderate** for the timestamp auth issue. Specific numerical scores are not provided.
- CWE: Not specified.
## Affected Systems
- Products: `sudo-rs` component used in Ubuntu 25.10.
- Versions: Ubuntu 25.10 (New implementation).
- Configurations:
- Password Timeout Issue: Affects installations where users do not have the `pwfeedback` setting enabled.
- Timestamp Auth Issue: Only exploitable if the `targetpw` configuration setting is enabled (which is **not** the default).
## Vulnerability Description
Two distinct vulnerabilities were fixed in the new Rust-based `sudo-rs` implementation:
1. **Password Timeout Issue (Low Severity):** If a user typed characters into a `sudo` prompt but did not press Enter before the password timeout occurred (default 5 minutes), the characters typed would be displayed back on the terminal. This enables a social engineering attack where an attacker could coax a user to type a password fragment, distract them, and rely on the timeout to prematurely reveal that input. This is generally avoided if `pwfeedback` is enabled.
2. **Timestamp Authentication Issue (Moderate Severity):** The `sudo-rs` implementation failed to correctly honor the `targetpw` configuration setting (which dictates what password `sudo` should ask for when remembering a prior authentication, possibly to run commands as a different user). This meant the system would ignore the configured setting when reusing a remembered authentication, potentially circumventing intended privilege escalation restrictions, although abusers would need high existing privileges to exploit this path, and it is non-default.
## Exploitation
- Status: **Not exploited in the wild** (Disclosed and fixed quickly).
- Complexity:
- Password Timeout: Implied **Medium** complexity due to required social engineering and a 5-minute window.
- Timestamp Auth: Implied **High** complexity, as it typically requires specific, non-default configurations (`targetpw`) and high pre-existing privilege to be impactful.
- Attack Vector: Both imply a **Local** context for execution, as `sudo` is a local command-line utility.
## Impact
- Confidentiality: **Low to Medium** (Potential credential exposure via social engineering or broken policy enforcement).
- Integrity: **Low to Medium** (Policy enforcement could be bypassed via the `targetpw` issue).
- Availability: **Negligible**.
## Remediation
### Patches
- Patches were applied and delivered via **Ubuntu Security Notice USN-7867-1**.
- Fixes were also backported to the `sudo-rs` version used in **Debian "stable."**
### Workarounds
- **For Password Timeout:** Ensure the `pwfeedback` setting is enabled in `/etc/sudoers` or the configuration file used by `sudo-rs` to fully obscure typed input.
- **For Timestamp Auth:** Do not use the non-default `targetpw` configuration setting, or manually verify that `sudo-rs` respects configured session policies after updating.
## Detection
- **Indicators of Compromise:** In the case of the timeout bug, unusual echoes of input during an idle period on a terminal where `sudo` was invoked might be logged.
- **Detection methods and tools:** Standard security monitoring of `/etc/sudoers` configuration changes related to `pwfeedback` and `targetpw` is recommended until patched.
## References
- Vendor Advisories: ubuntu com/security/notices/USN-7867-1
- Relevant Links:
- github com/trifectatechfoundation/sudo-rs
- discourse ubuntu com/t/sudo-rs-and-beyond/67098