Sudo Flaw Opens Potential Security Risk for OS X, Linux Users

| News

A security flaw in the command line tool sudo in OS X 10.7 and higher, as well as some Linux distributions, could let an attacker gain root access on a user's computer. The flaw was reported by Metasploit, the open source exploit framework whose developers specialize in finding security issues and building utilities that demonstrate them, but the steps needed to exploit this particular issue make it unlikely that most Mac users will become victims before a patch is available.

The requirements are tight, but a command line security flaw poses a threat to Mac users

To take advantage of the flaw, an attacker needs an administrator-level account on the Mac that has already been used to run the sudo command, physical or remote access to the machine, and the ability to set the system clock back to January 1, 1970 (the start of the Unix epoch). That combination makes it highly unlikely that the average Mac user is at risk, but it does pose a potential threat in the IT workplace, or for anyone who shares a Mac with someone who is command line-savvy.

Metasploit reported the vulnerability to Apple about five months ago, but so far a fix hasn't been issued. It's possible that Apple doesn't see this threat as a high priority and plans to include a fix in an upcoming Mountain Lion update, or that it will be addressed in Mavericks when it ships this fall.

The big issue for people who do fall victim to the sudo flaw is that an attacker with root access could install other malicious software without their knowledge to perform tasks like collecting files and passwords.

Apple hasn't commented on the security threat, and we most likely won't hear anything about it from the company until it shows up in the notes for a security patch.

[Thanks to Ars Technica for the heads up]


3 Comments

geoduck

I read about this earlier this morning and I have to say I’m a bit confused. I thought the purpose of SUDO was to give someone root user access. It’s SUperuser DO. Why is this suddenly a security vulnerability? Anyone with admin rights that runs SUDO has always had the right to execute code and install software. That’s what it’s for. I’m missing something about this story.

Alphaman

Hi @geoduck. If you read the Ars article linked to in this article, you’d see that the exploit allows you to execute sudo without having to enter a password. It does it by tricking sudo into thinking the timestamp is still within the range of the timestamp_timeout.

I find this interesting, because there is code in sudo to ensure that the current time is NOT before the system boot time. Eh, complex code can generate simple logic flaws, huh?
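To make the mechanism described in the comment above (and the attack steps listed in the article) concrete, here is a small Python model of sudo's cached-credential check, added by the editor; it is not code from sudo, Metasploit or the article. It assumes the pre-1.8.6p7 behaviour: `sudo -k` resets an existing timestamp file's mtime to the Unix epoch rather than deleting it, the boot-time sanity check compares the timestamp against a boot time derived from the wall clock (so it moves when the clock is set back), and the 1.8.6p7 fix is to ignore an epoch timestamp outright. The 5-minute timeout, the scenario values and the helper names are constructed for the illustration.

```python
"""Editor's model of sudo's cached-credential (timestamp) check and the
epoch bypass. This is a constructed illustration, not code from sudo,
Metasploit or the article; the names and numbers below are assumptions."""
from dataclasses import dataclass
from typing import Callable, Optional

EPOCH = 0                 # 1 Jan 1970 00:00:00 UTC as a Unix time
TIMEOUT_MINUTES = 5       # sudo's default timestamp_timeout


@dataclass
class Clock:
    """System clock as sudo sees it."""
    now: int      # wall-clock seconds since the epoch
    uptime: int   # seconds since boot, independent of the wall clock

    @property
    def boot_time(self) -> int:
        # Assumption: boot time is derived as wall clock minus uptime (how
        # kern.boottime / /proc/stat btime behave), so setting the clock back
        # drags the boot time back with it.
        return self.now - self.uptime


def sudo_k(mtime: Optional[int]) -> Optional[int]:
    """'sudo -k': reset an existing timestamp file's mtime to the epoch.
    Without a prior successful sudo there is no file to reset, which is why
    the attacker must already have used sudo."""
    return EPOCH if mtime is not None else None


def timestamp_valid_vulnerable(mtime: Optional[int], clock: Clock,
                               timeout: int = TIMEOUT_MINUTES) -> bool:
    """Pre-1.8.6p7 decision (simplified): True means no password prompt."""
    if mtime is None:
        return False                       # no cached credential
    if mtime < clock.boot_time:
        return False                       # left over from a previous boot
    if mtime > clock.now + 60 * timeout:
        return False                       # timestamp from the future
    return clock.now - mtime < 60 * timeout


def timestamp_valid_fixed(mtime: Optional[int], clock: Clock,
                          timeout: int = TIMEOUT_MINUTES) -> bool:
    """1.8.6p7 behaviour: an epoch timestamp is ignored whatever the clock says."""
    if mtime == EPOCH:
        return False
    return timestamp_valid_vulnerable(mtime, clock, timeout)


def bypass_after_clock_reset(check: Callable[..., bool]) -> bool:
    """Walk the attack the article outlines against a given check function."""
    real = Clock(now=1_375_000_000, uptime=3_600)   # constructed: Aug 2013, up 1h
    mtime = real.now - 600                          # admin used sudo 10 min ago
    assert not check(mtime, real)                   # cache has expired: prompt
    mtime = sudo_k(mtime)                           # step 1: reset to the epoch
    rewound = Clock(now=EPOCH, uptime=real.uptime)  # step 2: set date to 1 Jan 1970
    return check(mtime, rewound)                    # step 3: run sudo again


if __name__ == "__main__":
    print("vulnerable sudo skips password:", bypass_after_clock_reset(timestamp_valid_vulnerable))
    print("fixed sudo skips password:     ", bypass_after_clock_reset(timestamp_valid_fixed))
```

With the clock rewound to the epoch, the reset timestamp and the current time are both 0, so the "within timestamp_timeout" test passes, and the boot-time guard does not help because the derived boot time moved back with the clock (to -3600 in the model). The fix sidesteps the clock entirely by refusing to honour a timestamp that sits exactly at the epoch.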

geoduck

Aha! Thanks. That was the part I missed.
