A critical vulnerability, CVE-2025-32463, has been identified in the sudo command-line utility, affecting versions 1.9.14 through 1.9.17. This flaw allows local attackers to escalate privileges and execute commands with root access using the --chroot (-R) option. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, highlighting its active exploitation in the wild.
Technical Details
The vulnerability arises from sudo’s handling of the --chroot option. When invoked, sudo changes its root directory to the specified path before evaluating the sudoers file. Because sudo is still running as root at that point, name-service lookups performed during the evaluation resolve /etc/nsswitch.conf relative to the new root. An attacker who controls that directory can place a crafted /etc/nsswitch.conf and the shared libraries it names inside it; sudo then loads those libraries with root privileges, giving the attacker root.
Affected Systems
This issue impacts various Linux distributions, including:
AlmaLinux
Amazon Linux
Debian
Gentoo
Red Hat
SUSE
Ubuntu
Systems running sudo versions 1.9.14 through 1.9.17 are vulnerable. Administrators are strongly advised to update to the latest patched versions immediately.
Mitigation Steps
To mitigate the risk associated with CVE-2025-32463:
Update sudo: Install sudo version 1.9.17p1 or later.
Review sudoers Configuration: Ensure that the sudoers file does not grant unnecessary privileges.
Monitor Systems: Regularly audit system logs for unusual activities indicative of exploitation attempts.
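The three steps above can be checked from the shell. The following POSIX sh script is an added example, not code from the advisory or the sudo project: it tests whether a sudo version string falls inside the affected range (1.9.14 up to, but not including, 1.9.17p1, as the advisory states), reads the installed version from `sudo --version`, and counts sudo log entries that carry a `CHROOT=` field, which sudo 1.9 writes into its log line when the -R/--chroot option is used. The log lines are constructed for the example; the log-format assumption and the helper names are noted in the comments.

```shell
#!/bin/sh
# Added example (not from the advisory): version check and log triage for CVE-2025-32463.
# Assumption: affected range is 1.9.14 .. 1.9.17, fixed in 1.9.17p1 (as the advisory states).

# sudo_vulnerable VERSION
# Returns 0 (true) when VERSION lies in the affected range, 1 otherwise.
# Handles sudo's "p" patch-level suffix, e.g. 1.9.15p5 or 1.9.17p1.
sudo_vulnerable() {
    v=$1
    base=${v%%p*}                 # "1.9.17p1" -> "1.9.17"
    plevel=${v#"$base"}           # -> "p1" (or empty when there is no suffix)
    plevel=${plevel#p}            # -> "1"
    plevel=${plevel:-0}

    old_ifs=$IFS
    IFS=.
    set -- $base                  # split on dots into $1 $2 $3 (function-local)
    IFS=$old_ifs
    major=${1:-0}; minor=${2:-0}; micro=${3:-0}

    [ "$major" -eq 1 ] && [ "$minor" -eq 9 ] || return 1
    [ "$micro" -ge 14 ] && [ "$micro" -le 17 ] || return 1
    # 1.9.17p1 carries the fix; every patch level of 1.9.14 - 1.9.16 is still affected.
    [ "$micro" -eq 17 ] && [ "$plevel" -ge 1 ] && return 1
    return 0
}

# installed_sudo_version
# Prints the upstream version string from "Sudo version X.Y.Z[pN]" (empty if unavailable).
installed_sudo_version() {
    sudo --version 2>/dev/null | sed -n 's/^Sudo version //p' | head -n 1
}

# chroot_sudo_events LOGFILE
# Prints sudo log entries that carry a CHROOT= field.
# Assumption: sudo 1.9 records "CHROOT=<dir>" in its syslog/auth.log entry
# whenever -R/--chroot was used. Such entries are what to review, not proof of exploitation.
chroot_sudo_events() {
    grep -- ' sudo: .* CHROOT=' "$1" || true
}

# count_chroot_events LOGFILE
# Prints the number of such entries (0 when there are none).
count_chroot_events() {
    grep -c -- ' sudo: .* CHROOT=' "$1" || true
}

# Constructed sample log (not real data) so the script runs stand-alone.
SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
Jul  1 10:15:02 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
Jul  1 10:16:44 host sudo:    alice : TTY=pts/0 ; CHROOT=/tmp/work ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/id
Jul  1 10:17:10 host sudo:    bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/systemctl status ssh
EOF

# Stand-alone run: report on the installed sudo and on the sample log.
ver=$(installed_sudo_version)
if [ -n "$ver" ]; then
    if sudo_vulnerable "$ver"; then
        echo "installed sudo $ver is in the affected range: update to 1.9.17p1 or later"
    else
        echo "installed sudo $ver is outside the affected range"
    fi
else
    echo "sudo not found or version could not be read"
fi
echo "sudo entries with a CHROOT= field in sample log: $(count_chroot_events "$SAMPLE_LOG")"
chroot_sudo_events "$SAMPLE_LOG"
```

Point `chroot_sudo_events` at the real auth log (for example /var/log/auth.log or /var/log/secure) to list every sudo invocation that used -R. Distributions frequently backport fixes without changing the upstream version string, so a "vulnerable" result from `sudo_vulnerable` is a prompt to consult the distribution's own advisory and package changelog, not proof that the host is unpatched.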
CVE-2025-32463 represents a significant security risk, allowing attackers to gain root access on affected systems. Prompt application of security patches and vigilant monitoring are essential to protect systems from potential exploitation.