The vulnerability in question is a sudo security policy bypass. A malicious user or program can execute arbitrary commands as root on the targeted Linux system even when the sudoers configuration disallows root access. Linux developers have fixed this flaw in the latest update. However, targeted and infected systems are still at risk. As long as an intruder has enough access to run sudo, they can perform any action and even install serious malware, threatening the overall security of the system.
Sudo (superuser do) is a system command that Linux users often use to run applications. It also lets users access the privileges of a different user without switching between environments. Sudo is generally used for running commands as the root user. All Linux distributions, including the mobile operating systems powered by Linux, support the sudo command.
On most Linux distributions, the ALL keyword in the Runas specification allows all users in the admin or sudo groups to run any command as any valid user on the system. This loophole can allow a user to bypass the security policy and take complete control of the system.
The Sudo developers say,
“This can be used by a user with sufficient sudo privileges to run commands as root even if the Runas specification explicitly disallows root access as long as the ALL keyword is listed first in the Runas specification.”
The vulnerability affects all Sudo versions prior to the latest version, 1.8.28. If you are using Linux, you should update the Sudo package manually as soon as the fix is available for your distro.
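An added audit sketch, not code from the article or the Sudo project: it flags sudoers rules whose Runas list puts ALL first and negates root (the configuration the developers' statement describes) and checks a version string against 1.8.28. The function names and the sample sudoers text are assumptions constructed for illustration.

```python
import re

FIXED = (1, 8, 28)  # fixed release named in the article
RUNAS = re.compile(r"\(([^):]*)[:)]")  # user part of a "(users[:groups])" Runas list

def is_affected(version_text):
    """True if a 'sudo -V' style string reports a release older than 1.8.28.
    Distro packages may backport the fix without changing this number."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", version_text)
    if not m:
        raise ValueError("no x.y.z version found")
    return tuple(map(int, m.groups())) < FIXED

def risky_runas(users):
    """ALL listed first, with root (by name or as #0) negated later in the list."""
    members = ["".join(u.split()) for u in users.split(",") if u.strip()]
    return (len(members) > 1 and members[0] == "ALL"
            and any(m in ("!root", "!#0") for m in members[1:]))

def find_risky_rules(sudoers_text):
    """Return (first_line_number, rule) for each rule matching that pattern.
    Runas_Alias names are not expanded; review aliases by hand."""
    hits, buf, start = [], "", 0
    for n, raw in enumerate(sudoers_text.splitlines(), 1):
        if not buf:
            start = n
        buf += raw.rstrip()
        if buf.endswith("\\"):          # sudoers line continuation
            buf = buf[:-1] + " "
            continue
        rule, buf = buf.strip(), ""
        if not rule or re.match(r"#(?!\d)|Defaults", rule):
            continue                    # blank line, comment/#include, Defaults
        if any(risky_runas(m.group(1)) for m in RUNAS.finditer(rule)):
            hits.append((start, rule))
    return hits

# Constructed sample input, not taken from any real system.
SAMPLE_SUDOERS = """\
root    ALL = (ALL:ALL) ALL
alice   ALL = (ALL, !root) /usr/bin/vi
# bob   ALL = (ALL, !root) ALL
carol   ALL = (ALL, \\
               !#0) /usr/bin/id
dave    ALL = (www-data) /usr/bin/systemctl
"""

if __name__ == "__main__":
    for line_no, rule in find_risky_rules(SAMPLE_SUDOERS):
        print(f"line {line_no}: {rule}")
    print("affected:", is_affected("Sudo version 1.8.27"))
```

To audit a real host, pass the contents of the sudoers file and any included files to `find_risky_rules`, and the first line of `sudo -V` to `is_affected`.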