Linux Sudo chroot Vulnerability Enables Hackers to Elevate Privileges to Root

A critical security vulnerability in the widely used Linux Sudo utility has been disclosed, allowing any local unprivileged user to escalate privileges to root access. 

Summary
1. CVE-2025-32463 affects Sudo versions 1.9.14-1.9.17, enabling privilege escalation to root.
2. Exploitation uses the chroot option (-R) to manipulate the NSS system and load malicious libraries.
3. Impact affects default configurations on Ubuntu, Fedora, and other major Linux distributions.
4. The Fix requires an immediate update to Sudo 1.9.17p1 or later - no workaround is available.

The vulnerability, tracked as CVE-2025-32463, affects Sudo versions 1.9.14 through 1.9.17 and poses a significant threat to Linux systems running default configurations.

Root Privilege Escalation Flaw

The vulnerability was discovered by Rich Mirch of the Stratascale Cyber Research Unit (CRU) and centers around the rarely used chroot option (-R or –chroot) in Sudo. 

This vulnerability is particularly dangerous because it doesn’t require any Sudo rules to be defined for the attacking user, meaning even users with no administrative privileges can exploit it.

The flaw was introduced in Sudo v1.9.14 in June 2023 with updates to command matching handling code when the chroot feature is used. 

The vulnerability allows unprivileged users to invoke chroot() on writable, untrusted paths under their control, which Sudo executes with root authority. 

This creates a security breach when the Name Service Switch (NSS) operations are triggered, causing the system to load /etc/nsswitch.conf configuration from the untrusted environment.

The exploitation technique involves manipulating the NSS (Name Service Switch) system by placing a malicious /etc/nsswitch.conf file in a controlled chroot environment. 

Attackers can specify custom NSS sources that translate to shared object libraries (e.g., libnss_/woot1337.so.2), which Sudo then loads with root privileges.

The proof-of-concept exploit demonstrates this by creating a malicious shared object with a constructor function that calls setreuid(0,0) and setregid(0,0) to gain root privileges, then executes /bin/bash to provide a root shell. 

The exploit code shows how a simple gcc -shared -fPIC command can compile the malicious library that gets loaded during Sudo’s NSS operations.

Mitigations

Security researchers have verified the vulnerability on Ubuntu 24.04.1 with Sudo 1.9.15p5 and 1.9.16p2, as well as Fedora 41 Server with Sudo 1.9.15p5. 

The vulnerability affects the default Sudo configuration, making it a widespread threat requiring immediate attention.

The fix is available in Sudo 1.9.17p1 or later versions, where the chroot option has been deprecated and the vulnerable pivot_root() and unpivot_root() functions have been removed. 

System administrators are strongly advised to update their Sudo packages immediately, as no workaround exists for this critical vulnerability.

Investigate live malware behavior, trace every step of an attack, and make faster, smarter security decisions -> Try ANY.RUN now