An attacker can leverage sudo's -R (--chroot) option to run
arbitrary commands as root, even if they are not listed in the
sudoers file.

Sudo versions affected:

    Sudo versions 1.9.14 to 1.9.17 inclusive are affected.

CVE ID:

    This vulnerability has been assigned CVE-2025-32463 in the
    Common Vulnerabilities and Exposures database.

Details:

    Sudo's -R (--chroot) option is intended to allow the user to
    run a command with a user-selected root directory if the sudoers
    file allows it.  A change was made in sudo 1.9.14 to resolve
    paths via chroot() using the user-specified root directory while
    the sudoers file was still being evaluated.  It is possible for
    an attacker to trick sudo into loading an arbitrary shared
    library by creating an /etc/nsswitch.conf file under the
    user-specified root directory.

    The change from sudo 1.9.14 has been reverted in sudo 1.9.17p1
    and the chroot feature has been marked as deprecated.  It will
    be removed entirely in a future sudo release.  Because of the
    way sudo resolves commands, supporting a user-specified chroot
    directory is error-prone and this feature does not appear to
    be widely used.

    A more detailed description of the bug and its effects can be
    found in the Stratascale advisory:
    https://www.stratascale.com/vulnerability-alert-CVE-2025-32463-sudo-chroot

Impact:

    On systems that support /etc/nsswitch.conf a user may be able
    to run arbitrary commands as root.

Fix:

    The bug is fixed in sudo 1.9.17p1.
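
    To check a host against the version range above, the following
    shell function classifies a sudo version string.  It is an added
    example, not part of the sudo project's advisory; the function
    names and the sample versions in its comments are illustrative.

```shell
#!/bin/sh
# Added example: compare a sudo version string with the range in this
# advisory (1.9.14 to 1.9.17 inclusive affected, fixed in 1.9.17p1).

# Prints "affected", "not-affected" or "unknown" for a version string.
# Assumption: patch-level releases inside the range (for example a
# string like 1.9.15p5) count as affected; only a patch level on
# 1.9.17 itself marks the fix.
classify_sudo_version() {
    ver=$1
    case $ver in
        *p*) base=${ver%%p*}; plevel=${ver#*p} ;;  # 1.9.17p1 -> 1.9.17, 1
        *)   base=$ver; plevel=0 ;;
    esac
    # Require exactly major.minor.micro
    case $base in
        *.*.*) ;;
        *) echo unknown; return 0 ;;
    esac
    major=${base%%.*}; rest=${base#*.}
    minor=${rest%%.*}; micro=${rest#*.}
    # Reject betas, release candidates and anything else non-numeric
    for n in "$major" "$minor" "$micro" "$plevel"; do
        case $n in ''|*[!0-9]*|0?*) echo unknown; return 0 ;; esac
    done
    # Fold into one integer so the range compares numerically
    num=$(( major * 1000000 + minor * 1000 + micro ))
    if [ "$num" -lt 1009014 ] || [ "$num" -gt 1009017 ]; then
        echo not-affected
    elif [ "$num" -eq 1009017 ] && [ "$plevel" -ge 1 ]; then
        echo not-affected    # 1.9.17p1 or later patch level
    else
        echo affected
    fi
}

# "sudo -V" prints "Sudo version X.Y.Z[pN]" on its first line.
installed_sudo_version() {
    sudo -V 2>/dev/null | sed -n '1s/^Sudo version //p'
}

if command -v sudo >/dev/null 2>&1; then
    v=$(installed_sudo_version)
    echo "sudo ${v:-?}: $(classify_sudo_version "$v")"
fi
```

    Distribution packages may carry a backported fix under an older
    version string, so treat "affected" as a prompt to check the
    vendor's own advisory for the package.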

Credit:

    Thanks to Rich Mirch from Stratascale Cyber Research Unit (CRU)
    for reporting and analyzing the bug.  The Stratascale advisory
    can be found at:
    https://www.stratascale.com/vulnerability-alert-CVE-2025-32463-sudo-chroot
