Vulnerability DatabaseCVE-2025-32463

CVE-2025-32463:
NixOS vulnerability analysis and mitigation

Overview

A critical vulnerability (CVE-2025-32463) was discovered in Sudo versions 1.9.14 through 1.9.17. The vulnerability allows local users to obtain root access by exploiting the --chroot option, where /etc/nsswitch.conf from a user-controlled directory is used. This vulnerability was discovered and reported by Rich Mirch from Stratascale Cyber Research Unit (CRU) in June 2025 (Oligo Security, OpenWall).

Technical details

The vulnerability stems from a change introduced in sudo 1.9.14 that allowed path resolution via chroot() using a user-specified root directory while the sudoers file was still being evaluated. An attacker could prepare a writable directory (for example under /tmp), place a fake /etc/nsswitch.conf and a malicious libnss_*.so library there, and then invoke sudo with the --chroot option. This would cause sudo to load the attacker's code with root privileges. The vulnerability has been assigned a Critical CVSS score of 9.3 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) (NVD, Oligo Security).

Impact

The vulnerability allows local users to gain complete root access to affected systems, even if they are not listed in the sudoers file. This enables attackers to execute arbitrary commands with root privileges, potentially leading to complete system compromise. The impact is particularly severe as it requires no special privileges or user interaction to exploit (Oligo Security).

Mitigation and workarounds

The vulnerability has been fixed in sudo version 1.9.17p1. The fix involves reverting the change from sudo 1.9.14 and marking the chroot feature as deprecated. Major Linux distributions have released patches for their respective versions. System administrators are strongly advised to update to sudo 1.9.17p1 or apply the vendor-provided security patches. Additionally, it is recommended to disable the chroot feature by adding 'Defaults !use_chroot' to the sudoers configuration (OpenWall, Oligo Security).

Community reactions

The vulnerability has received significant attention from the security community due to its critical severity and widespread impact. Major Linux distributions including Ubuntu, Red Hat, SUSE, and Debian have issued security advisories and patches. The discovery has led to increased scrutiny of sudo's security features, particularly those involving directory manipulation and privilege escalation vectors (Ubuntu, SUSE).

Additional resources

Source: This report was generated using AI

View vulnerable instances

Not a Wiz customer?

Request vulnerability assessment

7.8

Score

Published June 30, 2025

Severity HIGH

CNA Score 9.3

Affected Technologies

NixOS
CBL Mariner

Has Public Exploit Yes

Has CISA KEV Exploit No

CISA KEV Release Date N/A

CISA KEV Due Date N/A

Exploitation Probability Percentile (EPSS) 52.7

Exploitation Probability (EPSS) 0.3

Affected packages and libraries

sudo-debuginfo
sudo-logsrvd

Sources

NVD
Alpine Security Tracker
- Alpine 3.21 Severity HIGHHas FixAdded at: Jul 03, 2025
- Alpine 3.22, edge Severity HIGHHas FixAdded at: Jul 01, 2025
CBL-Mariner
- CBL-Mariner 2.0, 3.0 Severity CRITICALHas FixAdded at: Jul 12, 2025
Chainguard
- Chainguard Has FixAdded at: Jul 03, 2025
Container-Optimized OS Release Notes
- Container-Optimized OS Severity HIGHHas FixAdded at: Jul 08, 2025
Debian Security Tracker
- Debian 13 Severity HIGHHas FixAdded at: Jul 01, 2025
- Debian 14 Severity HIGHHas FixAdded at: Aug 10, 2025
Gentoo Advisory Database
- Gentoo Severity HIGHHas FixAdded at: Jul 02, 2025
Nix
- Nix Severity HIGHHas FixAdded at: Jul 18, 2025
Photon Security Advisory
- Photon 4.0, 5.0 Severity HIGHHas FixAdded at: Jul 03, 2025
Red Hat Errata
- Red Hat 10 Severity HIGHHas FixAdded at: Jul 01, 2025
Ubuntu Security Tracker
- Ubuntu 24.04, 24.10, 25.04 Severity HIGHHas FixAdded at: Jul 01, 2025
Wolfi
- Wolfi Has FixAdded at: Jul 03, 2025