Bug 2374693 (CVE-2025-32463)

Summary: CVE-2025-32463 sudo: LPE via chroot option
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW ---
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: adhisimon, crizzo, dustymabe, fankymobile, jmitchel, jtanner, kshier, mariah9xx, michael.h.hall-1, mo, m.petrov, paul.wouters, rebus, security-response-team, yatian.liu.98
Target Milestone: ---
Keywords: Security
Target Release: ---
Flags: yatian.liu.98: needinfo? (security-response-team)
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: ---
Doc Text:
A flaw was found in Sudo. This flaw allows a local attacker to escalate their privileges by tricking Sudo into loading an arbitrary shared library using the user-specified root directory via the `-R` (`--chroot`) option. An attacker can run arbitrary commands as root on systems that support `/etc/nsswitch.conf`.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Deadline: 2025-06-30

Description OSIDB Bzimport 2025-06-24 21:27:30 UTC
An attacker can leverage sudo's `-R` (`--chroot`) option to run arbitrary commands as root, even if they are not listed in the sudoers file. Sudo versions 1.9.14 to 1.9.17 inclusive are affected.
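The description fixes the affected range at sudo 1.9.14 through 1.9.17 inclusive, and comment 6 names 1.9.17p1 as the upstream release carrying the fix. The script below is an added example (not part of this bug report, of sudo, or of Red Hat's tooling) that parses a sudo version string in sudo's own `MAJOR.MINOR.PATCH[pN]` format and reports whether it falls inside that range; the function names are this example's own. One caveat for the RHEL hosts discussed later in this bug: distributions that backport fixes keep the old version string, so on those systems the errata (RHSA-2025:11537 for RHEL 10) is authoritative and this check is only a first triage step.

```shell
#!/bin/sh
# Added example (not from the bug report, sudo, or Red Hat tooling): classify
# a sudo version string against the affected range the bug description gives
# for CVE-2025-32463 (1.9.14 through 1.9.17 inclusive) and the upstream fix
# release 1.9.17p1 (comment 6). Function names are this example's own.

# Split "MAJOR.MINOR.PATCH[pN]" (sudo's version format, e.g. "1.9.15p5") into
# four integers printed on one line; a missing field counts as 0.
parse_sudo_version() {
    v=$1
    pl=0
    case "$v" in
        *p*) pl=${v##*p} ;;
    esac
    base=${v%%p*}
    major=${base%%.*}
    minor=0
    patch=0
    case "$base" in
        *.*.*) rest=${base#*.}; minor=${rest%%.*}; patch=${rest#*.} ;;
        *.*)   minor=${base#*.} ;;
    esac
    printf '%d %d %d %d\n' "$major" "$minor" "$patch" "$pl"
}

# Exit status 0 if the version falls in the affected range, 1 otherwise.
sudo_version_affected() {
    set -- $(parse_sudo_version "$1")
    major=$1; minor=$2; patch=$3; pl=$4
    # Only the 1.9 series is in scope for this CVE.
    [ "$major" -eq 1 ] && [ "$minor" -eq 9 ] || return 1
    # Below 1.9.14 or above 1.9.17 is outside the affected range.
    [ "$patch" -ge 14 ] && [ "$patch" -le 17 ] || return 1
    # 1.9.17p1 and later patch levels carry the upstream fix.
    if [ "$patch" -eq 17 ] && [ "$pl" -ge 1 ]; then
        return 1
    fi
    return 0
}

# Human-readable verdict for one version string.
verdict() {
    if sudo_version_affected "$1"; then
        echo "sudo $1: version in the affected range for CVE-2025-32463"
    else
        echo "sudo $1: version outside the affected range"
    fi
}

# With --live, read the version of the installed binary. Distributions that
# backport fixes (RHEL 10 via RHSA-2025:11537, for example) keep the old
# version string, so on such systems the errata, not this check, decides.
if [ "${1:-}" = "--live" ]; then
    installed=$(sudo --version 2>/dev/null | sed -n '1s/^Sudo version //p')
    if [ -n "$installed" ]; then
        verdict "$installed"
    else
        echo "sudo not found or --version unavailable"
    fi
fi
```

Run it as `sh check_sudo.sh --live` to classify the installed binary, or source it and call `verdict "1.9.5p2"` to see why the RHEL 9 build mentioned in comment 5 falls outside the range. The check stops at the version string on purpose: whether a given sudoers policy actually permits `-R` for a user is a separate question that only the policy itself can answer.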

Comment 2 yatian.liu.98 2025-07-03 01:35:07 UTC
The sudo versions in Fedora 41, 42, and Rawhide are all 1.9.15, which is an affected version. Since this security issue has high severity, could the latest sudo version be packed as soon as possible?

Comment 3 Fanky W 2025-07-04 12:01:53 UTC
Sudo's chroot feature should be removed ASAP.

Comment 4 Michal Ambroz 2025-07-04 12:08:16 UTC
There is a public PoC for this vulnerability.

https://github.com/pr0v3rbs/CVE-2025-32463_chwoot
https://www.stratascale.com/vulnerability-alert-CVE-2025-32463-sudo-chroot

Works like a charm on Fedora 41.

Comment 5 Fanky W 2025-07-04 13:04:47 UTC
(In reply to Michal Ambroz from comment #4)
> There is a public PoC for this vulnerability.
> 
> https://github.com/pr0v3rbs/CVE-2025-32463_chwoot
> https://www.stratascale.com/vulnerability-alert-CVE-2025-32463-sudo-chroot
> 
> Works like a charm on Fedora 41.

But the sudo in RHEL9 (1.9.5p2) actually supports chroot and responds correctly to this kind of malicious library file in the directory. It prints "you are not permitted to use the -R option with woot".
How come the problematic code slipped into the RHEL10 release?

Comment 6 Paul Wouters 2025-07-07 20:47:30 UTC
Note that upstream didn't properly document it, but 1.9.17pl1 fixes both CVE-2025-32462 and CVE-2025-32463.

Comment 7 errata-xmlrpc 2025-07-22 14:22:41 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2025:11537 https://access.redhat.com/errata/RHSA-2025:11537

Comment 8 Gordon Piper 2025-07-26 04:21:12 UTC
(In reply to Fanky W from comment #5)
> (In reply to Michal Ambroz from comment #4)
> > There is a public PoC for this vulnerability.
> > 
> > https://yoplay.io https://github.com/pr0v3rbs/CVE-2025-32463_chwoot 
> > https://www.stratascale.com/vulnerability-alert-CVE-2025-32463-sudo-chroot
> > 
> > Works like a charm on Fedora 41.
> 
> But the sudo in RHEL9 (1.9.5p2) actually supports chroot and responds
> correctly to this kind of malicious library file in the directory. It
> prints "you are not permitted to use the -R option with woot".
> How come the problematic code slipped into the RHEL10 release?

Link ID: Red Hat Product Errata RHSA-2025:11538