Table of contents of the article:
With the heat advancing, it is not only our bodies that are “sweating…rare”. Even Linux systems, this summer, are facing an unexpected sweat: a critical vulnerability discovered in sudo, the famous command that for decades has allowed users to perform operations as administrators without having to log in directly as root. But this time, a bug in the management of --chroot risks turning a simple system command into an open door for local attackers.
A Hot Summer for Linux Security
On July 1, 2025, a official advisory which describes a vulnerability classified as CVE-2025-32463, with a CVSS score of 9.3, which makes it one of the most serious flaws in recent years related to sudoThe bug affects versions of sudo from 1.9.14 to 1.9.17 inclusive, excluding only the 1.9.17p1, which contains the correction.
What is sudo?
sudo is one of the fundamental commands of Unix and Linux system administration. Its name derives from “Superuser do“, meaning “run as superuser”. In practice, it allows a normal user to execute commands with root privileges (or that of another specified user), but without having to log in as root. This mechanism is fundamental for security: it allows you to control, log and limit access to administrative privileges.
Through the configuration file /etc/sudoers, you can define with extreme precision which users can execute which commands, on which hosts, and with which options. In a corporate or multi-user context, sudo allows you to keep track of privileged activities and reduce the risks associated with using the superuser. It is therefore a pillar of secure management of Linux systems, but precisely because of its power, when a vulnerability is discovered in sudo, the consequences can be very serious.
The problem in brief
The problem arises from the use of the option --chroot (equivalent to -R) that allows you to run commands inside a chrooted environment, useful for example for maintenance operations on systems that are not normally booted. However, in these affected versions, sudo does not properly handle the separation between the chroot environment and the real file system. Under certain conditions, an unprivileged user can:
- create a controlled chroot directory;
- include files in it like
/etc/nsswitch.confmanipulated; - take advantage of dynamic loading of libraries configured in
nsswitch.conf; - get code execution with root privileges.
This is not a remote attack, but it is still devastating, as a local user without root privileges is enough that has access to the command sudo, even just for a subset of commands.
How the exploit works (in broad terms)
An attacker can construct a fake chroot environment with:
- A copy of
/bin/shor other executable essential to start a basic shell in the isolated context; - A contrived version of
/etc/nsswitch.conf, containing references to custom modules for name resolution, such as:passwd: mymaliciousmodule group: mymaliciousmodule shadow: mymaliciousmoduleThis will force
sudoto load a library.socorresponding tolibnss_mymaliciousmodule.so.2; - A library
.somalicious, written and compiled ad hoc, placed in the simulated structure of/lib,/usr/libor similar within the chroot, so that it can be detected by the dynamic linker; - A minimal consistent structure in the chroot, which allows the invoked command (e.g.
/bin/sh) to start up and generate errors as little as possible (including special dummy devices,/proc, any symlinks); - Finally, running the command:
sudo -R /tmp/fakechroot /bin/sh
At this point, sudo, respecting the parameter --chroot, change root to the specified path (/tmp/fakechroot) and executes the requested command. In doing so, it attempts to resolve the configurations nsswitch, loading dynamic modules with elevated privileges. Since the library .so is placed by an attacker and includes arbitrary code, which is executed as root within the process sudo.
The most critical aspect is that this happens without exploiting classic vulnerabilities such as buffer overflow or memory corruption: this is a logical abuse, based on the trust that sudo puts back into the infrastructure chroot. For this reason, the attack is relatively simple to carry out for anyone with local access and even partial permission to sudo.
Which distributions are vulnerable?
Vulnerable distributions are all those that have adopted sudo in version >= 1.9.14 and <= 1.9.17, so in particular:
- Alma Linux 8, Alma Linux 9 e Alma Linux 10
- Rocky Linux 8/9;
- RHEL 8/9, if updated with
sudorecent; - Ubuntu (especially updated 22.04 LTS versions);
- Debian testing/sid, if you received version 1.9.14+;
- macOS Sequoia and recent versions that integrate updated sudo;
- SUSE Linux Enterprise e openSUSE recent.
CentOS 7: Out of Danger (For Once)
Strange but true: 7 CentOS, now declared dead (EOL) since June 2024, is saved. The version of sudo included in the official CentOS 7 repositories is the 1.8.23, released around 2017 and remained so until the end of support. This version, although very dated, does not implement the option yet --chroot (-R) introduced in later versions of the 1.9 series, and for this very reason It is not affected by the CVE-2025-32463 vulnerability.
From a technical point of view, the source code of sudo 1.8.23 does not support the parameter --chroot, nor does it have routines that perform temporary root switching and file loading /etc/nsswitch.conf within the chroot environment. This means that even if an attacker tries to create a manipulated environment, sudo would not be able to use it according to the vulnerable logic of the 1.9.x versions.
However, it is important to point out that This “rescue” is the result of chance and not of an intrinsic safety advantage. CentOS 7 is a completely out-of-support distribution: its packages contain numerous known, unpatched vulnerabilities in critical components such as the kernel, glibc, OpenSSL, systemd, OpenSSH, and many others. Continuing to use CentOS 7 in production environments poses a significant risk.
In other words, for this specific vulnerability CentOS 7 users can breathe a sigh of relief, but they should not be considered safe overall. It is strongly recommended to plan a migration to a supported distribution such as AlmaLinux 8/9 or Rocky Linux 8/9, taking advantage of the transition tools made available by the community, such as AlmaLinux's ELevate.
How to check if you are vulnerable?
Simply do:
sudo --versionIf you get an output like:
Sudo version 1.9.17six vulnerable.
If you have instead:
Sudo version 1.9.17p1six already safe (corrected version).
If you have a version older than 1.9.14 (e.g. 1.8.23 on CentOS 7), you are not vulnerable to CVE-2025-32463.
Immediate mitigation
If you can't upgrade right away, there are some ways to mitigate the risks:
1. Do not allow access to sudo to untrusted users
- Remove users from
/etc/sudoersor from groups likewheelosudo. - Usa
sudoersto grant access only to specific commands, notALL.
2. Avoid using --chroot in your scripts
Check if there are any scripts or cronjobs that contain:
sudo -Ro
sudo --chrootIf you don't use that feature, you're already more protected.
3. Check the logs
Look for any suspicious uses of --chroot:
grep 'sudo' /var/log/secure | grep '\-\-chroot'o
journalctl | grep 'sudo.*--chroot'4. Recompile sudo in correct version
Alternatively, if your system does not yet have the correct version of sudo (1.9.17p1 or higher) and you don't want or can't wait for the official update via the package manager, you can download the sources from the official website and proceed with manual compilation.
Here are the essential passages:
wget https://www.sudo.ws/dist/sudo-1.9.17p1.tar.gz
tar xzf sudo-1.9.17p1.tar.gz
cd sudo-1.9.17p1
./configure --prefix=/usr/local
make
make installThis will install sudo in the directory /usr/local/bin/sudo, leaving the system version intact in /usr/bin/sudo. It is advisable to also update the PATH or create a symbolic link if you want to replace the default version.
If you want to integrate sudo compiled with PAM, logging or advanced plugins, you can customize the ./configure with options like:
./configure --prefix=/usr/local --with-pam --with-env-editor --with-logging=syslogYou can also validate the installation with:
/usr/local/bin/sudo --version⚠️ Please note:: the manual compilation of sudo on production systems must be performed with extreme caution. It is advisable:
- test first on staging or lab environments;
- make a full backup of your system or at least
/etc/sudoers; - Avoid uninstalling the system version without verifying that the compiled version works correctly.
Finally, remember to update your policies. sudoers if you use custom paths for the track sudo (Eg. /usr/local/bin/sudo).
A future without --chroot?
The maintainers of sudo they have already announced that the option --chroot will be removed in future versions of the software. This decision stems from the fact that, despite its apparent usefulness in recovery or maintenance scenarios, the option has proven to be overly complex to manage safely. The recently discovered bug confirms it: the combination of the chroot environment and the dynamic resolution of configurations and libraries can introduce attack vectors that are difficult to mitigate.
The mechanism --chroot requires that sudo behaves correctly even in artificial and potentially incomplete environments, which greatly complicates the code logic and increases the attack surface. Furthermore, many distributions and real environments make limited use of this option, making it a secondary target in terms of features but a primary target in terms of risks.
For those who need it run commands within isolated or chroot environments, it is recommended to adopt modern and natively more secure tools such as:
systemd-nspawn: to launch lightweight Linux containers in environments withsystemd, with advanced isolation and integrated logging;- Manually managed chroot: if strictly necessary, but only in controlled environments and with well-configured minimal fs;
- Docker-container o podman: for running processes in isolated environments, with greater control, portability and consolidated security tools.
The future of sudo it will therefore be leaner, focused on core functionality and granular policies, while execution in virtualized environments will be left to solutions specifically designed for that task. An approach that is understandable and, in light of what has happened, definitely appropriate.
Conclusion: Let's refresh sudo
In this torrid summer of 2025, even sudo he started sweating: a simple to exploit but potentially devastating vulnerability has highlighted how important it is to always keep system tools updated, even the "historical" ones like sudo. The bug related to the option --chroot, which has hit many of the most recent distributions, has shown how even mature and consolidated software can hide pitfalls if not properly maintained.
And while some older systems are saved by pure coincidence of timing, the overall picture remains alarming: trust in privileged software can never be blind. Production environments must be constantly monitored, updated and verified. No component should be taken for granted, especially if it has the power to turn a normal user into root.
The advice is simple but strategic: check the version of sudo, update if necessary, restrict user access, and monitor logs. Add controls to your audits, remove the unnecessary in policies sudoers and also consider adopting more granular tools for privileged access control.
And maybe, just in case, offer your servers a towel: this summer, they're sweating too. But with the right updates, at least they'll avoid CVE heatstroke.
