CVE-2025-32463 | sudo | LPE
| Vulnerability | CVE-2025-32463 |
|---|---|
| Type | Local Privilege Escalation in sudo with chroot argument |
| Description | A flaw in sudo before 1.9.17p1 allows local users to obtain root access because /etc/nsswitch.conf from a user-controlled directory is used with the --chroot option, without requiring any sudo rules for the low-privileged user. |
| Affected Systems | sudo versions from 1.9.14 to 1.9.17 (refer to your OS advisory) |
| Attack Vector | Local – attacker must have access to the system |
| Exploit Mechanism | Attacker sets up a fake chroot environment containing a crafted shared library and modified nsswitch.conf. When a command is run with sudo -R, the malicious library is loaded, allowing arbitrary code execution as root. |
| Impact of the Bug | Successful exploitation allows full root access |
| Detection Techniques | - Check for use of sudo -R with unusual or user-controlled paths. |
| IOCs Related to Exploitation | - Creation of nsswitch.conf in non-standard directories. |
| Mitigation Steps | - Upgrade sudo to version 1.9.17p1 or later. (refer to OS advisory) |
| References | - NVD – CVE-2025-32463 - sudo Project Patch Notes - PoC |
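
The detection row above calls for spotting `sudo -R` with an unusual or user-controlled path. As an added example (not part of the advisory or the sudo project), the Python below applies that check to process command lines from exec telemetry, parsing sudo's own options so that a `-R` belonging to the wrapped command (`sudo chown -R ...`) is not flagged. The `USER_WRITABLE` prefix list and the sample command lines are assumptions constructed for illustration.

```python
import os
# sudo options that consume a value (see sudo(8)), so "root" in "-u root" is not read as the command.
SHORT_WITH_ARG = set("aCcDghpRrTtUu")
LONG_WITH_ARG = {"--chroot", "--chdir", "--close-from", "--group", "--host", "--prompt",
                 "--role", "--type", "--command-timeout", "--other-user", "--user"}
# Assumption: locations an unprivileged user can usually write to.
USER_WRITABLE = ("/tmp", "/var/tmp", "/dev/shm", "/home")

def chroot_dir(argv):
    """Return the directory given to sudo -R/--chroot, or None if not used."""
    if not argv or os.path.basename(argv[0]) not in ("sudo", "sudoedit"):
        return None
    rest = list(argv[1:])
    while rest:
        arg = rest.pop(0)
        if arg in ("-", "--") or not arg.startswith("-"):
            return None                      # options end; the rest is the command
        if arg.startswith("--"):
            name, eq, value = arg.partition("=")
            if name in LONG_WITH_ARG:
                if not eq:
                    value = rest.pop(0) if rest else None
                if name == "--chroot":
                    return value
            continue
        for pos, flag in enumerate(arg[1:], start=2):   # bundled short options
            if flag == "h" and not arg[pos:] and (not rest or rest[0].startswith("-")):
                continue                     # bare -h means help and takes no value
            if flag in SHORT_WITH_ARG:
                value = arg[pos:] or (rest.pop(0) if rest else None)
                if flag == "R":
                    return value
                break
    return None

def assess(argv, cwd="/"):
    """Return None, "chroot" or "chroot-user-controlled" for one command line."""
    target = chroot_dir(argv)
    if target is None:
        return None
    path = os.path.normpath(os.path.join(cwd, target))   # resolve relative -R paths
    risky = any(path == p or path.startswith(p + "/") for p in USER_WRITABLE)
    return "chroot-user-controlled" if risky else "chroot"

# Constructed sample telemetry: (working directory, argv) pairs.
SAMPLES = [("/tmp/stage", ["sudo", "-R", "jail", "id"]), ("/root", ["sudo", "ls", "-R"])]
if __name__ == "__main__":
    for cwd, argv in SAMPLES:
        print(argv, "->", assess(argv, cwd))
```

Any non-`None` result is worth reviewing, since `-R` is rarely used in normal administration; the `chroot-user-controlled` label marks the cases that match the table's description most closely.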