Sudo Before 1.9.15 Vulnerable to Row Hammer Attacks
CVE-2023-42465

7HIGH

Key Information:

Vendor: Sudo Project
Status: Sudo
Vendor: CVE Published:; 22 December 2023

Summary

A vulnerability in Sudo before version 1.9.15 exposes systems to row hammer attacks, potentially allowing unauthorized users to bypass authentication or escalate privileges. The issue arises due to flaws in application logic—specifically, relying on not equaling an error value rather than confirming a successful operation. This oversight, combined with inadequate resistance to single bit flips, creates an environment where attackers can exploit these weaknesses for elevated access.

References

https://www.sudo.ws/releases/changelog/

https://www.openwall.com/lists/oss-security/2023/12/21/9

https://github.com/sudo-project/sudo/commit/7873f8334c8d3...

CVSS V3.1

Score:

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Dec 22, 2023
Vulnerability Reserved
Sep 11, 2023