Sudo's host (-h or --host) option is intended to be used in conjunction with the list option (-l or --list) to list a user's sudo privileges on a host other than the current one. However, due to a bug it was not restricted to listing privileges and could be used when running a command via `sudo` or editing a file with sudoedit. Depending on the rules present in the sudoers file this could allow a local privilege escalation attack.
Sudo versions affected:

Sudo versions 1.8.8 to 1.9.17 inclusive are affected.

CVE ID:

This vulnerability has been assigned CVE-2025-32462 in the Common Vulnerabilities and Exposures database.

Details:

The intent of sudo's -h (--host) option is to make it possible to list a user's sudo privileges for a host other than the current one. It was only intended to be used in conjunction with the -l (--list) option. The bug effectively makes the hostname portion of a sudoers rule irrelevant, since the user can choose the host that is used when the rules are evaluated. A user must still be listed in the sudoers file, but they do not need to have an entry for the current host.

For example, given the sudoers rule:

    alice cerebus = ALL

user alice would be able to run "sudo -h cerebus id" on any host, not just cerebus. For example:

    alice@hades$ sudo -l
    Sorry, user alice may not run sudo on hades.
    alice@hades$ sudo -l -h cerebus
    User alice may run the following commands on cerebus:
        (root) ALL
    alice@hades$ sudo -h cerebus id
    uid=0(root) gid=0(root) groups=0(root)

Impact:

Sudoers files that include rules where the host field is not the current host or "ALL" are affected. This primarily affects sites that use a common sudoers file that is distributed to multiple machines. Sites that use LDAP-based sudoers (including SSSD) are similarly impacted.

For example, a sudoers rule such as:

    bob ALL = ALL

is not affected since the host "ALL" already matches any host, but a rule like:

    alice cerebus = ALL

could allow user alice to run any command even if the current host is not cerebus.

Fix:

The bug is fixed in sudo 1.9.17p1.

Credit:

Thanks to Rich Mirch from Stratascale Cyber Research Unit (CRU) for reporting and analyzing the bug. The Stratascale advisory can be found at: https://www.stratascale.com/vulnerability-alert-CVE-2025-32462-sudo-host