[SA-0005][SS-4530] Linux sudo can be abused by any logged-in user to gain root privileges

Dear Valued Customer


A security vulnerability has recently been identified in the sudo utility shipped with Linux distributions and FreeBSD. Sudo versions before 1.9.5p2 have a critical heap buffer overflow vulnerability that allows a rogue local user to take over the host system. This vulnerability has been present for some time but was only recently found by security researchers. Exploitation has been demonstrated on several Linux distributions, including Ubuntu 20.04, Debian 10 and Fedora 33. Many Linux distributions have already published security patches as of the writing of this initial post, and a patch is already available for FreeBSD, tracked here: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=253034


Sippy Software is currently verifying this issue and preparing OS-level changes to correct it. More details, including corrective steps and instructions for our customers, will be published as they become available.


Thanks!


Phillip Ma

Product Manager

Sippy Software

1 Comment

Hello Everyone,


We would like to spend some time and update everyone on the status of this Security Advisory. This issue currently impacts all production versions of our software as well as unsupported versions of our software we have offered in the past. At present we are testing a system update that will patch the current SUDO version to 1.9.5p2. This patch will be rolled out to Sippy Softswitch v5.0 and higher. Any Sippy Softswitch v4.5 and earlier will still be vulnerable. This system upgrade will be available through our support teams later this week. Please file a support ticket to have this update scheduled.


In our assessment of this issue we have determined that not all customers will have equal exposure to this problem. Customers who create users for their support teams that SSH into the machine are more likely to be at risk, as it is these created accounts that can be modified to provide enhanced permissions on the device. While the exposure may be low for most customers, we still advise you to perform a system upgrade to the latest supported version to get the best protection against this vulnerability.


If you have any questions, please feel free to file a support ticket with your questions.


Thanks!


Phillip Ma

Product Manager

Sippy Software
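The two checks a practitioner would want to run on each host before the vendor update lands are the ones the advisory and its follow-up point at: whether the installed sudo is older than 1.9.5p2, and which local accounts have an interactive shell (and so could run sudo at all). The script below is an added example written for this page, not Sippy's own update or any distribution's tooling; it assumes a POSIX sh with awk and sed, that `sudo --version` prints a first line of the form "Sudo version 1.9.5p1", and that version strings follow the `major.minor.micro[pNN]` pattern. The passwd lines it ships with are constructed sample data.

```shell
#!/bin/sh
# Added example (not Sippy's own tooling): flag a sudo older than the fixed
# release named in the advisory and list accounts with an interactive shell.
# Assumptions: POSIX sh, awk and sed available; versions look like "1.9.5p2"
# (the pNN suffix is optional) and each component is below 100.

FIXED_SUDO="1.9.5p2"   # first release the advisory names as fixed

# "1.9.5p2" -> "1 9 5 2"; missing components are treated as 0
sudo_version_parts() {
    v="$1"
    base="${v%%p*}"
    if [ "$base" = "$v" ]; then patch=0; else patch="${v##*p}"; fi
    major="${base%%.*}"; rest="${base#*.}"
    if [ "$rest" = "$base" ]; then
        minor=0; micro=0
    else
        minor="${rest%%.*}"; rest2="${rest#*.}"
        if [ "$rest2" = "$rest" ]; then micro=0; else micro="${rest2%%.*}"; fi
    fi
    echo "$major $minor $micro $patch"
}

# Collapse the four components into one integer so the shell can compare them.
sudo_version_key() {
    set -- $(sudo_version_parts "$1")
    echo $(( $1 * 1000000 + $2 * 10000 + $3 * 100 + $4 ))
}

# Exit status 0 when the given version string is older than FIXED_SUDO.
sudo_version_is_vulnerable() {
    [ "$(sudo_version_key "$1")" -lt "$(sudo_version_key "$FIXED_SUDO")" ]
}

# Pull the bare version out of `sudo --version` output ("Sudo version 1.9.5p1 ...").
sudo_version_from_output() {
    printf '%s\n' "$1" | sed -n 's/^Sudo version \([0-9][0-9.p]*\).*/\1/p' | head -n 1
}

# Accounts whose login shell is not nologin/false: the ones that can reach a
# local shell (over SSH, for instance) and therefore invoke sudo at all.
interactive_accounts() {
    printf '%s\n' "$1" | awk -F: '$7 !~ /(nologin|false)$/ { print $1 }'
}

# Constructed sample passwd content for the stand-alone run; not from any real host.
SAMPLE_PASSWD='root:*:0:0:Charlie &:/root:/bin/csh
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin
support1:*:1001:1001:Support user:/home/support1:/bin/sh
sippy:*:1002:1002:Application account:/home/sippy:/usr/sbin/nologin'

# Report for the host this runs on; never fails, so it is safe in a fleet sweep.
report_host() {
    if command -v sudo >/dev/null 2>&1; then
        ver=$(sudo_version_from_output "$(sudo --version 2>/dev/null)")
        if [ -n "$ver" ] && sudo_version_is_vulnerable "$ver"; then
            echo "sudo $ver is older than $FIXED_SUDO: confirm against your distribution's patched package"
        else
            echo "sudo ${ver:-unknown}: version string is not older than $FIXED_SUDO"
        fi
    else
        echo "sudo not installed"
    fi
    passwd_content=$(cat /etc/passwd 2>/dev/null || printf '%s' "$SAMPLE_PASSWD")
    echo "accounts with an interactive shell:"
    interactive_accounts "$passwd_content"
}

report_host
```

One caveat when reading the output: distributions commonly backport the fix into their existing package rather than moving to 1.9.5p2, so a host can print an older-looking version string and still be patched. Treat "older than 1.9.5p2" as a prompt to check the distribution's advisory or the package changelog, not as proof of exposure; the account list is the part worth acting on regardless, since it shows which logins the follow-up comment describes as the real risk.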
