sudo CVE-2019-18634 buffer overflow vulnerability

A buffer overflow in sudo (CVE-2019-18634) lets local users escalate to root when pwfeedback is enabled. The default configuration is not vulnerable, but plenty of systems have pwfeedback turned on for password asterisks.

Verified for technical accuracy — Kodi C.

On , details of CVE-2019-18634 were publicly disclosed—a stack-based buffer overflow in sudo versions 1.7.1 through 1.8.30 when the pwfeedback option is enabled. The vulnerability allows local users to escalate privileges to root by triggering the overflow during password entry. While the pwfeedback option is disabled by default in most distributions, several Linux variants enable it, expanding the vulnerable population significantly.

Technical Analysis and Exploitation Mechanism

The vulnerability exists in sudo's password feedback mechanism, which displays asterisks as users type their password—a feature designed to provide visual feedback during authentication. When pwfeedback is enabled in /etc/sudoers and a user provides input exceeding the internal buffer size, a stack-based buffer overflow occurs in the getln() function within tgetpass.c.

The technical root cause lies in how sudo handles pipe input when pwfeedback is active. When input is piped to sudo rather than entered interactively, the feedback mechanism attempts to write asterisks for each character. By piping a specially crafted input stream larger than the stack buffer (typically 4096 bytes), an attacker can overflow the buffer and potentially overwrite the return address on the stack to redirect execution flow.

Exploitation does not require the attacker to have any sudo privileges configured—any local user who can execute the sudo binary (even if all their commands are denied by sudoers policy) can attempt exploitation. The attacker does not need to know any valid passwords; the overflow occurs during the password prompt before authentication is checked.

Vulnerability History and Discovery

The vulnerability has been present in sudo since version 1.7.1, released in April 2009, meaning susceptible configurations have been vulnerable for over a decade. The issue was discovered by security researcher Joe Vennix of Apple Information Security, who reported it to the sudo maintainers in late 2019.

The extended timeframe during which this vulnerability existed highlights challenges in auditing long-standing code, particularly features that are disabled by default. The pwfeedback functionality was added as a user convenience feature without full consideration of security implications in edge cases like pipe input handling.

CVE-2019-18634 received a CVSS 3.1 base score of 7.8 (High), reflecting local attack vector requirements but acknowledging the potential for complete system compromise through privilege escalation to root. The vulnerability has been assigned to CWE-787 (Out-of-bounds Write).

Affected Systems and Distribution Analysis

Linux distributions that enable pwfeedback by default present immediate risk without additional configuration changes. Linux Mint enables pwfeedback in its default sudoers configuration, affecting all standard installations. Elementary OS similarly ships with pwfeedback enabled. Custom enterprise configurations may also enable this feature for user experience reasons.

Major distributions including Debian, Ubuntu, Red Hat Enterprise Linux, CentOS, Fedora, and SUSE ship with pwfeedback disabled by default. However, you should audit configurations rather than assuming defaults, as system administrators may have enabled the feature locally. macOS is not vulnerable as the sudo setup does not support the pwfeedback option.

Organizations can quickly identify vulnerable configurations by searching for "pwfeedback" in sudoers files: grep -r pwfeedback /etc/sudoers /etc/sudoers.d/ 2>/dev/null. Any system with an active (uncommented) "Defaults pwfeedback" entry, without the ! negation operator, is potentially vulnerable if it runs an affected sudo version; a match on "!pwfeedback" or on a commented-out line is not a finding.
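As an added example (not code from the briefing or the sudo project), the following POSIX shell script extends that one-line grep: it reports whether each sudoers file turns pwfeedback on, negates it, or leaves it unset, skipping comments and honouring the ! negation, and compares the installed sudo version against the affected range 1.7.1 through 1.8.30. It assumes the standard /etc/sudoers and /etc/sudoers.d/ locations and treats per-user or per-host Defaults qualifiers like plain Defaults lines.

```shell
#!/bin/sh
# Added audit script (not part of the original briefing): text-based check of
# sudoers files for pwfeedback, plus a version-range test for the installed sudo.
# Assumes the standard /etc/sudoers and /etc/sudoers.d/ locations.

# Print "enabled" if the last uncommented Defaults mention of pwfeedback turns it
# on, "disabled" if it negates it (!pwfeedback), "unset" if no line mentions it.
# Per-user/host qualifiers such as "Defaults:alice" are treated like plain Defaults.
pwfeedback_state() {
    awk '
        /^[ \t]*#/ { next }                        # comment or #include directive
        /^[ \t]*Defaults/ {
            sub(/[ \t]*#.*$/, "")                  # strip trailing comment
            sub(/[ \t]+$/, "")                     # strip trailing whitespace
            sub(/^[ \t]*Defaults[^ \t]*[ \t]+/, "")  # strip keyword and qualifier
            n = split($0, opts, /[ \t]*,[ \t]*/)   # options are comma separated
            for (i = 1; i <= n; i++) {
                if (opts[i] == "!pwfeedback")      state = "disabled"
                else if (opts[i] == "pwfeedback")  state = "enabled"
            }
        }
        END { print (state == "" ? "unset" : state) }
    ' "$1"
}

# Return 0 when a sudo version string such as "1.8.21p2" falls in the affected
# range 1.7.1 .. 1.8.30 inclusive; the "pN" suffix is ignored (fix shipped in 1.8.31).
sudo_version_affected() {
    echo "$1" | awk -F. '{
        sub(/p.*/, "", $3)
        v = ($1 + 0) * 1000000 + ($2 + 0) * 1000 + ($3 + 0)
        exit !(v >= 1007001 && v <= 1008030)
    }'
}

audit_system() {
    ver=$(sudo -V 2>/dev/null | awk 'NR == 1 { print $3 }')
    if [ -z "$ver" ]; then echo "sudo not found; skipping version check"
    elif sudo_version_affected "$ver"; then
        echo "sudo $ver is in the affected range: update to 1.8.31 or later"
    else echo "sudo $ver is outside the affected range 1.7.1 .. 1.8.30"; fi
    for f in /etc/sudoers /etc/sudoers.d/*; do
        [ -e "$f" ] || continue                    # glob matched nothing
        if [ -r "$f" ]; then echo "$f: pwfeedback $(pwfeedback_state "$f")"
        else echo "$f: not readable (run as root)"; fi
    done
}

audit_system
```

Run it as root so /etc/sudoers is readable; the text-based check does not follow #include or #includedir directives, so point it at any additional sudoers fragments your deployment uses.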

Exploitation Scenarios and Risk Assessment

Local privilege escalation vulnerabilities like CVE-2019-18634 are critical components in attack chains. Attackers who gain initial access to a system through phishing, web application compromise, or other vectors use local privilege escalation to elevate from limited user access to root, enabling persistent access, lateral movement, and data exfiltration.

In containerized environments, container escapes often rely on kernel or privileged binary vulnerabilities. While containers typically have limited sudo access, systems running containers may have administrative users with sudo access who could be targeted. Virtual machine guest-to-host escapes may also use privilege escalation as an intermediate step.

The exploitation does require local system access, limiting exposure compared to remotely exploitable vulnerabilities. However, in environments with many users (development servers, shared hosting, educational systems), the attack surface includes any user with shell access. Insider threat scenarios also benefit from reliable privilege escalation mechanisms.

Remediation and Mitigation Strategies

Update sudo to version 1.8.31 or later to eliminate the vulnerability completely. Patch deployment should focus on systems with pwfeedback enabled, but all systems should be updated as defense-in-depth against future configuration changes. Most package managers provide updated sudo packages through standard security update channels.

As an immediate mitigation for systems where patching is delayed, remove or comment out any "Defaults pwfeedback" line in /etc/sudoers and files in /etc/sudoers.d/. Use visudo to safely edit sudoers configuration—this tool validates syntax before saving, preventing lockout from misconfigured sudoers files. Verify changes with sudo -l to confirm sudo functionality remains operational.

For enterprise environments, deploy configuration management to ensure pwfeedback remains disabled across managed systems. Ansible, Puppet, or Chef rules can enforce sudoers configuration standards and detect drift from approved baselines. Regular audits should verify sudo configuration compliance.

Detection and Monitoring Capabilities

Detection of exploitation attempts can focus on anomalous sudo behavior. Systems with improved logging may capture unusual sudo invocations with large input streams. However, successful exploitation typically appears as normal root shell activity, making post-exploitation detection challenging without endpoint detection capabilities.

File integrity monitoring on /etc/sudoers and /etc/sudoers.d/ can detect unauthorized configuration changes that might enable pwfeedback. Process monitoring can identify sudo processes receiving large pipe inputs, though this requires kernel-level visibility typically provided by EDR solutions.

Post-exploitation indicators may include unexpected root processes, modified system files, new scheduled tasks, or network connections from previously unprivileged user contexts. Correlation of user activity with subsequent root activity can identify potential privilege escalation events.

Security Hardening Recommendations

The vulnerability highlights the importance of minimizing non-default configuration options in security-critical tools. Each additional feature enabled in privilege management systems expands the attack surface. Where such options are in use, document the business justification for any sudoers customizations beyond distribution defaults.

Audit sudo configurations as part of regular system hardening reviews, including during security assessments and compliance audits. The Center for Internet Security (CIS) Benchmarks provide sudo hardening guidance for various Linux distributions that should inform baseline configurations.

Consider implementing sudo logging to track all privileged command execution. The sudoers log_input and log_output options record command input and output for forensic review. Central log aggregation enables detection of suspicious sudo usage patterns across the environment.