BeyondTrust sudo Vulnerability Report Reveals the Risk of Root Access
Every sudo Vulnerability Ever Identified by NIST Could Have Been Mitigated
CARLSBAD, Calif. – April 12, 2011 — BeyondTrust, the leading provider of privilege delegation and authorization management, today published its inaugural sudo Vulnerability Report. The report analyzes all vulnerabilities published by The National Institute of Standards and Technology (NIST) sudo security bulletins.
NIST, sudo developers, and UNIX/Linux distributors regularly identify new security vulnerabilities in sudo that allow users with limited access rights to escalate their privileges. Additionally, administrators and users also identify a multitude of undisclosed vulnerabilities regarding sudo. The sudo (super user do) command is intended to allow users to execute certain commands at another user's privilege level - usually root.
By examining all of the published sudo vulnerabilities in 2010 and all of the published sudo vulnerabilities to date, this report quantifies the risks associated with root-level access and the use of sudo itself.
The results show that removing root access would mitigate the risks associated with sudo vulnerabilities 100 percent of the time. The document also evaluates security risks related to sudo’s logs, unpatched systems and recommendations from the Department of Homeland Security.
“Although NIST, Todd Miller and Gratisoft all release patches regularly to address known vulnerabilities, vulnerability identification and patch deployment can take a significant amount of time, resulting in a delay that can leave corporate networks open to attack. With sudo pre-installed on nearly every Linux and UNIX machine, organizations may have multiple versions of the utility and are not aware of which versions need patching, thus adding to the challenge,” said Michele Shannon, vice president of product management and marketing at BeyondTrust. “As companies integrate UNIX and Linux, operating systems that are popular in virtualized and cloud environments, they need plans to mitigate risk with a more sophisticated and secure solution for privileged access, allowing users to operate effectively without the root password.”
Organizations can mitigate the risks from sudo vulnerabilities by following best practices in least privilege with individual accountability and monitoring. By breaking down root access into individual access accounts for each IT admin, organizations are empowered to determine who made unauthorized or suspicious changes. Logs that cannot be altered make staff unable to cover their tracks. Detailed access policies giving IT staff only the access they need to perform their jobs, reduces the potential damage any single individual could cause.
The BeyondTrust 2010 sudo Vulnerability report is accessible at the following link: http://www.beyondtrust.com/whitepapers/BeyondTrust2010-sudo-Vulnerability-analysis.aspx
About BeyondTrust
Founded in 1985, BeyondTrust is the global leader in privilege authorization management, access control and security solutions for virtualization and cloud computing environments. BeyondTrust empowers IT governance to strengthen security, improve productivity, drive compliance and reduce expense. The company’s products eliminate the risk of intentional, accidental and indirect misuse of privileges on desktops and servers in heterogeneous IT systems. More than half of the companies listed on the Dow Jones Industrial Average rely on BeyondTrust’s PowerBroker suite of products to secure their enterprises.
Five of the top ten commercial banks and two of America’s largest private companies have adopted PowerBroker to secure guest operating systems and ESX hypervisors in a virtualized environment. For more information, visit www.beyondtrust.com.
BeyondTrust, the BeyondTrust logo and PowerBroker are trademarks or registered trademarks, in the United States and certain other countries of BeyondTrust Software. Additional company and product names may be trademarks or registered trademarks of the individual companies and are respectfully acknowledged.
Brian Anderson
BeyondTrust
(818) 575-4000
banderson@beyondtrust.com
Stefanie Cannon
Gutenberg Communications
(408) 335-6964
btprteam@gutenbergpr.com