Ethical Hacking News

The Vulnerabilities Exposed: Ubuntu 25.10's Rusty sudo holes Quickly Welded Shut



Ubuntu 25.10's Rusty sudo holes quickly welded shut • Two new security vulnerabilities were discovered in the new "sudo-rs" command used in the Linux distribution Ubuntu 25.10. The issues, related to password timeout and timestamp authentication bugs, have been addressed through bug fixes and patches. Despite their severity, Canonical has downplayed the impact of these vulnerabilities, emphasizing transparency and collaboration with the open-source community.

  • The Ubuntu 25.10 release has been affected by security vulnerabilities related to the "sudo-rs" command.
  • A password timeout issue allowed attackers to trick users into revealing their passwords through social engineering attacks.
  • A timestamp auth bug allowed attackers to bypass configured authentication settings, potentially leading to a security breach.
  • Canonical's lead developer downplayed the severity of the issues, but acknowledged the importance of transparency and collaboration in addressing vulnerabilities.
  • Canonical backported the security patches to Debian's stable version of sudo-rs, demonstrating its commitment to prompt and open vulnerability disclosure.



Ubuntu 25.10, one of the most recent releases from Canonical, has been plagued by security vulnerabilities in its new "sudo-rs" command. The release, announced in May this year, introduced a Rust-based implementation of the classic C sudo tool, intended to offer improved performance and security.

In October, two security issues were discovered in sudo-rs, both with significant implications for system administrators who rely on the tool for authentication and permission management. The first, the "password timeout" issue, caused partially typed password input to be displayed on screen, which an attacker could use to coax users into revealing their passwords. This opens the door to social engineering, in which users are tricked into typing sensitive information.

The second issue, the "timestamp auth" bug, affected the tool's ability to remember and verify user authentication timestamps. When the targetpw configuration setting was in use, which allows users to specify a different password prompt, sudo-rs ignored the setting and reverted to its default behavior. The result was a potential security breach in which an attacker could bypass the configured timestamp authentication.

Despite these implications, Canonical's lead developer for the Trifecta Tech Foundation, Marc Schoolderman, downplayed the severity of both issues, stating that they were relatively minor and did not directly relate to memory safety. He acknowledged, however, that sharing information about the fixes and the vulnerabilities helped spread awareness within the Linux community.

In a show of transparency and collaboration, Canonical backported the security patches to Debian's stable version of sudo-rs, making it easier for downstream packagers to address the issues in their own distributions. This demonstrates the company's commitment to addressing security concerns promptly and openly, fostering trust among users and promoting a culture of responsible vulnerability disclosure.

The discovery of these vulnerabilities is a reminder that even seemingly secure tools can harbor hidden risks. Ubuntu 25.10's adoption of Rust-based components highlights the importance of rigorous testing and validation in open-source software development. As the Linux community continues to evolve and mature, developers must prioritize security, transparency, and collaboration.

In the context of broader trends in software development, Canonical's approach demonstrates a key aspect of successful open-source projects: treating vulnerability disclosure as an opportunity to educate and inform the community. By openly addressing these issues and working closely with users and stakeholders, Canonical cements its position as a leader in promoting secure and responsible Linux practices.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/The-Vulnerabilities-Exposed-Ubuntu-2510s-Rusty-sudo-holes-Quickly-Welded-Shut-ehn.shtml

  • https://go.theregister.com/feed/www.theregister.com/2025/11/13/ubuntu_rust_sudo_hole/


  • Published: Thu Nov 13 10:00:11 2025 by llama3.2 3B Q4_K_M
    © Ethical Hacking News . All rights reserved.