According to the security researchers at Qualys, the vulnerability has been hiding in plain sight for almost a decade, tracing back to July 2011. It affects all legacy versions of Sudo from 1.8.2 to 1.8.31p2, and all stable builds from 1.9.0 to 1.9.5p1.
"Successful exploitation of this vulnerability allows any unprivileged user to gain root privileges on the vulnerable host. Qualys security researchers have been able to independently verify the vulnerability and develop multiple variants of exploit and obtain full root privileges on Ubuntu 20.04 (Sudo 1.8.31), Debian 10 (Sudo 1.8.27), and Fedora 33 (Sudo 1.9.2)," Qualys stated in a blog post.
The researchers do not believe the issue is limited to those operating systems, and say other distributions are also likely to be exploitable in their default configurations.
Researchers have given the exploit the name Baron Samedit. Here is a video of it in action...
What this boils down to is a bug in the Sudo code that is reached when Sudo is asked to run a command in shell mode (shell -c command). According to Sudo project lead Todd Miller, the bug can be leveraged to elevate privileges to root even if the user is not listed in the Sudoers file—no user authentication is required to exploit the bug, which makes this fairly serious.
Here is what he had to say on the matter...
"When Sudo runs a command in shell mode, either via the -s or -i command line option, it escapes special characters in the command's arguments with a backslash. The Sudoers policy plugin will then remove the escape characters from the arguments before evaluating the Sudoers policy (which doesn't expect the escape characters) if the command is being run in shell mode.
A bug in the code that removes the escape characters will read beyond the last character of a string if it ends with an unescaped backslash character. Under normal circumstances, this bug would be harmless since Sudo has escaped all the backslashes in the command's arguments. However, due to a different bug, this time in the command line parsing code, it is possible to run Sudoedit with either the -s or -i options, setting a flag that indicates shell mode is enabled. Because a command is not actually being run, Sudo does not escape special characters. Finally, the code that decides whether to remove the escape characters did not check whether a command is actually being run, just that the shell flag is set. This inconsistency is what makes the bug exploitable."
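To make the interplay Miller describes concrete, here is an added C illustration; it is not Sudo's code. It uses a deliberately simplified escaping rule, an escape-removal loop with the trailing-backslash flaw (it treats the NUL terminator as "not a space" and steps over it), and a hardened loop that checks for the terminator first. The function names `escape_arg`, `unescape_buggy` and `unescape_fixed`, the buffer layout, and the "SECRET" bytes placed after the argument are all constructed for the demonstration; writes into the output buffer are bounded so that only the over-read is visible.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-in for the escaping step in the quote above: every
 * non-alphanumeric byte gets a backslash in front of it. Returns the number
 * of bytes written; dst is always NUL-terminated (assumes dstlen >= 1). */
size_t escape_arg(const char *src, char *dst, size_t dstlen)
{
    size_t n = 0;
    for (; *src != '\0'; src++) {
        if (!isalnum((unsigned char)*src)) {
            if (n + 1 >= dstlen) break;
            dst[n++] = '\\';
        }
        if (n + 1 >= dstlen) break;
        dst[n++] = *src;
    }
    dst[n] = '\0';
    return n;
}

/* Escape removal with the flaw described above: a backslash is dropped when
 * the byte after it is not a space. When the backslash is the LAST byte, the
 * byte after it is the NUL terminator, which is also "not a space", so the
 * loop steps over the terminator and keeps copying from whatever memory
 * follows the string. Returns the number of source bytes consumed, which
 * exceeds strlen(src) when the over-read happens. */
size_t unescape_buggy(const char *src, char *dst, size_t dstlen)
{
    const char *from = src;
    size_t n = 0;
    while (*from != '\0') {
        if (from[0] == '\\' && !isspace((unsigned char)from[1]))
            from++;                      /* may now point at the NUL */
        if (n < dstlen) dst[n++] = *from;
        from++;                          /* and now past it */
    }
    return (size_t)(from - src);
}

/* Hardened loop: never skip a backslash whose successor is the terminator. */
size_t unescape_fixed(const char *src, char *dst, size_t dstlen)
{
    const char *from = src;
    size_t n = 0;
    while (*from != '\0') {
        if (from[0] == '\\' && from[1] != '\0' && !isspace((unsigned char)from[1]))
            from++;
        if (n < dstlen) dst[n++] = *from;
        from++;
    }
    return (size_t)(from - src);
}

int main(void)
{
    /* Constructed memory layout: the argument "a\" and its terminator, with
     * unrelated data ("SECRET") placed right after it in the same buffer. */
    char arena[16] = {0};
    memcpy(arena, "a\\\0SECRET", 10);
    char escaped[16], out[16];

    /* Normal path: the argument is escaped first, so the trailing backslash
     * is doubled and even the buggy loop stops at the real terminator. */
    escape_arg(arena, escaped, sizeof escaped);
    memset(out, 0, sizeof out);
    size_t used = unescape_buggy(escaped, out, sizeof out);
    printf("escaped input %-6s consumed %zu of %zu bytes -> \"%s\"\n",
           escaped, used, strlen(escaped), out);

    /* Shell-flag-without-command path: no escaping happened, so the raw
     * trailing backslash reaches the buggy loop and it reads past the NUL. */
    memset(out, 0, sizeof out);
    used = unescape_buggy(arena, out, sizeof out);
    printf("raw input     %-6s consumed %zu of %zu bytes (over-read of %zu)\n",
           arena, used, strlen(arena), used - strlen(arena));

    /* Same raw input through the hardened loop: stops at the terminator. */
    memset(out, 0, sizeof out);
    used = unescape_fixed(arena, out, sizeof out);
    printf("fixed loop    %-6s consumed %zu of %zu bytes -> \"%s\"\n",
           arena, used, strlen(arena), out);
    return 0;
}
```

Compile with `cc -Wall -o unescape_demo unescape_demo.c && ./unescape_demo`. The middle line of output is the point of the exercise: the buggy loop reports consuming more bytes than the raw argument contains, because the missing check for the terminator is only safe as long as the escaping step has already run.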
Qualys says that, given the breadth of the attack surface for Baron Samedit, affected users should apply patches immediately.