Vulnerability Watch

Forum Discussion

Anonymous
6 years ago


CVE-2019-14287: Local Bypass of Runas User Restrictions

This vulnerability could allow a malicious user or application to call an invalid user account in certain Linux configurations and run commands as root using the sudo function.

To quote hackernews:

"So, in a specific scenario where you have been allowed to run a specific, or any, command as any other user except the root, the vulnerability could still allow you to bypass this security policy and take complete control over the system as root."

Also, as researcher @warnvod on Twitter points out:

"This does not affect you if:

- Your users are not allowed to sudo

- Your users are allowed to sudo to root

- Your users are only allowed to sudo as non-root to non-potentially-damaging software (say "id" instead of something like "rm" or "bash")"

Tenable will be releasing plugins ASAP for users to scan their Linux assets to identify hosts running vulnerable versions, and a live list of plugins can be found on our plugin search page here as they're released to our plugin feed.

2 Replies
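The two quotes above describe the one sudoers shape that matters for this CVE: a rule that lets a user run commands as any user except root (a Runas spec like `(ALL, !root)`). The script below is an added example, not part of the original post or of Tenable's plugins, and it does not reproduce the bypass itself. It parses sudoers-style User_Spec lines and sorts each rule into @warnvod's three buckets, so a defender can see which rules match the exposed configuration before the scanner results arrive. The sample sudoers content is constructed, and the parser is deliberately simple (it handles plain User_Spec lines and skips Defaults, alias definitions, comments and includes; it does not resolve aliases or multi-host specs).

```python
import re

# Constructed sample sudoers fragment (not taken from the post). Each rule has the form:
#   user  host = (runas_users[:runas_groups]) [TAG:] commands
SAMPLE_SUDOERS = """\
# constructed example entries
Defaults    env_reset
User_Alias  ADMINS = root, alice
root    ALL=(ALL:ALL) ALL
alice   ALL=(ALL, !root) /usr/bin/vim
bob     ALL=(ALL, !#0) NOPASSWD: ALL
carol   ALL=(www-data) /usr/bin/id
dave    ALL=(ALL) /bin/bash
erin    ALL=/usr/bin/systemctl
%wheel  ALL=(ALL:ALL) ALL
"""

# user, host, optional "(runas)" group, then the command list.
RULE_RE = re.compile(
    r'^(?P<user>\S+)\s+(?P<host>[^=\s]+)\s*=\s*'
    r'(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$'
)

# Lines that are not User_Specs and must not be fed to RULE_RE.
SKIP_PREFIXES = ('#', 'Defaults', '@include', '#include')


def parse_runas(spec):
    """Return the list of Runas *user* entries for a rule.

    sudoers defaults the Runas user to root when the "(...)" part is omitted.
    Only the user half (before ':') is relevant to this CVE; groups are ignored.
    """
    if spec is None or not spec.strip():
        return ['root']
    users = spec.split(':', 1)[0]
    return [e.strip() for e in users.split(',') if e.strip()]


def classify_runas(runas):
    """Map a Runas user list onto the three cases from the post.

    'at-risk'       : ALL with root excluded (!root or !#0) - the configuration
                      the advisory quotes describe.
    'already-root'  : the rule already permits root, so nothing is bypassed.
    'non-root-only' : an explicit list of non-root users; does not match the
                      "any user except root" pattern (whether the allowed
                      command is damaging is a judgement left to the reader).
    """
    allows_any = 'ALL' in runas
    excludes_root = any(e in ('!root', '!#0') for e in runas)
    if allows_any and excludes_root:
        return 'at-risk'
    if 'root' in runas or (allows_any and not excludes_root):
        return 'already-root'
    return 'non-root-only'


def audit(sudoers_text):
    """Parse sudoers text and return one record per User_Spec rule."""
    records = []
    for raw in sudoers_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(SKIP_PREFIXES) or '_Alias' in line.split('=')[0]:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        runas = parse_runas(m.group('runas'))
        records.append({
            'user': m.group('user'),
            'host': m.group('host'),
            'runas': runas,
            'cmds': m.group('cmds').strip(),
            'status': classify_runas(runas),
        })
    return records


def at_risk_users(sudoers_text):
    """Sorted list of users/groups whose rules match the exposed configuration."""
    return sorted({r['user'] for r in audit(sudoers_text) if r['status'] == 'at-risk'})


if __name__ == '__main__':
    for rec in audit(SAMPLE_SUDOERS):
        print(f"{rec['status']:14} {rec['user']:8} runas={','.join(rec['runas'])} cmds={rec['cmds']}")
    print('rules to prioritise for patching:', at_risk_users(SAMPLE_SUDOERS))
```

Point the script at a copy of /etc/sudoers (and the files under /etc/sudoers.d) to get a quick first cut; it complements, rather than replaces, a version check by the vendor plugins, since the real fix is upgrading sudo on every host, not just the ones with an `(ALL, !root)` rule.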