[SA-0009] - sudo Privilege Escalation
Dear Valued Sippy Customer,
A security vulnerability was reported in the FreeBSD operating system. Two significant vulnerabilities were identified in Linux and Mac OS systems allowing local users to quickly escalate privileges, disable security measures, and move deeper into the network. Those vulnerabilities are detailed below. A patched version of sudo will be available to be rolled out to our Customers as early as July 21st, 2025. Please contact our support team to schedule an update.
A closer look at each vulnerability
CVE-2025-32462 — “Policy-Check Flaw”
The -h / --host option in sudo was intended only for sudo -l (listing privileges). In affected versions, it could be added to any command. This tricked sudo into thinking it was on a permitted host, allowing someone with even minimal sudo access to run commands as root, bypassing host-specific rules.
The fix ensures -h is rejected unless used with -l.
CVE-2025-32463 — “chroot to root”
This issue involves sudo’s -R / --chroot option. Older versions would switch into the specified directory before fully evaluating privileges. An attacker could prepare a writable directory (for example under /tmp), place a fake /etc/nsswitch.conf and a malicious libnss_*.so library there, and then invoke sudo. Sudo would load the attacker’s code as root.
The latest sudo release disables this chroot behavior during policy checks.
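A defensive check for the two option patterns described above, as an added example (not Sippy's or the sudo project's code): it parses sudo command lines, such as those recovered from process-execution audit records, and flags -h / --host used without -l and any use of -R / --chroot. The option lists follow the sudo(8) manual and are an assumption; the sample command lines and host names are constructed.

```python
import shlex

# Options that take a value, per the sudo(8) manual (assumed; the long-option
# set is a subset). Their values must be skipped to find where the command starts.
SHORT_WITH_ARG = set("aCcDghpRrTtUu")
LONG_TO_SHORT = {"--host": "h", "--chroot": "R", "--list": "l"}
LONG_WITH_ARG = {"--user", "--group", "--prompt", "--chdir", "--other-user"}

def sudo_options(argv):
    """Parse only sudo's own options; stop where the command to run begins."""
    opts, i = {}, 1
    while i < len(argv):
        tok = argv[i]
        if tok in ("-", "--") or not tok.startswith("-"):
            break
        nxt = argv[i + 1] if i + 1 < len(argv) else None
        if tok.startswith("--"):
            name, eq, value = tok.partition("=")
            key = LONG_TO_SHORT.get(name, name)
            takes_arg = key in SHORT_WITH_ARG or name in LONG_WITH_ARG
            if takes_arg and not eq and nxt and not nxt.startswith("-"):
                value, i = nxt, i + 1
            opts[key] = value or (None if takes_arg else True)
        else:
            for pos, ch in enumerate(tok[1:], start=1):
                if ch not in SHORT_WITH_ARG:
                    opts[ch] = True
                    continue
                value = tok[pos + 1:] or None      # -hhost form
                if value is None and nxt and not nxt.startswith("-"):
                    value, i = nxt, i + 1          # -h host form
                opts[ch] = value                   # bare -h (help) stays None
                break
        i += 1
    return opts

def findings(cmdline):
    argv = shlex.split(cmdline)
    if not argv or argv[0].rsplit("/", 1)[-1] != "sudo":
        return []
    opts, out = sudo_options(argv), []
    if opts.get("h") and "l" not in opts:
        out.append("host option without -l (CVE-2025-32462 pattern)")
    if opts.get("R"):
        out.append("chroot option (CVE-2025-32463 pattern)")
    return out

# Constructed sample command lines, e.g. as recovered from exec audit records.
SAMPLE = ["sudo -l -h web01", "sudo -h web01 /bin/sh", "sudo --host=db02 -n id",
          "/usr/local/bin/sudo -R /tmp/stage id", "sudo -h", "sudo ls -h /tmp"]
```

Running findings() over each entry in SAMPLE flags only the second, third and fourth lines; the -l listing, the bare -h help request and the -h that belongs to ls are left alone.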
Affected Versions and Resolution Plan
We have outlined who is affected and what steps are needed for our customers to address this security concern. The corrective steps depend on the version of software you are using as well as the signalling package that is currently in use. The table below outlines them.
Product | Version | Resolution Plan |
---|---|---|
Sippy Softswitch | 2020 | Update to the latest Sippy Softswitch 2021 |
Sippy Softswitch | 2021 | Update to the latest Sippy Softswitch 2021 |
Sippy Softswitch | 2022 | Update to the latest Sippy Softswitch 2022 |
Sippy Softswitch | 2023 | Update to the latest Sippy Softswitch 2023 |
Sippy Freightswitch | Testing | Update to the latest Version |
Next steps
Customers on Flex Licenses and Active Support agreements will be eligible for the patch, and the update will be performed on a priority basis. Customers who are on Sippy Softswitch v2020 or earlier, or who do not currently have a support agreement, are directed to contact sales@sippysoft.com for further instructions.
Sincerely,
Phillip Ma
Product Manager
Sippy Software.