Linux/Unix/BSD/macOS: Critical sudo vulnerability grants root privileges to local attackers [for IT staff]. Buffer overflow with sudo - Please update as soon as possible!
The ten-year-old vulnerability CVE-2021-3156 allows local attackers to gain root privileges via sudo without sudo permissions.
Security firm Qualys has found a vulnerability in “sudo” that allows local users – even without sudo permissions! – to gain root rights with a simple command. The vulnerability, named “Baron Samedit” by Qualys, has been assigned the ID CVE-2021-3156.
According to Qualys, the security problem has existed since July 2011 and affects the legacy sudo versions 1.8.2 to 1.8.31p2 as well as the current versions 1.9.0 to 1.9.5p1 – in each case in the default configuration. In practice, this means that essentially every current Linux distribution and BSD that ships sudo must be assumed to be affected. Several distributions have already provided updated packages, which users should install as soon as possible. sudo 1.9.5p2 fixes the vulnerability.
CVE-2021-3156 is caused by a flaw in sudo's command-line parsing that can lead to a heap-based buffer overflow. According to the advisory, the bug is triggered by invoking sudo in shell mode (“sudoedit -s”) with a command-line argument that ends in a single backslash.
Details can be found here:
- Qualys Security Advisory (full attack description and PoC) https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
- Qualys blog entry: Heap-Based Buffer Overflow in Sudo https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit
- CVE-2021-3156: Entry in the National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2021-3156
According to Qualys, you can test whether a system is vulnerable by logging in as an unprivileged user and running the command “sudoedit -s /” (a forward slash, not a backslash as shown in the video). If the system is vulnerable, an error message is displayed that begins with “sudoedit:”. If it is not vulnerable, an error message is also displayed – but it begins with “usage:”.
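The following script is an added example (not from Qualys or any distribution) that turns the check described above into something you can run across a fleet: it classifies the first line that “sudoedit -s /” prints, and additionally compares a sudo version string against the affected ranges named in the advisory. It assumes a POSIX sh and a sed that supports basic regular expressions; a distribution that backports the fix without bumping the version string will still look "affected" to the version check, so the sudoedit probe remains the authoritative test.

```shell
#!/bin/sh
# Added check script (assumption: POSIX sh, BRE-capable sed). Not the advisory's code.

# Split a sudo version such as "1.8.31p2" into four integer fields "1 8 31 2".
# A missing "pN" suffix counts as patch level 0. Fails on anything else.
sudo_ver_fields() {
    v=$(printf '%s' "$1" | sed -n \
        's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\)\(p\([0-9][0-9]*\)\)\{0,1\}$/\1 \2 \3 \5/p')
    [ -n "$v" ] || return 1
    set -- $v
    printf '%s %s %s %s\n' "$1" "$2" "$3" "${4:-0}"
}

# Collapse the four fields into one integer so versions can be compared with -le/-ge.
sudo_ver_key() {
    f=$(sudo_ver_fields "$1") || return 1
    set -- $f
    echo $(( $1 * 1000000 + $2 * 10000 + $3 * 100 + $4 ))
}

# True (exit 0) when the version lies in 1.8.2..1.8.31p2 or 1.9.0..1.9.5p1,
# the ranges given in the Qualys advisory. Unparseable input returns 2.
sudo_version_affected() {
    k=$(sudo_ver_key "$1") || return 2
    lo1=$(sudo_ver_key 1.8.2);  hi1=$(sudo_ver_key 1.8.31p2)
    lo2=$(sudo_ver_key 1.9.0);  hi2=$(sudo_ver_key 1.9.5p1)
    { [ "$k" -ge "$lo1" ] && [ "$k" -le "$hi1" ]; } ||
    { [ "$k" -ge "$lo2" ] && [ "$k" -le "$hi2" ]; }
}

# Classify the first output line of "sudoedit -s /" exactly as the text describes:
# "sudoedit:" prefix means vulnerable, "usage:" prefix means patched.
classify_sudoedit_output() {
    case "$1" in
        sudoedit:*) echo vulnerable ;;
        usage:*)    echo patched ;;
        *)          echo unknown ;;
    esac
}

# Live probe: run as an unprivileged user; stdin is closed so nothing can prompt.
check_host() {
    out=$(sudoedit -s / 2>&1 </dev/null | head -n 1)
    classify_sudoedit_output "$out"
}
```

Run `check_host` on each machine as a normal user; feed `sudo_version_affected "$(sudo -V | sed -n 's/^Sudo version //p')"` only as a secondary hint.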
Current information from various distributions and manufacturers can be found here, among other places:
- Amazon Linux Security Center https://alas.aws.amazon.com/
- Arch Linux Advisory on CVE-2021-3156 https://security.archlinux.org/CVE-2021-3156
- Debian Security Tracker https://security-tracker.debian.org/tracker/CVE-2021-3156
- Fedora 33 Update: sudo-1.9.5p2-1.fc33 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LHXK6ICO5AYLGFK2TAX5MZKUXTUKWOJY/
- FreeBSD bug tracker entry https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=253034
- Gentoo Linux Advisory https://security.gentoo.org/glsa/202101-33
- openSUSE Leap 15.1 https://linuxsecurity.com/advisories/opensuse/opensuse-2021-0169-1-important-sudo-07-16-55 and Leap 15.2 https://linuxsecurity.com/advisories/opensuse/opensuse-2021-0170-1-important-sudo-07-15-35
- Red Hat Customer Portal: RHEL Updates https://access.redhat.com/security/cve/CVE-2021-3156
- SUSE Products https://www.suse.com/support/kb/doc/?id=000019841
- Ubuntu updates for CVE-2021-3156 https://ubuntu.com/security/CVE-2021-3156
- QNAP: Advisory for NAS (disable SSH and Telnet if not needed) https://www.qnap.com/en/security-advisory/qsa-21-02