Sudo vulnerability allows attackers to gain root privileges on Linux systems (CVE-2021-3156)
A vulnerability (CVE-2021-3156) in sudo, a powerful and near-ubiquitous open-source utility used on major Linux and Unix-like operating systems, could allow any unprivileged local user to gain root privileges on a vulnerable host (without authentication).
“This vulnerability is perhaps the most significant sudo vulnerability in recent memory (both in terms of scope and impact) and has been hiding in plain sight for nearly 10 years,” said Mehul Revankar, Vice President Product Management and Engineering, Qualys, VMDR, and noted that there are likely to be millions of assets susceptible to it.
About the vulnerability (CVE-2021-3156)
Also dubbed Baron Samedit (a play on Baron Samedi and sudoedit), the heap-based buffer overflow flaw is present in sudo legacy versions (1.8.2 to 1.8.31p2) and all stable versions (1.9.0 to 1.9.5p1) in their default configuration.
“When sudo runs a command in shell mode, either via the -s or -i command line option, it escapes special characters in the command’s arguments with a backslash. The sudoers policy plugin will then remove the escape characters from the arguments before evaluating the sudoers policy (which doesn’t expect the escape characters) if the command is being run in shell mode,” sudo maintainer Todd C. Miller explained.
“A bug in the code that removes the escape characters will read beyond the last character of a string if it ends with an unescaped backslash character. Under normal circumstances, this bug would be harmless since sudo has escaped all the backslashes in the command’s arguments. However, due to a different bug, this time in the command line parsing code, it is possible to run sudoedit with either the -s or -i options, setting a flag that indicates shell mode is enabled. Because a command is not actually being run, sudo does not escape special characters. Finally, the code that decides whether to remove the escape characters did not check whether a command is actually being run, just that the shell flag is set. This inconsistency is what makes the bug exploitable.”
Qualys researchers, who unearthed and reported CVE-2021-3156, have provided additional technical details and instructions on how users can verify whether they have a vulnerable version.
They developed several exploit variants that work on Ubuntu 20.04, Debian 10, and Fedora 33, but won’t be sharing the exploit code publicly. “Other operating systems and distributions are also likely to be exploitable,” they pointed out.
Fixes are available
The bug has been fixed in sudo 1.9.5p2, downloadable from here.
Patched vendor-supported version have been provided by Ubuntu, RedHat, Debian, Fedora, Gentoo, and others.
Though it only allows escalation of privilege and not remote code execution, CVE-2021-3156 could be leveraged by attackers who look to compromise Linux systems and have already managed to get access (e.g., through brute force attacks).
UPDATE (February 3, 2021, 01:10 a.m. PT):
Hacker House co-founder Matthew Hickey discovered that macOS Big Sur comes with sudo and is vulnerable – a fact that has been confirmed by Will Dormann, a vulnerability analyst at the CERT/CC.
IBM AIX, a series of proprietary Unix operating systems developed by IBM for some of its computer platforms, is also affected.
Cisco is investigating which of its products may be affected by this vulnerability and continuously updating this security advisory with the findings.
UPDATE (February 10, 2021, 01:10 a.m. PT):
Apple has released updates for macOS Big Sur, macOS Catalina and macOS Mojave that fix the sudo flaw (by updating to sudo version 1.9.5p2).