We have become aware of a vulnerability in the Sudo component of the Linux operating system which would allow a regular user to gain super user (root) privileges. We are classifying this as a critical vulnerability. The risks are that valid users can exploit the vulnerability to gain unauthorized access rights, or a hacker that compromises any regular user’s login credentials can gain super user privileges.
“This vulnerability is perhaps the most significant sudo vulnerability in recent memory (both in terms of scope and impact) and has been hiding in plain sight for nearly 10 years,” said Mehul Revankar, Vice President Product Management and Engineering, Qualys, VMDR, and noted that there are likely to be millions of assets susceptible to it.
About the vulnerability (CVE-2021-3156)
Also dubbed Baron Samedit (a play on Baron Samedi and sudoedit), the heap-based buffer overflow flaw is present in sudo legacy versions (1.8.2 to 1.8.31p2) and all stable versions (1.9.0 to 1.9.5p1) in their default configuration.
“When sudo runs a command in shell mode, either via the -s or -i command line option, it escapes special characters in the command’s arguments with a backslash. The sudoers policy plugin will then remove the escape characters from the arguments before evaluating the sudoers policy (which doesn’t expect the escape characters) if the command is being run in shell mode,” sudo maintainer Todd C. Miller explained.
“A bug in the code that removes the escape characters will read beyond the last character of a string if it ends with an unescaped backslash character. Under normal circumstances, this bug would be harmless since sudo has escaped all the backslashes in the command’s arguments. However, due to a different bug, this time in the command line parsing code, it is possible to run sudoedit with either the -s or -i options, setting a flag that indicates shell mode is enabled. Because a command is not actually being run, sudo does not escape special characters. Finally, the code that decides whether to remove the escape characters did not check whether a command is actually being run, just that the shell flag is set. This inconsistency is what makes the bug exploitable.”
Qualys researchers, who unearthed and reported CVE-2021-3156, have provided additional technical details and instructions on how users can verify whether they have a vulnerable version.
They developed several exploit variants that work on Ubuntu 20.04, Debian 10, and Fedora 33, but won’t be sharing the exploit code publicly. “Other operating systems and distributions are also likely to be exploitable,” they pointed out.
Fixes are available
The bug has been fixed in sudo 1.9.5p2, downloadable from here.
Patched vendor-supported version have been provided by Ubuntu, RedHat, Debian, Fedora, Gentoo, and others.
Though it only allows escalation of privilege and not remote code execution, CVE-2021-3156 could be leveraged by attackers who look to compromise Linux systems and have already managed to get access (e.g., through brute force attacks).
Quick Links for rpm:
Centos 5 - 32 bits sudo rpm