CYBERSECURITY BULLETIN – A vulnerability was recently announced – CVE-2021-3156 – in the program ‘Sudo’. The vulnerability allows a local, authenticated person the ability to gain administrative or system privileges. Qualys successfully demonstrated the vulnerability with their own proof of concept code. The Sudo program is available in most Linux distributions, making this a critical risk to mitigate.
Vulnerability is easily verified at the system command line. Directions for patching are available below in the Actions to Take section.
The Sudo utility is essentially on every Linux-based distribution, including Linux-based systems, such as Apple Macs. To exploit Sudo, a person must be logged in to the console, but as any normal user or even the account ‘nobody’.
Worse-Case Impact Scenario
A normal user can escalate their privileges with credentials. This results in an unauthorized user becoming root (administrator / superuser). A compromise of root privileges indicates a full breach of confidentiality, integrity, and availability of the system. Recovering may require rebuilding or restoring from a known-safe backup.
Actions To Take
Verify Vulnerability on a System
A Linux system is vulnerable and exploitable if the Sudo version is below 1.9.5p2. Steps to verify this vulnerability are straightforward, quick, and repeatable. Following are steps that can be done by any user, normal or an administrator:
- Run command “sudoedit -s /”
- If the system is vulnerable, an error appears starting with “sudoedit:”
- If the system is patched, the response starts with “usage:”
The vulnerability is removed by updating Sudo to the newest version, 1.9.5p2, available at https://www.sudo.ws/download.html. It’s advised to update immediately.
Qualys, which discovered the vulnerability, has written a technical analysis and exploit walkthrough. That write-up is available here: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
Buster security advisory: https://lists.debian.org/debian-security-announce/2021/msg00020.html
Stretch security advisory: https://lists.debian.org/debian-lts-announce/2021/01/msg00022.html