Linux: Bug in Sudo allows privilege escalation

[German]Security researchers at Qualsys have discovered a vulnerability (CVE-2021-3156) in the BSD/Linux Sudo command. Due to a heap overflow, attackers with normal privileges could achieve privilege escalation to root. However, updates for the vulnerability are now available from major Linux distributions.


Advertising

I became aware of the vulnerability a few hours ago via the following tweet from Qualsys, which is described in more detail in this blog post.

Linux Sudo-Schwachstelle CVE-2021-3156

The command sudo stands for SuperUser do and is used or Unix-like computer operating systems that allows users to run programs with the security privileges of another user, by default the superuser. To do this, however, the user must know the password of the account used to execute the process. Some admins removes sudo for security reasons from their systems.

The Qualys research team has discovered a heap overflow vulnerability (CVE-20213156, Baron Samedit) in sudo, a nearly ubiquitous utility available on major Unix-like operating systems. Any unprivileged user can gain root privileges on a vulnerable host with a standard sudo configuration by exploiting this vulnerability.

Qualys security researchers were able to independently verify the vulnerability and develop multiple variants of the exploit and gain full root privileges on Ubuntu 20.04 (Sudo 1.8.31), Debian 10 (Sudo 1.8.27) and Fedora 33 (Sudo 1.9.2). It is likely that other operating systems and distributions are exploitable as well.


Advertising

The vulnerability itself has existed undiscovered for almost 10 years and was introduced in July 2011 (commit 8255ed69). Therefore, the vulnerability affects all legacy versions from 1.8.2 to 1.8.31p2 and all stable versions from 1.9.0 to 1.9.5p1 in their default configuration. Qualsys has notified the developers of Sudo. The vulnerability has been fixed in sudo 1.9.5p2, and updates should be available for major Linux distributions.

To test if your system is vulnerable, you need to log in as a non-root user and run the command "sudoedit -s /". Vulnerable systems will print an error starting with "sudoedit:", while patched systems will display an error starting with "usage:". More details and a video can be found in this article.


Cookies helps to fund this blog: Cookie settings
Advertising


This entry was posted in Linux, Security and tagged , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *