Any logged-in unprivileged user can abuse an old bug in sudo to gain root privileges. It was rated as an important security issue for Linux and Unix-like operating systems. The Qualys research team has discovered the heap overflow vulnerability in sudo itself has been hiding in plain sight for nearly 10 years. The bug allows any local users to gain root access without authentication (no user’s password needed). We need to apply patches to our operating systems as soon as possible.
System administrators use the sudo command to grant specific user rights, such as restarting Nginx or restart Apache server for server management purposes. IT automation tools such as Ansible and others use sudo heavily too.
Critical bug in sudo puts Linux and Unix systems at risk
We have two critical sudo vulnerabilities:
- It was discovered that Sudo incorrectly handled memory when parsing command lines. A local attacker could possibly use this issue to obtain unintended access to the administrator account. (CVE-2021-3156)
- It was discovered that the Sudo sudoedit utility incorrectly handled checking directory permissions. A local attacker could possibly use this issue to bypass file permissions and determine if a directory exists or not. (CVE-2021-23239)
CVE-2021-3156: Heap-Based Buffer Overflow in Sudo (Baron Samedit)
From the blog post:
Sudo is a powerful utility that’s included in most if not all Unix- and Linux-based OSes. It allows users to run programs with the security privileges of another user. The vulnerability itself has been hiding in plain sight for nearly 10 years. It was introduced in July 2011 (commit 8255ed69) and affects all legacy versions from 1.8.2 to 1.8.31p2 and all stable versions from 1.9.0 to 1.9.5p1 in their default configuration.
Successful exploitation of this vulnerability allows any unprivileged user to gain root privileges on the vulnerable host. Qualys security researchers have been able to independently verify the vulnerability and develop multiple variants of exploit and obtain full root privileges on Ubuntu 20.04 (Sudo 1.8.31), Debian 10 (Sudo 1.8.27), and Fedora 33 (Sudo 1.9.2). Other operating systems and distributions are also likely to be exploitable.
The problem can be corrected by updating your system to the following package versions.
Ubuntu and Debian Linux
You need to apply patched on Ubuntu version 16.04/18.04/20.04 LTS and 20.10 using the apt command/apt-get command:
sudo apt update
sudo apt upgrade
## or just install sudo upgrade ##
sudo apt install sudo
Open the terminal app and then run the following pacman command:
sudo pacman -Syu
:: Synchronizing package databases... core 134.3 KiB 163 KiB/s 00:01 [#####################] 100% extra 1650.4 KiB 2.07 MiB/s 00:01 [#####################] 100% community 5.3 MiB 8.55 MiB/s 00:01 [#####################] 100% :: Starting full system upgrade... resolving dependencies... looking for conflicting packages... Packages (17) audit-3.0-1 bpytop-1.0.60-1 ca-certificates-mozilla-3.61-1 filesystem-2021.01.19-1 gnupg-2.2.27-1 go-2:1.15.7-1 iptables-1:1.8.7-1 krb5-1.18.3-1 libcap-2.47-1 libgcrypt-1.9.0-2 libnftnl-1.1.9-1 pam-1.5.1-1 sqlite-3.34.1-1 sudo-1.9.5.p2-1 tar-1.33-1 tzdata-2021a-1 zstd-1.4.8-1 Total Download Size: 138.39 MiB Total Installed Size: 604.42 MiB Net Upgrade Size: -0.05 MiB :: Proceed with installation? [Y/n]
Red Hat Enterprise Linux 8.x/7.x and CentOS and Fedora Linux
Suse and OpenSUSE Linux
I have not tested this, but you need to update FreeBSD port or pkg by running the following pkg command:
sudo pkg update
sudo pkg upgrade
Updating FreeBSD repository catalogue... Fetching packagesite.txz: 100% 6 MiB 3.2MB/s 00:02 Processing entries: 100% FreeBSD repository update completed. 30177 packages processed. All repositories are up to date. [root@nixcraft-m6700 ~]# pkg upgrade Updating FreeBSD repository catalogue... FreeBSD repository is up to date. All repositories are up to date. Checking for upgrades (1 candidates): 100% Processing candidates (1 candidates): 100% The following 1 package(s) will be affected (of 0 checked): Installed packages to be UPGRADED: sudo: 1.9.5p1 -> 1.9.5p2 Number of packages to be upgraded: 1 942 KiB to be downloaded. Proceed with this action? [y/N]: y [1/1] Fetching sudo-1.9.5p2.txz: 100% 942 KiB 964.4kB/s 00:01 Checking integrity... done (0 conflicting) [1/1] Upgrading sudo from 1.9.5p1 to 1.9.5p2... [1/1] Extracting sudo-1.9.5p2: 100% You may need to manually remove /usr/local/etc/sudoers if it is no longer needed.
Use the apk command to apply sudo update:
We have to wait for Apple to release an update.
All of these are old buffer overflown bugs in sudo that any local user can exploit without a password or authentication. Hence, you must apply fixes to get rid of a critical bug in sudo. I am going to look into the doas utility, which is the default on OpenBSD. Of course, we can install doas from ports on NetBSD or FreeBSD. There is a Linux port too.
🐧 7 comments so far... add one ↓
|Category||List of Unix and Linux commands|
|Disk space analyzers||df • ncdu • pydf|
|File Management||cat • tree|
|Firewall||Alpine Awall • CentOS 8 • OpenSUSE • RHEL 8 • Ubuntu 16.04 • Ubuntu 18.04 • Ubuntu 20.04|
|Network Utilities||NetHogs • dig • host • ip • nmap|
|OpenVPN||CentOS 7 • CentOS 8 • Debian 10 • Debian 8/9 • Ubuntu 18.04 • Ubuntu 20.04|
|Package Manager||apk • apt|
|Processes Management||bg • chroot • cron • disown • fg • jobs • killall • kill • pidof • pstree • pwdx • time|
|Searching||grep • whereis • which|
|User Information||groups • id • lastcomm • last • lid/libuser-lid • logname • members • users • whoami • who • w|
|WireGuard VPN||Alpine • CentOS 8 • Debian 10 • Firewall • Ubuntu 20.04|