Critical bug in sudo puts Linux and Unix systems at risk

Any logged-in unprivileged user can abuse an old bug in sudo to gain root privileges. It is rated as an important security issue for Linux and Unix-like operating systems. The Qualys research team discovered that the heap overflow vulnerability in sudo itself has been hiding in plain sight for nearly 10 years. The bug allows any local user to gain root access without authentication (no password is needed). Apply patches to your operating systems as soon as possible.

System administrators use the sudo command to grant specific users rights, such as restarting Nginx or Apache, for server management purposes. IT automation tools such as Ansible also rely heavily on sudo.


We have two critical sudo vulnerabilities:

  1. It was discovered that Sudo incorrectly handled memory when parsing command lines. A local attacker could possibly use this issue to obtain unintended access to the administrator account. (CVE-2021-3156)
  2. It was discovered that the Sudo sudoedit utility incorrectly handled checking directory permissions. A local attacker could possibly use this issue to bypass file permissions and determine if a directory exists or not. (CVE-2021-23239)

CVE-2021-3156: Heap-Based Buffer Overflow in Sudo (Baron Samedit)

From the blog post:

Sudo is a powerful utility that’s included in most if not all Unix- and Linux-based OSes. It allows users to run programs with the security privileges of another user. The vulnerability itself has been hiding in plain sight for nearly 10 years. It was introduced in July 2011 (commit 8255ed69) and affects all legacy versions from 1.8.2 to 1.8.31p2 and all stable versions from 1.9.0 to 1.9.5p1 in their default configuration.

Successful exploitation of this vulnerability allows any unprivileged user to gain root privileges on the vulnerable host. Qualys security researchers have been able to independently verify the vulnerability and develop multiple variants of exploit and obtain full root privileges on Ubuntu 20.04 (Sudo 1.8.31), Debian 10 (Sudo 1.8.27), and Fedora 33 (Sudo 1.9.2). Other operating systems and distributions are also likely to be exploitable.
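A small triage helper, added here as an example and not part of the original post or of Qualys' advisory: it reads the banner printed by `sudo --version` (the same line shown in the Ubuntu steps and in the macOS comment) and tests the upstream version against the affected ranges quoted above. The function names are my own, and the caveat in the comments matters: distributions backport fixes without changing the upstream version number, so a hit is a reason to check the package changelog, not proof of exposure.

```shell
#!/bin/sh
# Added example, not code from the original post: parse the banner printed by
# `sudo --version` and test the upstream version against the ranges the advisory
# lists for CVE-2021-3156 (1.8.2..1.8.31p2 and 1.9.0..1.9.5p1). Distros backport
# fixes without bumping that number (Debian's 1.8.27-1+deb10u3 is fixed), so a
# hit means "check the package changelog", not "proven vulnerable".

# Map "1.8.31p2" to one integer (major, minor, patch, p-level) so that plain
# numeric comparison orders versions correctly.
sudo_version_key() {
    ver=$1; p=0
    case $ver in *p*) p=${ver##*p}; ver=${ver%%p*} ;; esac
    major=${ver%%.*}; rest=${ver#*.}; minor=${rest%%.*}
    case $rest in *.*) patch=${rest#*.}; patch=${patch%%.*} ;; *) patch=0 ;; esac
    printf '%s\n' $((major * 1000000 + minor * 10000 + patch * 100 + p))
}

# Return 0 (true) when the version lies inside an affected range.
sudo_is_affected() {
    k=$(sudo_version_key "$1")
    { [ "$k" -ge "$(sudo_version_key 1.8.2)" ] && [ "$k" -le "$(sudo_version_key 1.8.31p2)" ]; } ||
    { [ "$k" -ge "$(sudo_version_key 1.9.0)" ] && [ "$k" -le "$(sudo_version_key 1.9.5p1)" ]; }
}

# Pull "1.9.5p2" out of the banner line "Sudo version 1.9.5p2".
sudo_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^Sudo version \([0-9][0-9.]*p\{0,1\}[0-9]*\).*/\1/p'
}

# Triage the local host; runs only when the script is invoked with --check.
check_local_sudo() {
    v=$(sudo_version_from_banner "$(sudo --version 2>/dev/null | head -n 1)")
    [ -n "$v" ] || { echo "could not read sudo version"; return 2; }
    if sudo_is_affected "$v"; then
        echo "sudo $v: inside an affected upstream range, verify patch status"
    else
        echo "sudo $v: outside the affected upstream ranges"
    fi
}

if [ "${1:-}" = "--check" ]; then check_local_sudo; fi
```

Run it as `sh check-sudo.sh --check` on each host; on Debian or SUSE, follow a hit with the package changelog or patch listing commands shown in the mitigation sections.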

Mitigation

The problem can be corrected by updating your system to the following package versions.

Ubuntu and Debian Linux

You need to apply patches on Ubuntu 16.04/18.04/20.04 LTS and 20.10 using the apt command or apt-get command:
sudo apt update
sudo apt upgrade
## or just upgrade the sudo package ##
sudo apt install sudo
sudo --version


For the stable Debian distribution (buster), this problem has been fixed in version 1.8.27-1+deb10u3. Hence, run the above commands on Debian too.

Arch Linux

Open the terminal app and then run the following pacman command:
sudo pacman -Syu

:: Synchronizing package databases...
 core                  134.3 KiB   163 KiB/s 00:01 [#####################] 100%
 extra                1650.4 KiB  2.07 MiB/s 00:01 [#####################] 100%
 community               5.3 MiB  8.55 MiB/s 00:01 [#####################] 100%
:: Starting full system upgrade...
resolving dependencies...
looking for conflicting packages...
 
Packages (17) audit-3.0-1  bpytop-1.0.60-1  ca-certificates-mozilla-3.61-1
              filesystem-2021.01.19-1  gnupg-2.2.27-1  go-2:1.15.7-1
              iptables-1:1.8.7-1  krb5-1.18.3-1  libcap-2.47-1
              libgcrypt-1.9.0-2  libnftnl-1.1.9-1  pam-1.5.1-1
              sqlite-3.34.1-1  sudo-1.9.5.p2-1  tar-1.33-1  tzdata-2021a-1
              zstd-1.4.8-1
 
Total Download Size:   138.39 MiB
Total Installed Size:  604.42 MiB
Net Upgrade Size:       -0.05 MiB
 
:: Proceed with installation? [Y/n]

Red Hat Enterprise Linux 8.x/7.x and CentOS and Fedora Linux

Run the dnf command (or the yum command on RHEL 7.x) to fix the bug on RHEL 7.x/8.x, CentOS and Fedora Linux:
sudo dnf update

Suse and OpenSUSE Linux

SUSE Enterprise Linux 12.x and 15.x are affected too. For example, use the zypper command to list pending sudo patches and then apply them:
sudo zypper lp -a | grep -i sudo
sudo zypper up

FreeBSD

I have not tested this, but you need to update the FreeBSD port or pkg by running the following pkg commands:
sudo pkg update
sudo pkg upgrade

Updating FreeBSD repository catalogue...
Fetching packagesite.txz: 100%    6 MiB   3.2MB/s    00:02    
Processing entries: 100%
FreeBSD repository update completed. 30177 packages processed.
All repositories are up to date.
[root@nixcraft-m6700 ~]# pkg upgrade
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
Checking for upgrades (1 candidates): 100%
Processing candidates (1 candidates): 100%
The following 1 package(s) will be affected (of 0 checked):
 
Installed packages to be UPGRADED:
	sudo: 1.9.5p1 -> 1.9.5p2
 
Number of packages to be upgraded: 1
 
942 KiB to be downloaded.
 
Proceed with this action? [y/N]: y
[1/1] Fetching sudo-1.9.5p2.txz: 100%  942 KiB 964.4kB/s    00:01    
Checking integrity... done (0 conflicting)
[1/1] Upgrading sudo from 1.9.5p1 to 1.9.5p2...
[1/1] Extracting sudo-1.9.5p2: 100%
You may need to manually remove /usr/local/etc/sudoers if it is no longer needed.

Alpine Linux

Use the apk command to apply the sudo update:
apk update
apk upgrade

macOS

We have to wait for Apple to release an update.

Summing up

All of these are old buffer overflow bugs in sudo that any local user can exploit without a password or authentication. Hence, you must apply the fixes to get rid of this critical bug in sudo. I am going to look into the doas utility, which is the default on OpenBSD. Of course, we can install doas from ports on NetBSD or FreeBSD. There is a Linux port too.


7 comments
  • Carl6 Jan 28, 2021 @ 5:46

    When will Apple release an update? I am the only user on my MacBook Pro. Can anyone exploit the bug remotely?

    • 🐧 Vivek Gite Jan 31, 2021 @ 6:18

      No. It is a local bug. Apple will take some time to push updates. Do not create a user account and grant ssh access to anyone on your Mac.

  • Ashish Jan 29, 2021 @ 19:06

    They need to get the doas package on Linux. Get rid of sudo. It is too risky.

  • Guru Jan 30, 2021 @ 18:42

    Is OPNsense affected by the sudo bug? Please tell me.

  • Gisela Jan 31, 2021 @ 16:43

    SUSE Enterprise Linux and OpenSUSE users can run the following command to see when sudo was last updated or installed [1]:
    cut -d "|" -f 1-4 -s --output-delimiter " | " /var/log/zypp/history | grep -v " radd " | grep sudo

    2020-02-01 16:53:27 | install | sudo | 1.8.22-lp151.5.3.1
    2020-02-27 05:06:50 | install | sudo | 1.8.22-lp151.5.6.1
    2020-07-08 17:05:07 | install | sudo | 1.8.22-lp152.7.17
    2020-07-08 17:06:55 | install | yast2-sudo | 4.2.3-lp152.1.1
    2020-11-28 12:18:04 | install | sudo | 1.8.22-lp152.8.3.1
    2021-01-27 11:10:17 | install | sudo | 1.8.22-lp152.8.6.1
    

    Get the status for sudo; it should be up-to-date:

    zypper info sudo | grep -i ^status
    Status         : up-to-date

    Verify that all patches for the sudo CVEs (bug or security vulnerabilities) have been applied:
    zypper info sudo
    rpm -q --changelog sudo | more
    zypper lp -a --cve=CVE-2021-3156,CVE-2021-23239,CVE-2021-23240

    My system:

    Loading repository data...
    Reading installed packages...
    
    The following matches in issue numbers have been found:
    
    Issue | No.            | Patch             | Category | Severity  | Interactive | Status  | Since      | Summary
    ------+----------------+-------------------+----------+-----------+-------------+---------+------------+-------------------------
    cve   | CVE-2021-23239 | openSUSE-2021-170 | security | important | ---         | applied | 2021-01-27 | Security update for sudo
    cve   | CVE-2021-23240 | openSUSE-2021-170 | security | important | ---         | applied | 2021-01-27 | Security update for sudo
    cve   | CVE-2021-3156  | openSUSE-2021-170 | security | important | ---         | applied | 2021-01-27 | Security update for sudo
    
    

    [1] https://www.suse.com/c/zypper-equivalent-of-rug-history-command/

  • Methai Feb 16, 2021 @ 15:55

    Older sudo version on macOS:

    Sudo version 1.8.31
    Sudoers policy plugin version 1.8.31
    Sudoers file grammar version 46
    Sudoers I/O plugin version 1.8.31
    

    My updated version on macOS after applying all updates from the settings menu; I am using macOS version 11.2.1:

    Sudo version 1.9.5p2
    Sudoers policy plugin version 1.9.5p2
    Sudoers file grammar version 48
    Sudoers I/O plugin version 1.9.5p2
    Sudoers audit plugin version 1.9.5p2
    
