Any logged-in unprivileged user can abuse an old bug in sudo to gain root privileges. It was rated as an important security issue for Linux and Unix-like operating systems. The Qualys research team has discovered the heap overflow vulnerability in sudo itself has been hiding in plain sight for nearly 10 years. The bug allows any local users to gain root access without authentication (no user’s password needed). We need to apply patches to our operating systems as soon as possible.
System administrators use the sudo command to grant specific user rights, such as restarting Nginx or restart Apache server for server management purposes. IT automation tools such as Ansible and others use sudo heavily too.
Critical bug in sudo puts Linux and Unix systems at risk
We have two critical sudo vulnerabilities:
- It was discovered that Sudo incorrectly handled memory when parsing command lines. A local attacker could possibly use this issue to obtain unintended access to the administrator account. (CVE-2021-3156)
- It was discovered that the Sudo sudoedit utility incorrectly handled checking directory permissions. A local attacker could possibly use this issue to bypass file permissions and determine if a directory exists or not. (CVE-2021-23239)
CVE-2021-3156: Heap-Based Buffer Overflow in Sudo (Baron Samedit)
From the blog post:
Sudo is a powerful utility that’s included in most if not all Unix- and Linux-based OSes. It allows users to run programs with the security privileges of another user. The vulnerability itself has been hiding in plain sight for nearly 10 years. It was introduced in July 2011 (commit 8255ed69) and affects all legacy versions from 1.8.2 to 1.8.31p2 and all stable versions from 1.9.0 to 1.9.5p1 in their default configuration.
Successful exploitation of this vulnerability allows any unprivileged user to gain root privileges on the vulnerable host. Qualys security researchers have been able to independently verify the vulnerability and develop multiple variants of exploit and obtain full root privileges on Ubuntu 20.04 (Sudo 1.8.31), Debian 10 (Sudo 1.8.27), and Fedora 33 (Sudo 1.9.2). Other operating systems and distributions are also likely to be exploitable.
Mitigation
The problem can be corrected by updating your system to the following package versions.
Ubuntu and Debian Linux
You need to apply patched on Ubuntu version 16.04/18.04/20.04 LTS and 20.10 using the apt command/apt-get command:
sudo apt update
sudo apt upgrade
## or just install sudo upgrade ##
sudo apt install sudo
sudo --version
Fixing heap-based buffer overflow in Sudo on Ubuntu Linux desktop
Arch Linux
Open the terminal app and then run the following pacman command:
sudo pacman -Syu
:: Synchronizing package databases... core 134.3 KiB 163 KiB/s 00:01 [#####################] 100% extra 1650.4 KiB 2.07 MiB/s 00:01 [#####################] 100% community 5.3 MiB 8.55 MiB/s 00:01 [#####################] 100% :: Starting full system upgrade... resolving dependencies... looking for conflicting packages... Packages (17) audit-3.0-1 bpytop-1.0.60-1 ca-certificates-mozilla-3.61-1 filesystem-2021.01.19-1 gnupg-2.2.27-1 go-2:1.15.7-1 iptables-1:1.8.7-1 krb5-1.18.3-1 libcap-2.47-1 libgcrypt-1.9.0-2 libnftnl-1.1.9-1 pam-1.5.1-1 sqlite-3.34.1-1 sudo-1.9.5.p2-1 tar-1.33-1 tzdata-2021a-1 zstd-1.4.8-1 Total Download Size: 138.39 MiB Total Installed Size: 604.42 MiB Net Upgrade Size: -0.05 MiB :: Proceed with installation? [Y/n]
Red Hat Enterprise Linux 8.x/7.x and CentOS and Fedora Linux
Type dnf command or yum command to fix bug on RHEL 7.x/8.x and Fedora Linux:
sudo dnf update
Suse and OpenSUSE Linux
SUSE enterprise Linux version 12.x and 15.x are affected too. For example we can use the zypper command:
sudo zypper lp -a | grep -i sudo
sudo zypper up
FreeBSD
I have not tested this, but you need to update FreeBSD port or pkg by running the following pkg command:
sudo pkg update
sudo pkg upgrade
Updating FreeBSD repository catalogue... Fetching packagesite.txz: 100% 6 MiB 3.2MB/s 00:02 Processing entries: 100% FreeBSD repository update completed. 30177 packages processed. All repositories are up to date. [root@nixcraft-m6700 ~]# pkg upgrade Updating FreeBSD repository catalogue... FreeBSD repository is up to date. All repositories are up to date. Checking for upgrades (1 candidates): 100% Processing candidates (1 candidates): 100% The following 1 package(s) will be affected (of 0 checked): Installed packages to be UPGRADED: sudo: 1.9.5p1 -> 1.9.5p2 Number of packages to be upgraded: 1 942 KiB to be downloaded. Proceed with this action? [y/N]: y [1/1] Fetching sudo-1.9.5p2.txz: 100% 942 KiB 964.4kB/s 00:01 Checking integrity... done (0 conflicting) [1/1] Upgrading sudo from 1.9.5p1 to 1.9.5p2... [1/1] Extracting sudo-1.9.5p2: 100% You may need to manually remove /usr/local/etc/sudoers if it is no longer needed.
Alpine Linux
Use the apk command to apply sudo update:
apk update
apk upgrade
macOS
We have to wait for Apple to release an update.
Summing up
All of these are old buffer overflown bugs in sudo that any local user can exploit without a password or authentication. Hence, you must apply fixes to get rid of a critical bug in sudo. I am going to look into the doas utility, which is the default on OpenBSD. Of course, we can install doas from ports on NetBSD or FreeBSD. There is a Linux port too.
🐧 7 comments so far... add one ↓
Category | List of Unix and Linux commands |
---|---|
File Management | cat |
Firewall | Alpine Awall • CentOS 8 • OpenSUSE • RHEL 8 • Ubuntu 16.04 • Ubuntu 18.04 • Ubuntu 20.04 |
Network Utilities | dig • host • ip • nmap |
OpenVPN | CentOS 7 • CentOS 8 • Debian 10 • Debian 8/9 • Ubuntu 18.04 • Ubuntu 20.04 |
Package Manager | apk • apt |
Processes Management | bg • chroot • cron • disown • fg • jobs • killall • kill • pidof • pstree • pwdx • time |
Searching | grep • whereis • which |
User Information | groups • id • lastcomm • last • lid/libuser-lid • logname • members • users • whoami • who • w |
WireGuard VPN | Alpine • CentOS 8 • Debian 10 • Firewall • Ubuntu 20.04 |
when will Apply release update? I am only user on my MacBook pro. Can anyone exploit the bug remotly?
No. It is a local bug. Apple will take some time to push updates. Do not create a user account and grant ssh access to anyone on your Mac.
They need to get dosa package on Linux. Get rid of sudo. It is too risky.
Is OPNsense affected by sudo bug? please tell me
yes, update your firmware.
SUSE Enterprise Linux and OpenSUSE user can run the following commands to see when sudo last updated or installed[1]
cut -d "|" -f 1-4 -s --output-delimiter " | " /var/log/zypp/history | grep -v " radd " | grep sudo
Get status for sudo and it should be up-to-date
Verify all patches have been applied for sudo CVEs for a bug or security vulnerabilities:
zypper info sudo
rpm -q --changelog sudo | more
zypper lp -a --cve=CVE-2021-3156,CVE-2021-23239,CVE-2021-23240
My system:
[1] https://www.suse.com/c/zypper-equivalent-of-rug-history-command/
Older sudo version on macOS:
My updated version on macOS after applying all updates from settings menu and I am using macOS version 11.2.1