Using the ten-year-old vulnerability CVE-2021-3156, local attackers can gain root rights via sudo without sudo permissions. There are Linux and BSD updates.
On Unix-like operating systems, the sudo command enables certain commands to be executed with the rights of another user, for example those of the superuser root. Now employees of the IT security company Qualys have found a security hole in sudo that could be exploited by any local attacker to gain root privileges without authentication. According to Qualys, no sudo permissions are required for this.
The vulnerability, also known as “Baron Samedit” by Qualys, has been assigned ID CVE-2021-3156. An article on the Red Hat Customer Portal called the CVSS score 7.0 (“High”); the Arch Linux developers, in turn, rate the gap as critical. According to Qualys, the security problem has existed since July 2011 and affects older sudo versions from 1.8.2 to 1.8.31p2 and current versions from 1.9.0 to 1.9.5p1 – each in the standard configuration . In practice this means that all current versions of Linux distributions and BSDs that use sudo should be affected. Several distributions have provided updated packages that users should install as soon as possible.sudo 1.9.5p2 is secured .
Attack details
CVE-2021-3156 is based on errors parsing sudo command inputs that can cause a heap-based buffer overflow. The exploit is described as being based on entering the command “sudoedit -s” followed by a special command-line argument ending in a single backslash. In tests on Ubuntu 20.04 (Sudo 1.8.31), Debian 10 (Sudo 1.8.27), and Fedora 33 (Sudo 1.9.2), the research team obtained root rights in each case.
Qualys has published both a detailed description of the exploit and a video demonstrating the attack.
- Qualys Security Advisory (full attack description and PoC)
- Qualys blog entry: Heap-Based Buffer Overflow in Sudo
- CVE-2021-3156: Entry in the National Vulnerability Database
Security updates available
Linux and BSD users should keep an eye out for security advisories related to CVE-2021-3156 as well as new sudo packages. Current information from various distributions can be found here:
