Get back to patching day for... sudo(8) CVE-2021-3156

Announced today was CVE-2021-3156 a/k/a "Baron Samedit", a vulnerability to most default installations of sudo(8) prior to 1.9.5p2 on Linux, that may go back as far as 10 years.  Many Linux distributions are distributed with sudo(8) as a default install package.  The bug was discovered by the Qualys team about two weeks ago and patches were released starting today.

The vulnerability results from a heap-based buffer overflow that can be exploited from the command line by an low-privileged user compromised by an attacker.  In this case your layers of security matter.  Access of all accounts should be scrutinized, particularly low-privileged account access, which can be leveraged to escalate privileges to devastating effect.  The Sudo team released a simple explanation of the vulnerability.

What's different about this vulnerability, when compared to CVE-2019-14287 a/k/a -1 UID bug and CVE-2019-18634 a/k/a pwdfeedback, is that the vulnerability does not require an esoteric or specialized sudo configuration, the only thing that is required is the basic package installation, including /etc/sudoers.  This is a bad one.  Patching should be expedited as it shouldn't have a huge impact on operations.  Additionally, an audit the use of low-privileged accounts and the access and authorization controls for those accounts is also in order.  Perform this audit to catalog and understand which applications are using low-privileged accounts that may be exposed to external attack and compromise and the potential for vertical escalation of privileges.