Announced today was CVE-2021-3156, a/k/a "Baron Samedit", a vulnerability in most default installations of sudo(8) prior to 1.9.5p2 on Linux that may go back as far as 10 years. Many Linux distributions ship sudo(8) as a default package. The bug was discovered by the Qualys team about two weeks ago, and patches were released starting today.
The vulnerability is a heap-based buffer overflow that can be exploited from the command line by a low-privileged user, including one whose account an attacker has compromised. This is a case where your layers of security matter. Access to all accounts should be scrutinized, particularly low-privileged accounts, since that access can be leveraged to escalate privileges to devastating effect. The Sudo team released a simple explanation of the vulnerability.
What's different about this vulnerability, compared to CVE-2019-14287 (a/k/a the -1 UID bug) and CVE-2019-18634 (a/k/a pwfeedback), is that it does not require an esoteric or specialized sudo configuration; the only thing required is the basic package installation, including /etc/sudoers. This is a bad one. Patching should be expedited, as it shouldn't have a huge impact on operations. Additionally, an audit of the use of low-privileged accounts, and of the access and authorization controls for those accounts, is in order. Perform this audit to catalog and understand which applications use low-privileged accounts that may be exposed to external attack and compromise, and the potential for vertical privilege escalation.
In this video the Qualys team demonstrates exploitation of CVE-2021-3156 with a quick couple of compiles (the exploit and a library) and a command-line loop that iterates the exploit until a root shell is obtained. Essentially, this vulnerability means that if /etc/sudoers is present (facilitating the exploit via "sudoedit -s") you've got a pathway to privilege escalation to root.
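For the "scan" part of the advice, here is an added defender-side exposure check for CVE-2021-3156. It is example code written for this page, not the Sudo project's or Qualys's own tooling. It assumes the affected ranges stated in the Qualys advisory (legacy 1.8.2 through 1.8.31p2, stable 1.9.0 through 1.9.5p1, fixed in 1.9.5p2) and the non-destructive probe Qualys published: as an unprivileged user, "sudoedit -s /" answers with an error beginning "sudoedit:" on a vulnerable build and with a "usage:" line once patched. The version comparison alone is not sufficient, because distributions backport the fix without bumping the upstream version string, so the probe is the signal to trust on distro packages.

```shell
#!/bin/sh
# Added example (not from the original post): a defender-side check for
# CVE-2021-3156 ("Baron Samedit") exposure on a host.
#
# Two signals are combined:
#   1. the upstream sudo version string, compared against the fixed release
#      1.9.5p2 (affected: 1.8.2 .. 1.9.5p1, per the Qualys advisory);
#   2. the behavioural probe published by Qualys: "sudoedit -s /" prints an
#      error starting "sudoedit:" on vulnerable builds and "usage:" once patched.
# Signal 2 matters because distro packages backport the fix without changing
# the version number; the probe only runs when invoked with --probe.

# Split "1.9.5p1" into "1 9 5 1"; a missing "pN" suffix counts as p0.
# Trailing distro suffixes such as "1.8.31p2-1ubuntu" are tolerated by %d.
version_fields() {
    printf '%s\n' "$1" | awk -F'[.p]' \
        '{ printf "%d %d %d %d\n", $1, $2, $3, (NF >= 4 ? $4 : 0) }'
}

# Print -1, 0 or 1 according to whether version $1 is <, = or > version $2.
version_cmp() {
    a=$(version_fields "$1")
    b=$(version_fields "$2")
    printf '%s\n%s\n' "$a" "$b" | awk '
        NR == 1 { for (i = 1; i <= 4; i++) x[i] = $i }
        NR == 2 {
            for (i = 1; i <= 4; i++) {
                if (x[i] < $i) { print "-1"; exit }
                if (x[i] > $i) { print "1";  exit }
            }
            print "0"
        }'
}

# True (exit 0) when the version lies in the affected range 1.8.2 <= v < 1.9.5p2.
version_is_vulnerable() {
    [ "$(version_cmp "$1" "1.8.2")" -ge 0 ] && \
    [ "$(version_cmp "$1" "1.9.5p2")" -lt 0 ]
}

# First word after "Sudo version" on the first line of "sudo -V", or empty.
installed_sudo_version() {
    command -v sudo >/dev/null 2>&1 || return 0
    sudo -V 2>/dev/null | awk 'NR == 1 { print $3 }'
}

# Qualys probe: prints "vulnerable", "patched" or "unknown" (no sudoedit, or
# output that matches neither documented form).
sudoedit_probe() {
    command -v sudoedit >/dev/null 2>&1 || { echo unknown; return 0; }
    out=$(sudoedit -s / 2>&1) || true
    case "$out" in
        sudoedit:*) echo vulnerable ;;
        usage:*)    echo patched ;;
        *)          echo unknown ;;
    esac
}

# Report for this host. The version verdict is advisory only; the probe
# (run with --probe) reflects what the installed binary actually does.
v=$(installed_sudo_version)
if [ -n "$v" ]; then
    if version_is_vulnerable "$v"; then
        echo "sudo $v: upstream version in affected range (check for a backported fix)"
    else
        echo "sudo $v: upstream version outside affected range"
    fi
else
    echo "sudo not found on this host"
fi
if [ "${1:-}" = "--probe" ]; then
    echo "sudoedit -s / probe: $(sudoedit_probe)"
fi
```

Run it as an unprivileged user, the account population the post says to audit; a "vulnerable" probe result on a host whose package manager reports the fix as installed is worth a second look at which sudo binary is first on PATH.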
Stay safe, scan, patch, repeat.