infoSource is a cybersecurity newsletter. By subscribing to infoSource you will remain up-to-date on the latest in communication, computer and software cybersecurity issues.

Get back to patching day for... sudo(8) CVE-2021-3156

Most Linux distributions affected by a sudo(8) bug that allows privilege escalation to root

Announced today was CVE-2021-3156 a/k/a "Baron Samedit", a vulnerability to most default installations of sudo(8) prior to 1.9.5p2 on Linux, that may go back as far as 10 years.  Many Linux distributions are distributed with sudo(8) as a default install package.  The bug was discovered by the Qualys team about two weeks ago and patches were released starting today.

The vulnerability results from a heap-based buffer overflow that can be exploited from the command line by an low-privileged user compromised by an attacker.  In this case your layers of security matter.  Access of all accounts should be scrutinized, particularly low-privileged account access, which can be leveraged to escalate privileges to devastating effect.  The Sudo team released a simple explanation of the vulnerability.

What's different about this vulnerability, when compared to CVE-2019-14287 a/k/a -1 UID bug and CVE-2019-18634 a/k/a pwdfeedback, is that the vulnerability does not require an esoteric or specialized sudo configuration, the only thing that is required is the basic package installation, including /etc/sudoers.  This is a bad one.  Patching should be expedited as it shouldn't have a huge impact on operations.  Additionally, an audit the use of low-privileged accounts and the access and authorization controls for those accounts is also in order.  Perform this audit to catalog and understand which applications are using low-privileged accounts that may be exposed to external attack and compromise and the potential for vertical escalation of privileges.

Video - Qualys demonstrates the Baron Samedit exploit

In this video the Qualys team demonstrates exploitation of the bug CVE-2021-3156 with a quick couple of compiles, the exploit and a library, and a command line execution that iterates the exploit until the root shell is obtained.  Essentially, this vulnerability means that if /etc/sudoers is present (facilitating the exploit via "sudoedit -s") you've got pathway to privilege escalation to root.

Stay safe, scan, patch, repeat.  Subscribe

Stay Informed

When you subscribe to the blog, we will send you an e-mail when there are new updates on the site so you wouldn't miss them.

National Data Privacy Day - January 28, 2021
Deception Is The Way Of War

Related Posts



No comments made yet. Be the first to submit a comment
Already Registered? Login Here
Monday, 22 July 2024

Contact Me


1309 S Street S.E., Washington, DC, 20020
00 1 202-276-8641

Send Me a Message

Contact Me