By Eric D. Williams on Wednesday, 27 January 2021
Category: Vulnerabilities

Get back to patching day for... sudo(8) CVE-2021-3156

Most Linux distributions affected by a sudo(8) bug that allows privilege escalation to root

Announced today was CVE-2021-3156, a/k/a "Baron Samedit", a vulnerability in most default installations of sudo(8) prior to 1.9.5p2 on Linux that may go back as far as 10 years. Many Linux distributions ship sudo(8) as a default install package. The bug was discovered by the Qualys team about two weeks ago, and patches were released starting today.

The vulnerability results from a heap-based buffer overflow that can be exploited from the command line by a low-privileged user, or by an attacker who has compromised such an account. In this case your layers of security matter. Access to all accounts should be scrutinized, particularly low-privileged account access, which can be leveraged to escalate privileges to devastating effect. The Sudo team released a simple explanation of the vulnerability.

What's different about this vulnerability, when compared to CVE-2019-14287 (a/k/a the "-1 UID" bug) and CVE-2019-18634 (a/k/a pwfeedback), is that it does not require an esoteric or specialized sudo configuration; the only thing required is the basic package installation, including /etc/sudoers. This is a bad one. Patching should be expedited, as it shouldn't have a huge impact on operations. Additionally, an audit of the use of low-privileged accounts, and of the access and authorization controls for those accounts, is also in order. Perform this audit to catalog and understand which applications are using low-privileged accounts that may be exposed to external attack and compromise, and the potential for vertical escalation of privileges.
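As an added example (not code from the post, nor from the Sudo or Qualys teams), the following POSIX shell script helps with the patching step: it reads the version that the installed sudo reports and flags anything older than 1.9.5p2, the release named above as fixed. It assumes that `sudo --version` prints a first line of the form `Sudo version 1.9.5p2` and that version strings follow the `major.minor.release[pN]` pattern. One caveat a practitioner should keep in mind: distributions such as Debian, Ubuntu and Red Hat backport security fixes without changing the upstream version string, so an "older than 1.9.5p2" result means "consult your distribution's advisory for CVE-2021-3156", not "confirmed vulnerable".

```shell
#!/bin/sh
# Added example, not code from the post: flag a sudo(8) version older than
# 1.9.5p2, the first release the post names as fixed for CVE-2021-3156.
# Version strings are assumed to look like "1.8.31", "1.9.5p1" or "1.9.5p2".
# Caveat: distributions backport fixes without bumping the upstream version,
# so "older than 1.9.5p2" means "check your distribution's advisory".

FIXED_VERSION=1.9.5p2

# sudo_version_key VERSION -> prints one integer that orders the same way as
# the version: major, then minor, then release, then the "pN" patch level.
sudo_version_key() {
    base=${1%%p*}                 # "1.9.5p2" -> "1.9.5"
    case $1 in
        *p*) patch=${1##*p} ;;    # "1.9.5p2" -> "2"
        *)   patch=0 ;;
    esac
    # split "1.9.5" into $1 $2 $3 without touching IFS
    set -- $(printf '%s' "$base" | tr . ' ')
    printf '%d%03d%03d%03d\n' "${1:-0}" "${2:-0}" "${3:-0}" "$patch"
}

# sudo_is_affected VERSION -> true (exit 0) when VERSION sorts before 1.9.5p2
sudo_is_affected() {
    [ "$(sudo_version_key "$1")" -lt "$(sudo_version_key "$FIXED_VERSION")" ]
}

# sudo_version_from_output TEXT -> the version token of the "Sudo version X" line
sudo_version_from_output() {
    printf '%s\n' "$1" | awk '/^Sudo version / { print $3; exit }'
}

# check_installed_sudo -> 0 if at least 1.9.5p2, 1 if older, 2 if unknown
check_installed_sudo() {
    out=$(sudo --version 2>/dev/null) || { echo "sudo not found"; return 2; }
    ver=$(sudo_version_from_output "$out")
    if [ -z "$ver" ]; then
        echo "could not parse the output of sudo --version"
        return 2
    fi
    if sudo_is_affected "$ver"; then
        echo "sudo $ver is older than $FIXED_VERSION: check your distribution's CVE-2021-3156 advisory"
        return 1
    fi
    echo "sudo $ver is $FIXED_VERSION or later"
}

# Run the check; the verdict (0, 1 or 2) is left in CHECK_RESULT.
if check_installed_sudo; then CHECK_RESULT=0; else CHECK_RESULT=$?; fi
```

The version is turned into a single integer rather than compared field by field so that the comparison is one `-lt` test; the `pN` suffix is treated as a fourth component, which is what makes 1.9.5p1 sort before 1.9.5p2 while 1.9.6 sorts after it.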

Video - Qualys demonstrates the Baron Samedit exploit

In this video the Qualys team demonstrates exploitation of CVE-2021-3156 with a quick couple of compiles, the exploit and a library, and a command-line execution that iterates the exploit until a root shell is obtained. Essentially, this vulnerability means that if /etc/sudoers is present (facilitating the exploit via "sudoedit -s"), you have a pathway to privilege escalation to root.

Stay safe, scan, patch, repeat.
