Security researchers at Qualys disclosed a bug in sudo, a standard Linux and Unix utility for handling administrative rights. Sudo is included in most, if not all, Unix and Linux based OSs and this vulnerability has been prevalent for almost 10 years. The flaw was introduced in a change made in July 2011, so it is present in sudo legacy versions (1.8.2 to 1.8.31p2) and all stable versions (1.9.0 to 1.9.5p1) in their default configuration. The Baron Samedit name is a play on Baron Samedi and sudoedit.

The flaw exists in the way sudo handles the backslash (\) character. Unix has traditionally allowed users to use the backslash to escape reserved characters to change their behavior. A bug in this code allows an attacker to partially bypass this behavior in a way that allows a heap overflow. By passing a carefully crafted set of arguments to sudo in combination with the -s or -i command line option, an attacker can use this flaw to gain privilege escalation.

Qualys has not released proof of concept code for this vulnerability and has stated they do not have any plans to do so.

What is the potential impact of CVE-2021-3156?

Successful exploitation of CVE-2021-3156 allows an attacker to gain root-level (administrative) access on Linux and Unix systems, even if the account has no rights granted via sudo. macOS Big Sur (x86_64 and aarch64) is also affected: the vulnerability can be reached by symlinking sudo to sudoedit. Apple has not released a patch as of the time of this writing.




Sudo Vulnerability Mitigation

Officially, all versions of sudo from 1.8.2 to 1.8.31p2 and 1.9.0 to 1.9.5p1 are vulnerable. The most complete mitigation is patching to a newer version of sudo that does not contain the buffer overflow.

Linux distributions generally ship with the current stable version of standard utilities like sudo. Due to the timing of the flaw, Red Hat Enterprise Linux 7 and 8 are affected, but the older Red Hat Enterprise Linux 6 is not. The situation with other Linux distributions will be similar.

Linux vendors frequently will backport security fixes to older versions in order to minimize compatibility issues. Updating to the newest available version of sudo for the version of Linux or Unix you are running is the best course of action.

When logged directly into the system, the typical command to update sudo on Red Hat Linux and derivatives such as CentOS would be yum update sudo.

Embedded systems based on Linux will require a firmware update if they contain sudo. If a patch is not possible, Red Hat has released a partial mitigation. However, it requires installing a tool called systemtap and creating a script that disables the vulnerable part of sudo. Red Hat’s mitigation is detailed here.

Detecting CVE-2021-3156

Vulnerability Management:

  • Qualys has released QID 374891 to detect this vulnerability.
  • Tenable has released a total of 5 plugins to detect this vulnerability. You can find the specific plugin IDs at https://www.tenable.com/cve/CVE-2021-3156

Note these detections require an authenticated scan to work properly.

The results or plugin output section of your vulnerability scan may give additional details about mitigation. It is also possible to check the version manually by logging into a system and running the command sudo --version. This command works regardless of the specific type of Linux or Unix you are running.
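The manual version check can be scripted for use across many hosts. The following is an added example, not part of the original advisory: a POSIX shell sketch that pulls the version out of sudo --version output and compares it with the upstream ranges quoted above. The function names are hypothetical, and because vendors backport fixes, an "in-range" result means the package build still has to be confirmed against the vendor advisory.

```shell
#!/bin/sh
# Added example (not from the advisory): classify a sudo version against the
# upstream ranges quoted on this page: 1.8.2-1.8.31p2 and 1.9.0-1.9.5p1.
# Function names are hypothetical. Vendor packages may carry a backported fix
# under an in-range version number, so treat "in-range" as "verify the package".

# Read `sudo --version` output on stdin and print the version from line one,
# e.g. "Sudo version 1.9.5p1" -> "1.9.5p1".
sudo_version_from_output() {
    sed -n 's/^Sudo version \([0-9][^ ]*\).*/\1/p' | head -n 1
}

# Print "in-range", "out-of-range", or "unknown" for a version such as 1.8.31p2.
classify_sudo_version() {
    printf '%s\n' "$1" | awk -F'[.p]' '
        # Pack major.minor.patch and the optional pN suffix into one number.
        function key(a, b, c, d) { return ((a * 1000 + b) * 1000 + c) * 1000 + d }
        /^[0-9]+\.[0-9]+\.[0-9]+(p[0-9]+)?$/ {
            k = key($1, $2, $3, $4)   # a missing pN field counts as 0
            if ((k >= key(1, 8, 2, 0) && k <= key(1, 8, 31, 2)) ||
                (k >= key(1, 9, 0, 0) && k <= key(1, 9, 5, 1)))
                print "in-range"
            else
                print "out-of-range"
            seen = 1
        }
        # Betas, release candidates, or empty input are not guessed at.
        END { if (!seen) print "unknown" }'
}

# Constructed sample versions, showing both range boundaries.
for v in 1.8.1p2 1.8.2 1.8.31p2 1.8.32 1.9.0 1.9.5p1 1.9.5p2; do
    printf '%-10s %s\n' "$v" "$(classify_sudo_version "$v")"
done

# Check the local host if sudo is installed.
if command -v sudo >/dev/null 2>&1; then
    local_ver=$(sudo --version 2>/dev/null | sudo_version_from_output)
    printf 'local sudo %s: %s\n' "${local_ver:-?}" \
        "$(classify_sudo_version "$local_ver")"
fi
```
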

deepwatch Actions

Sudo was auto-patched January 27, 2021 on deepwatch Linux instances and also any deepwatch customer Heavy Forwarder with yum-updates working.
