Sudo and CVE-2021-3156
Sudo stands for SuperUser DO and is used to access restricted files and operations. By default, Linux restricts access to certain parts of the system, preventing sensitive files from being compromised. Using sudo instead of logging in as root is more secure because you can grant limited administrative privileges to individual users without them knowing the root password.
The sudo package is pre-installed on most Linux distributions. If sudo is not installed you can easily install it using the package manager of your distro:
The file /etc/sudoers contains a list of users or user groups with permission to execute a subset of commands while having the privileges of the root user or another specified user. The program may be configured to require a password.
Here you can check your Installed and Candidate sudo version:
and here is the command to update your sudo version:
A new, severe vulnerability was found in sudo on Unix and Linux operating systems. It allows an unprivileged local user to trigger a heap overflow in sudo and elevate privileges to root without authentication, even if that user is not listed in the sudoers file.
It is also possible to test whether the machine is vulnerable using the following command:
If you receive a usage or error message, sudo is not vulnerable.
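The version check earlier on this page can also be scripted so it runs across many hosts. The following is an added example, not code from the original post; it assumes that `sudo --version` prints a first line of the form `Sudo version X.Y.Z[pN]`, and the required minimum version (REQUIRED_MIN) is a placeholder you take from your vendor's advisory. Distributions that backport the fix keep an older version string, so an "update" verdict must be confirmed against the package changelog before acting on it.

```shell
#!/bin/sh
# Added example (not from the original post): parse and compare the version
# string printed by `sudo --version`. REQUIRED_MIN is a placeholder taken from
# your vendor's advisory; backported fixes keep old version strings (see lead-in).

# Pull a "1.8.31p2"-style version out of captured `sudo --version` output.
sudo_version_from_output() {
    printf '%s\n' "$1" | sed -n 's/^Sudo version \([0-9][0-9.p]*\).*/\1/p' | head -n 1
}

# Expand "MAJ.MIN.REV[pPATCH]" to four integers; a missing pN counts as p0.
sudo_version_fields() {
    printf '%s\n' "$1" | awk -F'[.p]' '{ printf "%d %d %d %d\n", $1, $2, $3, ($4 == "" ? 0 : $4) }'
}

# Exit 0 when version $1 >= version $2, 1 otherwise (numeric, field by field).
sudo_version_ge() {
    set -- $(sudo_version_fields "$1") $(sudo_version_fields "$2")
    for pair in "$1:$5" "$2:$6" "$3:$7" "$4:$8"; do
        a=${pair%%:*}; b=${pair##*:}
        [ "$a" -gt "$b" ] && return 0
        [ "$a" -lt "$b" ] && return 1
    done
    return 0
}

# Print "ok" (>= minimum), "update" (below minimum) or "unknown" (unparseable).
sudo_version_status() {
    v=$(sudo_version_from_output "$1")
    if [ -z "$v" ]; then
        echo unknown; return 2
    elif sudo_version_ge "$v" "$2"; then
        echo ok; return 0
    fi
    echo update; return 1
}

# Constructed sample of `sudo --version` output from an older build (not real data).
SAMPLE_OUTPUT='Sudo version 1.8.31
Sudoers policy plugin version 1.8.31
Sudoers file grammar version 46
Sudoers I/O plugin version 1.8.31'

# Stand-alone use: REQUIRED_MIN=<fixed version from your vendor advisory> sh check.sh
if [ -n "${REQUIRED_MIN:-}" ]; then
    sudo_version_status "$(sudo --version 2>/dev/null)" "$REQUIRED_MIN"
fi
```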
The remarkable part is that the vulnerability sat in plain sight in the code for almost 10 years.
The researchers who found the bug (nicknamed Baron Samedit) discovered that:
- when executing sudo in “shell” mode (shell -c command), or
- when using the sudoedit command with the options -s (MODE_SHELL flag) or -i (MODE_SHELL and MODE_LOGIN_SHELL flags),
it is possible to escape special characters in the command’s arguments with a backslash, including a backslash at the very end of an argument.
From an attacker’s perspective, this buffer overflow lets the attacker control both the size of the overflow and its contents (including null bytes where needed). That control is what enables a malicious user to execute custom code on the host with root privileges.
Patched, vendor-supported versions have been provided by Ubuntu, Red Hat, Debian, Fedora, Gentoo, and others.
Though it only allows escalation of privilege and not remote code execution, CVE-2021-3156 can be leveraged by attackers who want to compromise Linux systems and have already managed to gain access (e.g., through brute-force attacks).