This article is more than 1 year old
Decade-old bug in Linux world's sudo can be abused by any logged-in user to gain root privileges
Sudo, make me a heap overflow! Done, this system is now yours
Security researchers from Qualys have identified a critical heap buffer overflow vulnerability in sudo that can be exploited by rogue users to take over the host system.
Sudo is an open-source command-line utility widely used on Linux and other Unix-flavored operating systems. It is designed to give selected, trusted users administrative control when needed.
The bug (CVE-2021-3156) found by Qualys, though, allows any local user to gain root-level access on a vulnerable host in its default configuration. Qualys is disclosing its findings in a coordinated release with operating systems vendors, and has bestowed the errant code with the memorable name Baron_Samedit.
The following versions of sudo are affected: 1.8.2 through 1.8.31p2 and 1.9.0 through 1.9.5p1. Qualys developed exploits for several Linux distributions, including Ubuntu 20.04 (Sudo 1.8.31), Debian 10 (Sudo 1.8.27), and Fedora 33 (Sudo 1.9.2), and the security biz believes other distributions are vulnerable, too.
Oh ****... Sudo has a 'make anyone root' bug that needs to be patched – if you're unlucky enough to enable pwfeedbackREAD MORE
In their write-up, Qualys researchers explain, "
set_cmnd() is vulnerable to a heap-based buffer overflow, because the out-of-bounds characters that are copied to the 'user_args' buffer were not included in its size."
The report also documents how they were able to defeat the ASLR defense mechanism intended to thwart these sorts of exploits.
In a statement, Mehul Revankar, VP of product management and engineering at Qualys, said the vulnerability "is perhaps the most significant sudo vulnerability in recent memory (both in terms of scope and impact) and has been hiding in plain sight for nearly 10 years."
The bug was introduced in July 2011 (commit 8255ed69) and has persisted unfixed until now.
Noting that sudo is nearly ubiquitous and is available by default in most Linux systems, Revankar said there are likely to be millions of vulnerable systems that need to be patched. ®