Sudo Vulnerability: "Baron Samedit" Heap-Based Buffer Overflow in Sudo (CVE-2021-3156)
The Qualys Research Team has discovered a heap overflow vulnerability in the sudo utility, a widely used tool available on all major Unix-like operating systems. The vulnerability, tracked as CVE-2021-3156, can allow any unprivileged local user to gain root privileges on a vulnerable host.
Qualys has released QIDs for this sudo vulnerability, starting with vulnsigs version VULNSIGS-2.5.90-4 and Linux Cloud Agent manifest version lx_manifest-2.5.90.4-3. Qualys customers can search the vulnerability knowledgebase for CVE-2021-3156 to identify all the QIDs and the assets affected by it.
The vulnerability is a heap-based buffer overflow in the set_cmnd() function of sudo. It is triggered by executing "sudoedit -s" with a command whose command-line argument ends in a single backslash character. Qualys security researchers have independently verified successful exploitation on Ubuntu 20.04, Debian 10, and Fedora 33.
A local user account is required to exploit the vulnerability, but that user does not need to be privileged or listed in the sudoers file. On a patched system, the test command responds with an error that starts with "usage:"; on a vulnerable system, it responds with an error that starts with "sudoedit:".
The VMDR Dashboard allows real-time tracking of the vulnerability and its impacted hosts, status, and management. The "Baron Samedit | Heap-based buffer overflow Sudo" Dashboard is available for tracking trends in the environment. Qualys recommends users apply patches for this vulnerability immediately.
For non-Qualys customers, a free trial of Qualys VMDR provides full access to the QIDs for CVE-2021-3156, enabling them to identify their vulnerable assets. To restate the root cause: the heap-based buffer overflow occurs because a command-line argument ending in a single backslash character is not handled correctly in set_cmnd().
As of now, no vendor has officially confirmed whether macOS, AIX, or Solaris are affected by CVE-2021-3156. The vulnerability was introduced in July 2011 (commit 8255ed69). The detection logic of QID 374891 differs from that of the other QIDs: QID 374891 attempts to confirm the vulnerability from the output of the test command, while the remaining QIDs confirm it by version comparison.
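The two detection approaches described above (output-based and version-based) are easy to reproduce in a small POSIX shell script. The following is an added example written for this article; it is not Qualys detection code and not part of the sudo project. It assumes the "usage:" versus "sudoedit:" distinction stated earlier, and the `/` argument to `sudoedit -s` is the harmless test argument from Qualys' public advisory (it is not on this page). The affected version range is deliberately not hard-coded: pass it in from your vendor advisory, because distributions often backport the fix without changing the upstream version string, which is exactly why an output-based check is the more reliable confirmation.

```shell
#!/bin/sh
# Added example: classify a host as patched/vulnerable for CVE-2021-3156
# either from the first line the test command prints or from a version string.

# Output-based check: a patched sudo rejects "sudoedit -s" with a usage
# message, a vulnerable one gets as far as trying to edit the file.
classify_sudoedit_output() {
  case "$1" in
    usage:*)    echo patched ;;
    sudoedit:*) echo vulnerable ;;
    *)          echo unknown ;;
  esac
}

# Compare two sudo version strings such as 1.8.31p2 and 1.9.5p1.
# Prints -1, 0 or 1. The "p" patch suffix is treated as one more numeric
# component, so 1.9.5 < 1.9.5p1 < 1.9.5p2.
version_cmp() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, A, "[.p]"); nb = split(b, B, "[.p]")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      x = (i <= na) ? A[i] + 0 : 0
      y = (i <= nb) ? B[i] + 0 : 0
      if (x < y) { print -1; exit }
      if (x > y) { print 1; exit }
    }
    print 0
  }'
}

# Version-based check: installed version, then the inclusive affected range
# (low, high) taken from the vendor advisory. Prints vulnerable/not_affected.
classify_by_version() {
  if [ "$(version_cmp "$1" "$2")" -ge 0 ] && [ "$(version_cmp "$1" "$3")" -le 0 ]; then
    echo vulnerable
  else
    echo not_affected
  fi
}

# Live output-based check against the local sudoedit (only run on request).
live_check() {
  command -v sudoedit >/dev/null 2>&1 || { echo "sudoedit not found"; return 2; }
  first_line=$(sudoedit -s / 2>&1 | head -n 1)
  classify_sudoedit_output "$first_line"
}

# Live version-based check; AFFECTED_LO / AFFECTED_HI are placeholders that
# must be filled from the vendor advisory before use.
live_version_check() {
  command -v sudo >/dev/null 2>&1 || { echo "sudo not found"; return 2; }
  installed=$(sudo -V 2>/dev/null | head -n 1 | awk '{print $NF}')
  classify_by_version "$installed" \
    "${AFFECTED_LO:-REPLACE_WITH_LOW_AFFECTED_VERSION}" \
    "${AFFECTED_HI:-REPLACE_WITH_HIGH_AFFECTED_VERSION}"
}

# Usage: sh check_cve_2021_3156.sh --live   (runs the output-based check)
case "${1:-}" in
  --live) live_check ;;
esac
```

Run it with `--live` on the host you want to assess; without arguments it only defines the functions, so it can be sourced from a larger inventory script. Treat the "unknown" result as a signal to look at the full output rather than as a clean bill of health.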
The Baron Samedit dashboard can be viewed and downloaded for a comprehensive understanding of the vulnerability and its impact. Qualys continues to monitor the situation closely and will provide updates as more information becomes available.