[Security] sudo - Privilege escalation via command line argument parsing - (CVE-2021-3156)

[ccto]

A flaw was found in sudo. A heap-based buffer overflow was found in the way sudo parses command line arguments. This flaw is exploitable by any local user (normal users and system users, sudoers and non-sudoers), without authentication (i.e., the attacker does not need to know the user's password). Successful exploitation of this flaw could lead to privilege escalation. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

ref.:

cve-details

RHSB-2021-002 Privilege escalation via command line argument parsing - sudo - (CVE-2021-3156) | Red Hat Customer Portal

Access Red Hat’s knowledge, guidance, and support through your subscription.

access.redhat.com

 

[ikkeben]

Ok now it is out some Admins have te react more fast i guess.

Buffer overflow in command line unescaping

A serious heap-based buffer overflow has been discovered in sudo that is exploitable by any local user. It has been given the name Baron Samedit by its discoverer. The bug can be leveraged to elevate privileges to root, even if the user is not listed in the sudoers file. User authentication is...

www.sudo.ws

Sudo versions affected:​

Sudo versions 1.8.2 through 1.8.31p2 and 1.9.0 through 1.9.5p1 are affected.

CVE - CVE-2021-3156

Alert Regarding Vulnerability (CVE-2021-3156) in sudo

www.jpcert.or.jp

CVE-2021-3156: Heap-Based Buffer Overflow in Sudo (Baron Samedit) | Qualys Security Blog

Update Feb 3, 2021: It has been reported that macOS, AIX, and Solaris are also vulnerable to CVE-2021-3156, and that others may also still be vulnerable. Qualys has not independently verified the…

blog.qualys.com

 

[Erulezz]

Not seeing it yet on CentOS8.....

 

[factor]

What is sudo?

VuXML: sudo -- Potential information leak in sudoedit

Its fixed in ports on FreeBSD still waiting on the pkg.

 

[ikkeben]

Not seeing it yet on CentOS8.....

Sudo versions 1.8.2 through 1.8.31p2 and 1.9.0 through 1.9.5p1 are affected.

 

[factor]

Sudo versions 1.8.2 through 1.8.31p2 and 1.9.0 through 1.9.5p1 are affected.

I think he means the fix isn't out yet?

 

[Erulezz]

Patches are now also available on CentOS8 since a few hours

 

[sysdev]

In case you have no update available or your os is a bit older:

# yum -y install git
# cd /opt
# git clone https://github.com/sudo-project/sudo.git
# cd sudo
# ./configure --prefix=/usr
# make
# make install

test with:

sudoedit -s '\' `perl -e 'print "A" x 65536'`

A 'usage' message is ok, a segmentation error = vulnerable.

 

[Aar]

I see this: -bash: sudo: command not found

I have CentOS 7 and it looks like i've not installed sudo?
And i see also no sudo updatepackage with yum check-update

Normally, i can use su to elevate to root.

Can someone explain this?

​

 

[sysdev]

I see this: -bash: sudo: command not found

I have CentOS 7 and it looks like i've not installed sudo?
And i see also no sudo updatepackage with yum check-update

Normally, i can use su to elevate to root.

Can someone explain this?

sudo en su are different tools. 'su' is simply to switch between users and 'sudo' is to execute a command as a different user.

 

[Aar]

@sysdev So I can assume that I don't have sudo installed, so I don't need to take any action on it?

 

[factor]

sudo is not installed by default on CentOS 7 and maybe 8. So yes you may never have used it or installed it.

 

[sysdev]

@sysdev So I can assume that I don't have sudo installed, so I don't need to take any action on it?

Well, never assume anything. But it's your own server so you should know it best

 

[factor]

Its fixed in ports on FreeBSD still waiting on the pkg.

Its all fixed in pkg now on FreeBSD

 

[Aar]

Well, never assume anything. But it's your own server so you should know it best

True, for a while I was under the impression that it would also be standard in CentOS 7.
But that is not the case. As far as I know it was in CentOS 6.

It's clear for me now.