Privilege elevation vulnerability in 'sudo' command, list of correspondence of each distribution
A vulnerability was found in the 'sudo' command, which allows a user to execute a program with the privileges of another user; the flaw allows privileges to be acquired without a password. It has existed since July 2011, and each Linux distribution has announced a fix.
CVE-2021-3156: Heap-Based Buffer Overflow in Sudo (Baron Samedit) | Qualys Security Blog
Buffer overflow in command line unescaping
Alert regarding sudo vulnerability (CVE-2021-3156)
New Linux SUDO flaw lets local users gain root privileges
The 'sudo' command is used when you want to temporarily execute a program with elevated privileges, so that privileged operations can be performed from a limited account without logging in as the root user. Qualys, a cloud security service provider, discovered that sudo had been vulnerable to privilege escalation through a heap-based buffer overflow since July 2011, about 10 years ago, and named the vulnerability 'Baron Samedit'.
The vulnerability existed in 'set_cmnd()', which escapes command arguments. In the relevant part of set_cmnd(), 'from' is the pointer to the arguments and 'to' is the heap-based buffer they are copied into.
The processing of the while loop there is: 'If the character at the address pointed to by the from pointer is a backslash and the character at the next address is not a space, that next character is stored in the buffer'. This is intended to process backslash-escaped arguments, but if the argument consists only of a backslash, the terminating null character of the string is stored in the buffer as the 'next character'. Because from is incremented as each character is stored, the loop then goes on to reference the memory beyond the null terminator, that is, outside the range of the argument.
Escape processing by set_cmnd() is executed only when 'MODE_SHELL' is set in the flag 'valid_flags', and when options are given to the normal sudo command, valid_flags is initialized so that MODE_SHELL is not included.
However, the sudoedit command did not perform this initialization process, and valid_flags specified 'DEFAULT_VALID_FLAGS' including MODE_SHELL. Therefore, it was possible to cause a buffer overflow via sudoedit.
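As an added illustration (this is not the article's or sudo's own code, and the hardened variant is one possible fix rather than necessarily the upstream patch), the following C reproduces the unescaping loop as the text describes it and shows, on a constructed argument consisting of a single backslash, how the copy runs past the string terminator. The demo bounds the write so that only the over-read is visible; in sudo the heap buffer was sized for the argument, so the extra bytes were written past its end.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Reconstruction of the loop described in the text (assumption: a
 * simplified model, not sudo's set_cmnd()).  Copies `from` into `to`,
 * dropping a backslash that is followed by a non-space character.
 * Returns the number of bytes written.
 */
size_t unescape_vulnerable(const char *from, char *to, size_t to_size)
{
    size_t n = 0;
    while (*from) {
        /* Bug: if from[1] is the terminating NUL, isspace() is false, so
         * from is advanced onto the NUL, the NUL is copied, and the loop
         * continues reading the bytes that follow the argument. */
        if (from[0] == '\\' && !isspace((unsigned char)from[1]))
            from++;
        if (n >= to_size)   /* demo-only guard so the copy cannot overflow `to` */
            break;
        to[n++] = *from++;
    }
    return n;
}

/* Hardened variant (assumption: one way to close the hole): a backslash
 * is only treated as an escape when a character actually follows it. */
size_t unescape_fixed(const char *from, char *to, size_t to_size)
{
    size_t n = 0;
    while (*from) {
        if (from[0] == '\\' && from[1] != '\0' && !isspace((unsigned char)from[1]))
            from++;
        if (n >= to_size)
            break;
        to[n++] = *from++;
    }
    return n;
}

/* Constructed input: a lone backslash, then its NUL terminator, then three
 * bytes standing in for whatever memory happens to follow the argument. */
static const char SAMPLE_ARG[] = "\\" "\0" "XYZ";

/* How many bytes each loop copies from SAMPLE_ARG.  A correct copy of the
 * one-character argument writes exactly 1 byte. */
size_t demo_copied_bytes(bool use_fixed)
{
    char to[16] = {0};
    return use_fixed ? unescape_fixed(SAMPLE_ARG, to, sizeof to)
                     : unescape_vulnerable(SAMPLE_ARG, to, sizeof to);
}

/* Run the hardened loop on `arg` and compare the result with `expected`,
 * to show that ordinary escapes still behave as before. */
int fixed_gives(const char *arg, const char *expected)
{
    char to[64];
    size_t n = unescape_fixed(arg, to, sizeof to - 1);
    to[n] = '\0';
    return strcmp(to, expected) == 0;
}

int main(void)
{
    printf("vulnerable loop copied %zu bytes from a 1-byte argument\n",
           demo_copied_bytes(false));
    printf("fixed loop copied %zu bytes\n", demo_copied_bytes(true));
    printf("\"foo\\\\bar\" -> foo\\bar: %d\n", fixed_gives("foo\\\\bar", "foo\\bar"));
    printf("\"foo\\ bar\" unchanged: %d\n", fixed_gives("foo\\ bar", "foo\\ bar"));
    return 0;
}
```

The vulnerable loop reports 4 bytes copied (the NUL plus the three bytes that follow it), while the fixed loop copies only the backslash; escaped backslashes and backslash-space sequences are handled identically by both versions.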
Qualys has also released a video in which privileges are actually gained by exploiting this vulnerability. Since the exploit code itself has not been published, the details of the process are unknown, but the video shows privileges actually being acquired.
CVE-2021-3156: Heap-Based Buffer Overflow in Sudo (Baron Samedit) on Vimeo
To check whether the OS you are using is affected by the vulnerability, execute 'sudoedit -s /'. If 'not a regular file' is displayed, the system has not been fixed; if a message beginning 'usage: sudoedit ...' is displayed, it has been fixed.
This vulnerability has been assigned 'CVE-2021-3156', and the support status of major Linux distributions is as follows.
- Ubuntu: Fixed packages distributed for 14.04 ESM and later
CVE-2021-3156 | Ubuntu
- Debian: Fixed packages distributed for Stretch and later
- RHEL: RHEL 5 is not affected; fixed packages have been distributed for RHEL 6 and later
CVE-2021-3156 - Red Hat Customer Portal
- Fedora: Fixed packages distributed for 32 and 33
[SECURITY] Fedora 33 Update: sudo-1.9.5p2-1.fc33 - package-announce - Fedora Mailing-Lists
[SECURITY] Fedora 32 Update: sudo-1.9.5p2-1.fc32 - package-announce - Fedora Mailing-Lists
- Gentoo: Fixed package distributed
sudo: Multiple vulnerabilities (GLSA 202101-33) — Gentoo security
- Amazon Linux: Fixed package distributed
Sudo Security Issue
- Cisco: Multiple network devices are affected; patches have been distributed
Sudo Privilege Escalation Vulnerability Affecting Cisco Products: January 2021
For OSs other than the above, such as macOS and Solaris, the fixed latest version is distributed from the official sudo website.