Sudo Privilege Escalation Vulnerability Discovered

The Exploit Blog

Published on January 27, 2021
Written by Raxis Research Team
Summary

Qualys recently discovered a heap-based buffer overflow in the sudo utility, which is in use on almost all Unix-based operating systems.* This vulnerability (CVE-2021-3156) can be exploited by any user, even one who is not in the sudoers file, and has been present since it was introduced in July 2011.

Affected Versions

Any operating system using one of the following sudo versions is vulnerable:

  • All legacy versions from 1.8.2 to 1.8.31p2
  • All stable versions from 1.9.0 to 1.9.5p1

This includes most major operating systems such as Ubuntu, RHEL, Debian, Fedora, etc. that have these versions of sudo installed. Qualys was able to develop exploits specifically for Ubuntu 20.04 (Sudo 1.8.31), Debian 10 (Sudo 1.8.27), and Fedora 33 (Sudo 1.9.2), but any operating system using the vulnerable versions of sudo should be considered vulnerable.

Testing for the Vulnerability

In addition to checking the sudo version, Qualys provided a simple way to test if a system is vulnerable or not. To test on an individual system, perform the following steps:

  1. Log in to the system as a non-root user.
  2. Run the command sudoedit -s /
  3. If the system is vulnerable, it will respond with an error that starts with sudoedit:
  4. If the system is patched, it will respond with an error that starts with usage:
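
The version ranges above and the sudoedit probe, wrapped in reusable shell functions so an audit script can apply both checks to a host. This is an added example and not code from the Raxis post or from Qualys; check_host assumes that "sudo -V" prints "Sudo version X.Y.Z" on its first line.

```shell
#!/bin/sh
# Added example, not from the Raxis post: wrap the two checks the post
# describes (sudo version ranges and the `sudoedit -s /` probe) in shell
# functions so a fleet-wide audit script can reuse them.

# Return 0 when version $1 <= version $2, comparing major, minor, patch and
# the optional "pN" suffix numerically ("1.8.31p2" -> 1 8 31 2, no suffix -> 0).
version_le() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "[.p]"); m = split(b, y, "[.p]")
        for (i = 1; i <= 4; i++) {
            xa = (i <= n) ? x[i] + 0 : 0
            yb = (i <= m) ? y[i] + 0 : 0
            if (xa < yb) exit 0
            if (xa > yb) exit 1
        }
        exit 0
    }'
}

# Return 0 when $1 lies inside either range listed in the advisory:
# legacy 1.8.2 .. 1.8.31p2 or stable 1.9.0 .. 1.9.5p1.
sudo_version_vulnerable() {
    if version_le 1.8.2 "$1" && version_le "$1" 1.8.31p2; then return 0; fi
    if version_le 1.9.0 "$1" && version_le "$1" 1.9.5p1; then return 0; fi
    return 1
}

# Classify the first line printed by `sudoedit -s /`, as the post describes:
# an error starting with "sudoedit:" means vulnerable, "usage:" means patched.
classify_sudoedit_output() {
    case "$1" in
        sudoedit:*) echo vulnerable ;;
        usage:*)    echo patched ;;
        *)          echo unknown ;;
    esac
}

# Live check for the current host; run as a non-root user, as the post says.
# Assumes "sudo -V" prints "Sudo version X.Y.Z" on its first line.
check_host() {
    ver=$(sudo -V 2>/dev/null | awk 'NR == 1 { print $NF }')
    probe=$(sudoedit -s / 2>&1 </dev/null | head -n 1)
    if sudo_version_vulnerable "$ver"; then range=in-range; else range=not-listed; fi
    printf 'sudo %s: version %s, sudoedit probe says %s\n' \
        "$ver" "$range" "$(classify_sudoedit_output "$probe")"
}

# Only touch the real sudo when explicitly asked: ./sudo_check.sh --live
if [ "${1:-}" = "--live" ]; then check_host; fi
```

A host whose version is in range but whose probe says "patched" is usually running a vendor backport, so the probe result is the one to trust.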

Remediation

Raxis recommends patching any affected operating system using the vulnerable sudo versions. A list of advisories with links to patches that remediate the vulnerability from various operating system vendors is below:

* https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit
