Qualys recently discovered a heap-based buffer overflow in the sudo utility, which is in use on almost all Unix-based operating systems. This vulnerability (CVE-2021-3156) can be exploited by any user, even if they are not in the sudoers file, and has been present since it was introduced in July 2011.
Any operating system using one of the following sudo versions is vulnerable:
- All legacy versions from 1.8.2 to 1.8.31p2
- All stable versions from 1.9.0 to 1.9.5p1
This includes most major operating systems such as Ubuntu, RHEL, Debian, Fedora, etc. that have these versions of sudo installed. Qualys was able to develop exploits specifically for Ubuntu 20.04 (Sudo 1.8.31), Debian 10 (Sudo 1.8.27), and Fedora 33 (Sudo 1.9.2), but any operating system using the vulnerable versions of sudo should be considered vulnerable.
Testing for the Vulnerability
In addition to checking the sudo version, Qualys provided a simple way to test if a system is vulnerable or not. To test on an individual system, perform the following steps:
- Log in to the system as a non-root user.
- Run the command sudoedit -s /
- If the system is vulnerable, it will respond with an error that starts with sudoedit:
- If the system is patched, it will respond with an error that starts with usage:
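The version ranges and the sudoedit -s / test above, combined into one script as an added example (not code from Qualys or Raxis); the function names are hypothetical and it assumes release version strings of the form X.Y.Z[pN]. The behavioural result takes precedence because a distribution can backport the fix without changing the upstream version that sudo -V reports.

```shell
#!/bin/sh
# Added example: function names are hypothetical. Assumes release version
# strings of the form X.Y.Z[pN] (for example 1.8.31p2).

# Map a version to one sortable integer: major, minor, patch, p-level.
ver_key() {
    v=$1 p=0
    case $v in *p*) p=${v##*p}; v=${v%%p*} ;; esac
    old_ifs=$IFS; IFS=.; set -- $v; IFS=$old_ifs
    echo $(( ${1:-0} * 1000000 + ${2:-0} * 10000 + ${3:-0} * 100 + p ))
}

# Succeeds when the version lies in 1.8.2-1.8.31p2 or 1.9.0-1.9.5p1.
version_in_affected_range() {
    k=$(ver_key "$1")
    { [ "$k" -ge "$(ver_key 1.8.2)" ] && [ "$k" -le "$(ver_key 1.8.31p2)" ]; } ||
    { [ "$k" -ge "$(ver_key 1.9.0)" ] && [ "$k" -le "$(ver_key 1.9.5p1)" ]; }
}

# Classify the first line that `sudoedit -s /` prints.
classify_response() {
    case $1 in
        sudoedit:*) echo vulnerable ;;
        usage:*)    echo patched ;;
        *)          echo inconclusive ;;
    esac
}

# The behavioural result wins; the version is only a fallback hint.
verdict() {  # $1 = sudo version, $2 = first line of sudoedit output
    r=$(classify_response "$2")
    if [ "$r" != inconclusive ]; then echo "$r"
    elif version_in_affected_range "$1"; then echo check-vendor-advisory
    else echo not-in-affected-range
    fi
}

check_local() {  # run as a non-root user, as in the steps above
    ver=$(sudo -V 2>/dev/null | sed -n '1s/^Sudo version //p')
    first=$(sudoedit -s / 2>&1 | head -n 1)
    echo "sudo ${ver:-unknown}: $(verdict "${ver:-0}" "$first")"
}

if [ "${1:-}" = "--live" ]; then
    check_local
else  # constructed sample input, not captured from a real host
    echo "sample: $(verdict 1.8.27 'usage: sudoedit [-AknS] ...')"
fi
```

Run it with --live to check the local host; any response that starts with neither prefix is reported from the version range alone and should be confirmed against the vendor advisory.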
Raxis recommends patching any affected operating system using the vulnerable sudo versions. A list of advisories with links to patches that remediate the vulnerability from various operating system vendors is below:
- Ubuntu: https://ubuntu.com/security/notices/USN-4705-1
- RHEL: https://access.redhat.com/security/vulnerabilities/RHSB-2021-002
- Debian: https://tracker.debian.org/news/1224477/accepted-sudo-1827-1deb10u3-source-into-stable-embargoed-stable/
- Fedora: https://bodhi.fedoraproject.org/updates/FEDORA-2021-d33d74b4bf
- Arch Linux: https://security.archlinux.org/AVG-1431
- Gentoo Linux: https://security.gentoo.org/glsa/202101-33