A now-fixed Sudo vulnerability allowed any local user to gain root privileges on Unix-like operating systems without requiring authentication.
Sudo is a Unix program that lets system admins grant limited root privileges to normal users listed in the sudoers file, while logging their activity.
It follows the principle of least privilege: users get just enough permission to do their work without compromising the system’s overall security.
When executing commands on a Unix-like OS, unprivileged users can use the sudo (superuser do) command to run commands as root if they have permission or know the root user’s password. Root is the system’s superuser, a special system administration account.
Sudo can also be configured to permit normal users to run commands as any other user through special directives in the sudoers configuration file.
Root privileges for any local user
The Sudo privilege escalation vulnerability tracked as CVE-2021-3156 (aka Baron Samedit) was discovered by security researchers from Qualys, who disclosed it on January 13th and made sure that patches were available before going public with their findings.
According to Qualys researchers, the issue is a heap-based buffer overflow exploitable by any local user (normal users and system users, whether listed in the sudoers file or not), and an attacker does not need to know the user’s password to exploit the flaw.
The buffer overflow allowing any local user to obtain root privileges is triggered by Sudo incorrectly unescaping backslashes in the arguments.
“Normally, sudo escapes special characters when running a command via a shell (sudo -s or sudo -i),” the 1.9.5p2 changelog reads.
“However, it was also possible to run sudoedit with the -s or -i flags in which case no escaping had actually been done, making a buffer overflow possible.”
Qualys created three CVE-2021-3156 exploits to demonstrate how this vulnerability can be abused by potential attackers.
Using these exploits, the researchers were able to obtain full root privileges on multiple Linux distributions, including Debian 10 (Sudo 1.8.27), Ubuntu 20.04 (Sudo 1.8.31), and Fedora 33 (Sudo 1.9.2).
According to Qualys, other operating systems and distributions supported by Sudo are probably also exploitable.
Further technical details on how CVE-2021-3156 can be exploited are available in Qualys’ CVE-2021-3156 security advisory published on Tuesday.
A video demo of how the critical CVE-2021-3156 vulnerability can be exploited is embedded below.
Baron Samedit flaw fixed before disclosure
The vulnerability was introduced in the Sudo program almost 9 years ago, in July 2011, with commit 8255ed69, and it affects default configurations of all stable versions from 1.9.0 to 1.9.5p1 and all legacy versions from 1.8.2 to 1.8.31p2.
The Sudo contributors have fixed the vulnerability in the sudo 1.9.5p2 version released earlier today, at the same time Qualys publicly disclosed their findings.
To test whether your system is vulnerable, log in as a non-root user and run the “sudoedit -s /” command. Vulnerable systems will throw an error starting with “sudoedit:”, while patched ones will display an error starting with “usage:”.
System admins who use Sudo to delegate root privileges to their users should upgrade to sudo 1.9.5p2 or later as soon as possible.
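The check above and the affected version ranges, wrapped in a small script so the result can be recorded across many hosts. This is an added example, not code from the article or from the Sudo project; the function names are mine, the classification follows the article’s “sudoedit:” versus “usage:” rule, and it assumes `sudo -V` prints “Sudo version X.Y.Z” on its first line.

```bash
#!/usr/bin/env bash
# Added example, not code from the article or the Sudo project: wraps the
# "sudoedit -s /" probe the article describes and checks an installed version
# against the affected ranges it lists (1.8.2-1.8.31p2, 1.9.0-1.9.5p1).

# Classify the first line of stderr from `sudoedit -s /` run as a non-root user.
# Unpatched builds fail later with "sudoedit: ..."; patched builds reject the
# -s/-i flags for sudoedit up front and print "usage: ...".
classify_probe_output() {
    case "$1" in
        sudoedit:*) echo vulnerable ;;
        usage:*)    echo patched ;;
        *)          echo unknown ;;
    esac
}

# Run the probe on this host. Must run unprivileged: as root the check is meaningless.
probe_system() {
    [ "$(id -u)" -ne 0 ] || { echo "run-as-non-root"; return 2; }
    classify_probe_output "$(sudoedit -s / 2>&1 >/dev/null | head -n 1)"
}

# Map "MAJOR.MINOR.PATCH[pN]" to one integer so ranges compare with -ge/-le.
version_num() {
    local v="$1" p=0
    case "$v" in *p*) p="${v##*p}"; v="${v%%p*}" ;; esac
    local IFS=.
    set -- $v
    echo $(( ${1:-0} * 1000000000 + ${2:-0} * 1000000 + ${3:-0} * 1000 + p ))
}

# Upstream ranges only: distributions backport fixes without bumping the version,
# so treat "affected" as "probe it", not as proof of exposure.
is_affected_version() {
    local n; n=$(version_num "$1")
    if { [ "$n" -ge "$(version_num 1.8.2)" ] && [ "$n" -le "$(version_num 1.8.31p2)" ]; } ||
       { [ "$n" -ge "$(version_num 1.9.0)" ] && [ "$n" -le "$(version_num 1.9.5p1)" ]; }; then
        echo affected
    else
        echo not-affected
    fi
}
# Version string from `sudo -V` (assumed first line: "Sudo version X.Y.Z").
installed_sudo_version() { sudo -V 2>/dev/null | sed -n '1s/^Sudo version //p'; }

if [ "${1:-}" = "--check" ]; then
    echo "version: $(installed_sudo_version) ($(is_affected_version "$(installed_sudo_version)"))"
    echo "probe:   $(probe_system)"
fi
```

Run it with `--check` as an ordinary user; the probe result is authoritative, the version comparison only tells you which hosts to look at first.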
In 2019, another Sudo vulnerability — tracked as CVE-2019-14287 — allowed unprivileged users to execute commands as root.
Luckily, that flaw could only be exploited in non-standard configurations, which meant that most systems running vulnerable Sudo versions were unaffected.