Bug in Linux sudo command could give any user root access
Researchers from Qualys have disclosed a vulnerability in the sudo utility that could be exploited to grant system administrator privileges to any user that is logged into a system.
The vulnerability, dubbed Baron Samedit (CVE-2021-3156), should be patched immediately, Qualys recommended.
The developers of sudo were informed about the security flaw on 13 January and the bug was patched on 19 January — a week before it was publicly disclosed.
Sudo is a widely used program in Unix-like operating systems. Qualys confirmed that the Baron Samedit bug was present in Linux distributions such as Ubuntu, Debian, and Fedora.
“Other operating systems and distributions are also likely to be exploitable,” Qualys stated.
The sudo utility is intended to allow you to run programs as a different user, especially the “super user” or root account, without actually logging in as that user.
It is considered safer to use sudo than to allow users to log in as root. Among other things, this guards against users inadvertently running rogue programs with full super user privileges.
The vulnerability in sudo was a heap-based buffer overflow that could be exploited by any local user account.
“Normally, sudo escapes special characters when running a command via a shell (sudo -s or sudo -i). However, it was also possible to run sudoedit with the -s or -i flags in which case no escaping had actually been done, making a buffer overflow possible,” the patch notes stated.
An attacker does not need to know or crack the user’s password to exploit this vulnerability. The user account from which the exploit code is executed also does not need to be listed in the “sudoers” file.
“Sudoers” is a special configuration file in which system administrators can set which programs any given user may run as root (or another user). If a user account is not listed in this file, it should essentially not be able to use sudo.
The Baron Samedit bug was introduced on 29 July 2011 (commit 8255ed69). Qualys noted that it affected all legacy versions of the program from versions 1.8.2 to 1.8.31p2, and all stable versions from versions 1.9.0 to 1.9.5p1 in their default configuration.
To check whether your system is vulnerable to the bug, Qualys said that you can run the following command:
sudoedit -s /
If the system is vulnerable, it will respond with an error that starts with “sudoedit:”.
If the system is patched, it will respond with an error that starts with “usage:”.
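As an added example (not part of the Qualys advisory or this article), the following POSIX shell script wraps the check above so it can be run unattended on many hosts, and adds a pre-check against the affected version ranges stated earlier; the function names are hypothetical.

```shell
#!/bin/sh
# Classify the first line printed by `sudoedit -s /` (the Qualys check
# for CVE-2021-3156): "sudoedit:" means unpatched, "usage:" means patched.
classify_sudoedit_output() {
  case "$1" in
    sudoedit:*) echo vulnerable ;;
    usage:*)    echo patched ;;
    *)          echo unknown ;;
  esac
}

# Run the check on this host. sudoedit writes its diagnostic to stderr,
# so merge it into stdout and classify the first line only.
check_this_host() {
  out=$(sudoedit -s / 2>&1 </dev/null | head -n 1)
  classify_sudoedit_output "$out"
}

# Turn a sudo version such as "1.8.31p2" into one integer so that ranges
# can be compared with plain arithmetic (a missing "pN" suffix counts as p0).
version_key() {
  v=$1; p=0
  case "$v" in *p*) p=${v##*p}; v=${v%p*} ;; esac
  IFS=. read -r a b c <<EOF
$v
EOF
  echo $(( a * 1000000 + b * 10000 + ${c:-0} * 100 + p ))
}

# Version pre-check using the ranges Qualys reported as affected in the
# default configuration: 1.8.2..1.8.31p2 and 1.9.0..1.9.5p1.
# Distribution packages often backport the fix without bumping the version,
# so treat a match as "needs the runtime check", not as proof of exposure.
sudo_version_affected() {
  k=$(version_key "$1")
  if   [ "$k" -ge "$(version_key 1.8.2)" ] && [ "$k" -le "$(version_key 1.8.31p2)" ]; then echo affected
  elif [ "$k" -ge "$(version_key 1.9.0)" ] && [ "$k" -le "$(version_key 1.9.5p1)" ];  then echo affected
  else echo not-in-range; fi
}
```

Call `check_this_host` on the machine being audited; its output (vulnerable, patched or unknown) is the authoritative result, while `sudo_version_affected "$(sudo -V | head -n 1 | awk '{print $3}')"` only narrows which hosts to look at first.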