
Another Sudo Root Privilege Escalation Vulnerability Got Patched, Update Now

Filed under
Security

Sudo 1.9.5p2 was released today and it addresses two security issues. The first, CVE-2021-3156 (a.k.a. Baron Samedit), was discovered by Qualys Research Labs and could allow local users (sudoers and non-sudoers) to obtain unintended access to the root (system administrator) account.

In addition, the new release patches CVE-2021-23239, a vulnerability discovered in Sudo’s sudoedit utility, which could allow a local attacker to bypass file permissions and determine if a directory exists or not. This security flaw affected Sudo versions before 1.9.5.

Read more

BleepingComputer

Anti-Linux writers rejoice

The original

  • CVE-2021-3156: Heap-Based Buffer Overflow in Sudo (Baron Samedit)

    Successful exploitation of this vulnerability allows any unprivileged user to gain root privileges on the vulnerable host. Qualys security researchers have been able to independently verify the vulnerability and develop multiple variants of exploit and obtain full root privileges on Ubuntu 20.04 (Sudo 1.8.31), Debian 10 (Sudo 1.8.27), and Fedora 33 (Sudo 1.9.2). Other operating systems and distributions are also likely to be exploitable.

Sudo vulnerability allows attackers to gain root privileges...

3 More

  • 10-year-old Sudo Bug Lets Linux Users Gain Root-Level Access
  • Sudo Flaw Gives Linux Users Root Access | Decipher

    Researchers from Qualys uncovered a major vulnerability in an application that allows administrators to delegate limited root access to regular users. While most major Linux distributions have released fixed versions of sudo, administrators still have to verify their systems are protected. Some of the smaller distributions may not yet have incorporated the fix.

    The vulnerability allows a regular user on a system to gain root access, even if the account is not listed as one of the authorized accounts in the /etc/sudoers configuration file. The regular user account also does not need to know the password in order to exploit the vulnerability. Qualys said the flaw impacts all Sudo installs using the sudoers file—which is the case for many Linux systems. Researchers have developed exploit variants for Debian 10 (Sudo 1.8.27), Ubuntu 20.04 (Sudo 1.8.31), and Fedora 33 (Sudo 1.9.2). Qualys coordinated the release of Sudo v1.9.5p2 to fix the flaw, CVE-2021-3156 (Baron Samedit).

  • Serious 10-year-old flaw in Linux sudo command; a new version patches it | Network World

    Linux users should immediately patch a serious vulnerability to the sudo command that, if exploited, can allow unprivileged users to gain root privileges on the host machine.

    Called Baron Samedit, the flaw has been “hiding in plain sight” for about 10 years, and was discovered earlier this month by researchers at Qualys and reported to sudo developers, who came up with patches Jan. 19, according to a Qualys blog. (The blog includes a video of the flaw being exploited.)

Critical Vulnerability Patched in 'sudo' Utility...

PSA: If your PC runs Linux, you should update Sudo now

  • PSA: If your PC runs Linux, you should update Sudo now

    Despite the fact that tens of thousands of contributors actively pore over the source code of the Linux kernel and various Unix utilities looking for security flaws, it’s not unheard of for serious bugs to go unnoticed. Just a day ago, the folks over at Qualys revealed a new heap-based buffer overflow attack vector that targets the “Sudo” program to gain root access. The bug this time seems to be quite serious, and the bug has existed within the codebase for almost 10 years! Although the privilege escalation vulnerability has already been patched, it could potentially be exploited on nearly every Linux distribution and several Unix-like operating systems.

An unpleasant sudo vulnerability

  • An unpleasant sudo vulnerability

    It would appear that "sudo" has a buffer-overflow vulnerability that allows any local user to gain root privileges, whether or not they are in the sudoers file. It has been there since 2011. See this advisory for details, but perhaps run an update first.

Sudo Bug Gives Root Access to Mass Numbers of Linux Systems

  • Sudo Bug Gives Root Access to Mass Numbers of Linux Systems

    Qualys said the vuln gives any local user root access to systems running the most popular version of Sudo.

    A doozy of a bug that could allow any local user on most Linux or Unix systems to gain root access has been uncovered — and it had been sitting there for a decade, researchers said.

    The bug was found in Sudo, a utility built into most Unix and Linux operating systems that lets a user without security privileges access and run a program with the credentials of another user. Qualys researchers named the vulnerability “Baron Samedit,” tracked as CVE-2021-3156. They said the bug popped into the Sudo code back in July 2011.

    [...]

    Here’s how the vuln works: Specifically, the bug is a heap-based buffer overflow in Sudo, which lets any local user trick it into running in “shell” mode.

    Sudo authors explained in a Tuesday advisory that when Sudo is running in shell mode, “it escapes special characters in the command’s arguments with a backslash.” Then, a policy plug-in removes any escape characters before deciding on the Sudo user’s permissions.

    But it’s not just a single bug which exposed these systems, it’s actually the combination of two bugs working in tandem in Sudo that makes the exploitation possible, the authors explained.

    “A bug in the code that removes the escape characters will read beyond the last character of a string if it ends with an unescaped backslash character,” the Sudo authors explained. “Under normal circumstances, this bug would be harmless since Sudo has escaped all the backslashes in the command’s arguments.”
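The two-bug combination the Sudo authors describe above (escapes added in shell mode, then an unescape routine that reads past the end of a string ending in an unescaped backslash) comes down to one missing check in a copy loop. The following is an added example written for this page, not sudo's code: a bounds-checked unescape routine that treats a trailing lone backslash as a literal byte and refuses to write past the destination buffer. The names `unescape_arg`, `unescape_matches` and `unescape_result` and the sample input are chosen here.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example for this page, not sudo's code. Sudo's shell mode
 * escapes special characters in command arguments with a backslash; a
 * policy plugin later strips those escapes. The flawed copy loop the
 * advisory describes looks at the byte after a backslash before making
 * sure one exists, so an argument ending in an unescaped backslash
 * makes it step over the NUL terminator and keep copying from beyond
 * the source string. Two independent guards prevent that class of bug:
 *   1. never consume an escape unless a following byte exists, and
 *   2. never write past the destination buffer, whatever the caller
 *      computed its size to be.
 *
 * Returns the number of bytes written (excluding the NUL), or -1 when
 * out_size is too small. A trailing lone backslash is copied literally.
 */
static long unescape_arg(const char *in, char *out, size_t out_size)
{
    size_t o = 0;

    if (out_size == 0)
        return -1;
    for (const char *p = in; *p != '\0'; p++) {
        char c = *p;
        /* Guard 1: a backslash is an escape only if a byte follows it. */
        if (c == '\\' && p[1] != '\0') {
            p++;            /* drop the escape, keep the escaped byte */
            c = *p;
        }
        /* Guard 2: leave room for the terminator, fail closed otherwise. */
        if (o + 1 >= out_size)
            return -1;
        out[o++] = c;
    }
    out[o] = '\0';
    return (long)o;
}

/* Check helper: unescape `in` into a scratch buffer of `cap` bytes
 * (cap <= 64) and report whether the result equals `expected`. */
static int unescape_matches(const char *in, size_t cap, const char *expected)
{
    char buf[64];
    if (cap > sizeof buf)
        return 0;
    return unescape_arg(in, buf, cap) >= 0 && strcmp(buf, expected) == 0;
}

/* Check helper: return unescape_arg's result for a `cap`-byte buffer. */
static long unescape_result(const char *in, size_t cap)
{
    char buf[64];
    if (cap > sizeof buf)
        return -1;
    return unescape_arg(in, buf, cap);
}

int main(void)
{
    /* Constructed input: an escaped space followed by a lone trailing
     * backslash, the shape that triggered the over-read. */
    const char *arg = "a\\ b\\";
    char out[16];
    long n = unescape_arg(arg, out, sizeof out);

    printf("input  : %s\n", arg);
    printf("output : %s (%ld bytes)\n", out, n);
    return n < 0;
}
```

Compiled stand-alone, the program prints the unescaped form of the constructed input `a\ b\`. The two guards are independent: the `p[1] != '\0'` check stops the source over-read the advisory describes, and the `out_size` check means a destination that was sized from a miscounted length fails closed instead of overflowing the heap.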

Decade-old vulnerability is still affecting most Linux distro

  • Decade-old vulnerability is still affecting most Linux distros

    Security researchers at Qualys discovered a privilege escalation vulnerability in one of the core utilities present in all Unix-like operating systems including Linux.

    If exploited, the heap overflow vulnerability in the Sudo utility could allow any unprivileged user to gain root privileges.

    The vulnerability, which has now been patched, has existed for almost a decade, according to a blog post by Animesh Jain, a Vulnerability Signatures Product Manager at Qualys.

Cyber Command, NSA warn to patch decade-old sudo vulnerability

  • Cyber Command, NSA warn to patch decade-old sudo vulnerability

    U.S. intelligence officials are urging American companies and security workers to fix a software flaw that, if exploited, would give attackers deep access to a victim machine.

    The vulnerability, which now has a patch, would have allowed unauthorized users to gain what’s known as root privileges on vulnerable hosts as early as 2011 when the flaw was introduced, researchers at the security firm Qualys found. Root access would enable hackers to obtain administrative privileges over a machine, and quietly collect sensitive information.

    The vulnerability has existed for 10 years in sudo, a common tool found on nearly all Unix and Linux-based operating systems that generally allows system administrators to give some approved users root privileges.

    The flaw affects legacy versions from 1.8.2 to 1.8.31p2 and all default versions from 1.9.0 to 1.9.5p1, according to Qualys.

‘One of the most beautiful bugs I’ve seen’: Decade-old sudo bug

  • ‘One of the most beautiful bugs I’ve seen’: Decade-old sudo bug grants Linux root access

    Cybersecurity researchers and the U.S. Cyber Command are warning users about a decade-old buffer overflow bug in sudo that can grant root access to malicious users with low level access to systems.

    The vulnerability, discovered by Qualys and nicknamed “Baron Samedit,” affects all versions of Linux Qualys has tested against. The glitch allows users, even those off the sudoers list, to gain root access. It has been patched in the latest release of sudo.

    “Any user – even the lowest of the low privileged – can access root,” said Mehul Revankar, vice president of product management and engineering at Qualys.

    Though other Sudo vulnerabilities have been found in the past, it’s rare that a bug affects any account, rather than accounts meeting specific conditions.

    “We expect millions of systems to be affected,” said Revankar.

Sudo Vulnerability 2021: 'Baron Samedit' Bug on Linux...

  • Sudo Vulnerability 2021: 'Baron Samedit' Bug on Linux Gives Attackers Free Root-Level Access

    A major vulnerability impacting a large chunk of the Linux ecosystem has been patched today in Sudo, an app that allows admins to delegate limited root access to other users.

    As reported by ZDNet, a major vulnerability was discovered two weeks ago that impacts the Linux ecosystem tremendously. Today, the problem has been patched by an app called Sudo which permits admins in Linux to consign limited root access for other users. It was fixed with the release of the Sudo v1.9.5p2.

    [...]

    Thankfully, Sudo has already fixed this problem for the Linux ecosystem. It can be found in sudo 1.9.5p2. Sudo added that if users want to check if their version of Sudo is vulnerable, they can key in the following commands to check:

    sudoedit -s '\' `perl -e 'print "A" x 65536'`

    Ideally, you should receive a usage or error message. This indicates that your version of Sudo is not vulnerable. On the other hand, if the result that arises is a Segmentation fault, then you can expect that your Sudo version is indeed vulnerable.

    Sudo's update should be applied as early as possible to prevent malicious acts by attackers. If you need to know more technical information about checking your Sudo status, you can check The Qualys advisory.
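The `sudoedit -s` one-liner quoted above probes the installed binary's behaviour directly; a complementary check when inventorying many hosts is to compare the reported version against the ranges this page cites as affected (legacy 1.8.2 through 1.8.31p2 and stable 1.9.0 through 1.9.5p1). The following C program is an added example for this page, not Qualys' or the sudo project's code; the function names `parse_sudo_version`, `sudo_version_affected` and `affected_from_banner` and the sample banner line are constructed here.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Added example for this page, not Qualys' or the sudo project's code.
 * Parses sudo version strings of the form "X.Y.Z" or "X.Y.ZpN" and
 * reports whether they fall inside the ranges quoted on this page as
 * affected by CVE-2021-3156: legacy 1.8.2 through 1.8.31p2 and stable
 * 1.9.0 through 1.9.5p1.
 */
struct sudo_ver {
    int major, minor, patch, plevel;   /* plevel is the "pN" suffix, 0 if absent */
};

/* Returns 1 and fills *v on success, 0 if s is not X.Y.Z or X.Y.ZpN. */
static int parse_sudo_version(const char *s, struct sudo_ver *v)
{
    char *end;

    v->plevel = 0;
    v->major = (int)strtol(s, &end, 10);
    if (end == s || *end != '.')
        return 0;
    s = end + 1;
    v->minor = (int)strtol(s, &end, 10);
    if (end == s || *end != '.')
        return 0;
    s = end + 1;
    v->patch = (int)strtol(s, &end, 10);
    if (end == s)
        return 0;
    if (*end == 'p') {
        s = end + 1;
        v->plevel = (int)strtol(s, &end, 10);
        if (end == s)
            return 0;
    }
    return *end == '\0';
}

/* Component-wise comparison: negative, zero or positive like strcmp. */
static int cmp_ver(const struct sudo_ver *a, const struct sudo_ver *b)
{
    if (a->major != b->major) return a->major - b->major;
    if (a->minor != b->minor) return a->minor - b->minor;
    if (a->patch != b->patch) return a->patch - b->patch;
    return a->plevel - b->plevel;
}

/* Inclusive range test against two version strings. */
static int in_range(const struct sudo_ver *v, const char *lo, const char *hi)
{
    struct sudo_ver l, h;
    if (!parse_sudo_version(lo, &l) || !parse_sudo_version(hi, &h))
        return 0;
    return cmp_ver(v, &l) >= 0 && cmp_ver(v, &h) <= 0;
}

/* 1 = inside an affected range, 0 = outside, -1 = unparseable. */
static int sudo_version_affected(const char *version)
{
    struct sudo_ver v;
    if (!parse_sudo_version(version, &v))
        return -1;
    return in_range(&v, "1.8.2", "1.8.31p2") || in_range(&v, "1.9.0", "1.9.5p1");
}

/* Same verdict from the first line of `sudo --version`, which reads
 * "Sudo version X.Y.Z"; returns -1 if no version token is found. */
static int affected_from_banner(const char *line)
{
    const char *p = strstr(line, "version ");
    char tok[32];
    size_t n;

    if (p == NULL)
        return -1;
    p += strlen("version ");
    n = strcspn(p, " \t\r\n");
    if (n == 0 || n >= sizeof tok)
        return -1;
    memcpy(tok, p, n);
    tok[n] = '\0';
    return sudo_version_affected(tok);
}

int main(int argc, char **argv)
{
    /* Constructed default; pass a version string to test another. */
    const char *version = argc > 1 ? argv[1] : "1.8.31";
    int r = sudo_version_affected(version);

    printf("sudo %s: %s\n", version,
           r == 1 ? "inside an affected range (verify the package changelog)"
         : r == 0 ? "outside the affected ranges" : "unparseable version");
    return r == 1 ? 2 : 0;
}
```

One caveat a practitioner would want: distribution packages commonly backport the fix without changing the upstream version that `sudo --version` prints, so a version-only verdict of "affected" is a prompt to check the package changelog or run the `sudoedit -s` test, not proof by itself; a verdict of "outside the affected ranges" for a parseable upstream version is the more reliable direction.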

Three more pieces

  • Bug in Linux sudo command could give any user root access

    Researchers from Qualys have disclosed a vulnerability in the sudo utility that could be exploited to grant system administrator privileges to any user that is logged into a system.

    Dubbed Baron Samedit (CVE-2021-3156), Qualys recommended that users apply patches for the vulnerability immediately.

    The developers of sudo were informed about the security flaw on 13 January and the bug was patched on 19 January — a week before it was publicly disclosed.

    Sudo is a widely used program in Unix-like operating systems. Qualys confirmed that the Baron Samedit bug was present in Linux distributions such as Ubuntu, Debian, and Fedora.

  • Weekly threat roundup: Apple, SonicWall, Linux Sudo

    A significant vulnerability in the Linux Sudo command could inadvertently grant unauthorised users root access to a system, even if the account isn’t listed as an authorised account.

    Sudo allows administrators to delegate limited root access to regular users, but the vulnerability tagged CVE-2021-3156 can be exploited by an unprivileged user to gain root privileges on a vulnerable host.

    The flaw has been hiding in plain sight for nearly a decade having been introduced in July 2011, according to Qualys security researchers. Multiple versions of Sudo are therefore likely to be affected, including legacy versions 1.8.2 to 1.8.31p2 and stable versions from 1.9.0 to 1.9.5p1.

  • Decade-Old Sudo Flaw Discovered

    A vulnerability has been discovered in the Linux sudo command that’s been hiding in plain sight.

    Sudo is the venerable tool that allows standard users to run admin tasks on Linux distributions. Without sudo, users would have to log into the system as the root user (or change to the root user with the su command), in order to run admin commands. Seeing as how that is looked upon as a security risk, sudo has become a required tool for many Linux admins and users.

    However, it has been discovered (by researchers at Qualys) that, for nearly a decade, sudo contained a heap-based buffer overflow vulnerability. This bug could allow any unprivileged user to gain root privileges using the default sudo configuration.

Sudo Vulnerability Discovered

Researchers: Beware of 10-Year-Old Linux Vulnerability

  • Researchers: Beware of 10-Year-Old Linux Vulnerability

    The vulnerability, called "Baron Samedit" by the researchers and officially tracked as CVE-2021-3156, is a heap-based buffer overflow in the Sudo utility, which is found in most Unix and Linux operating systems.

    Sudo is a utility included in open-source operating systems that enables users to run programs with the security privileges of another user, which would then give them administrative – or superuser – privileges.

    The bug, which appears to have been added into the Sudo source code in July 2011, was not detected until earlier this month, Qualys says.

    "Qualys security researchers have been able to independently verify the vulnerability and develop multiple variants of exploits and obtain full root privileges on Ubuntu 20.04 (Sudo 1.8.31), Debian 10 (Sudo 1.8.27), and Fedora 33 (Sudo 1.9.2). Other operating systems and distributions are also likely to be exploitable," the researchers say.

This Week In Security: Sudo, Database Breaches, And Ransomware

  • This Week In Security: Sudo, Database Breaches, And Ransomware

    Sudo is a super important Linux utility, as well as the source of endless jokes. What’s not a joke is CVE-2021-3156, a serious vulnerability around incorrect handling of escape characters. This bug was discovered by researchers at Qualys, and has been in the sudo codebase since 2011. If you haven’t updated your Linux machine in a couple days, you may very well be running the vulnerable sudo binary still. There’s a simple one-liner to test for the vulnerability:

    sudoedit -s '\' `perl -e 'print "A" x 65536'`

Linux sudo exploit gives root access

  • Linux sudo exploit gives root access

    Researchers have found a buffer overflow vulnerability in the Linux sudo program that means an ordinary user could give themselves root privileges.

    The Sudo command lets users act at higher security privilege levels – either as a superuser or some other user profile – so they can perform certain tasks without having full root access.

"Linux Flaw"

  • The Linux Flaw you can't afford to Ignore (CVE-2021-3156) [Ed: It is not a "Linux flaw" but a sudo flaw and it affects systems that are not Linux]

    Linux and Unix operating systems require regular patching like any IT system, but as security professionals, ethical hackers, and criminal hackers will tell you, regular Linux and Unix patching is often neglected.

