Notice on the Sudo Buffer Vulnerability (CVE-2021-3156)
Description
A security research team disclosed a heap-based buffer overflow vulnerability in sudo (CVE-2021-3156), a near-ubiquitous utility available on all major Unix-like operating systems. All legacy versions from 1.8.2 to 1.8.31p2 and all stable versions from 1.9.0 to 1.9.5p1 are affected. Any unprivileged user can exploit this vulnerability to gain root privileges on a vulnerable host, even under the default sudo configuration.
sudo is a powerful utility included in most, if not all, Unix- and Linux-based operating systems. It allows users to run programs with the security privileges of another user.
Type | CVE-ID | Severity | Discovered
---|---|---|---
Privilege escalation | CVE-2021-3156 | High | 2021-01-26
Impact
- All legacy versions from 1.8.2 to 1.8.31p2 (default configuration)
- All stable versions from 1.9.0 to 1.9.5p1 (default configuration)
Identification Method
- Log in to the system as a non-root user.
- Run the command sudoedit -s / to check for the vulnerability.
- If the system is vulnerable, the command responds with an error message that starts with sudoedit:.
- If the system is patched, the command responds with an error message that starts with usage:.
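The identification method above, and the self-check the Solution section asks for before upgrading, scripted as an added example (this is not part of the original notice). It runs the sudoedit -s / probe and classifies the first line of its response, and separately compares the sudo --version string against the affected ranges listed under Impact. It assumes sudoedit and sudo are on PATH for the live checks; the sample messages used in the comments are constructed.

```shell
#!/bin/sh
# Added example, not part of the original notice. Scripts the identification
# method: probe with "sudoedit -s /" and classify the first line of the
# response, plus a version-range check against the affected ranges listed
# under Impact. Assumes sudoedit and sudo are on PATH for the live checks.

# classify_sudoedit_output LINE
# Classifies the first line printed by "sudoedit -s /":
#   "sudoedit: ..." -> vulnerable  (unpatched sudo accepts -s in sudoedit mode)
#   "usage: ..."    -> patched     (fixed sudo rejects -s in sudoedit mode)
#   anything else   -> unknown     (e.g. sudoedit missing, unexpected message)
classify_sudoedit_output() {
  case "$1" in
    sudoedit:*) echo vulnerable ;;
    usage:*)    echo patched ;;
    *)          echo unknown ;;
  esac
}

# check_sudoedit
# Runs the probe as the current (non-root) user and classifies its first line.
# stdin is closed so the probe cannot block on a password prompt.
check_sudoedit() {
  first_line=$(sudoedit -s / 2>&1 </dev/null | head -n 1)
  classify_sudoedit_output "$first_line"
}

# sudo_version_key VERSION_STRING
# Extracts a version such as 1.8.31p2 from text like "Sudo version 1.8.31p2"
# (only the first line is considered) and prints a sortable integer key built
# from major, minor, patch and p-level; prints -1 if no version is found.
sudo_version_key() {
  printf '%s\n' "$1" | awk 'NR == 1 {
    v = ""
    for (i = 1; i <= NF; i++)
      if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+(p[0-9]+)?$/) v = $i
    if (v == "") { print "-1"; exit }
    n = split(v, a, "[.p]")
    p = (n >= 4) ? a[4] : 0
    print a[1] * 10000000 + a[2] * 100000 + a[3] * 100 + p
    exit
  }'
}

# sudo_version_affected VERSION_STRING
# Prints "affected" if the version falls in 1.8.2..1.8.31p2 or 1.9.0..1.9.5p1
# (the ranges listed under Impact), "not-affected" otherwise, and "unknown"
# if no version could be parsed. Distribution packages often backport the fix
# without changing the upstream version (the EulerOS patch packages in the
# Solution section keep upstream versions inside these ranges), so treat
# "affected" as a reason to run the sudoedit probe, not as a final verdict.
sudo_version_affected() {
  key=$(sudo_version_key "$1")
  if [ "$key" -lt 0 ]; then
    echo unknown
  elif { [ "$key" -ge 10800200 ] && [ "$key" -le 10803102 ]; } ||
       { [ "$key" -ge 10900000 ] && [ "$key" -le 10900501 ]; }; then
    echo affected
  else
    echo not-affected
  fi
}

# sudo_self_check
# Runs both checks on this host and prints one line per check. The probe
# result is the authoritative one; the version check only flags candidates.
sudo_self_check() {
  version_line=$(sudo --version 2>/dev/null | head -n 1)
  echo "sudo version:   ${version_line:-not found} -> $(sudo_version_affected "$version_line")"
  echo "sudoedit probe: $(check_sudoedit)"
}
```

Source the file and call sudo_self_check as an ordinary user (for example sh -c '. ./sudo_check.sh && sudo_self_check'). The version key packs the four numeric components so that a plain integer comparison orders releases correctly; it is only a pre-filter, because a vendor package such as sudo-1.8.6p7-23.h9 can already contain the fix while still reporting an upstream version inside the affected range.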
Solution
Upgrade sudo to a fixed version. Before upgrading, perform the self-check described under Identification Method to confirm whether the host is vulnerable.
- For CentOS: upgrade to sudo 1.9.5p2 or later. For other sudo releases, see https://www.sudo.ws/download.html.
- For EulerOS: obtain the sudo patch package for your release
  - EulerOS 2.2: https://mirrors.huaweicloud.com/euler/2.2/os/x86_64/updates/sudo-1.8.6p7-23.h9.x86_64.rpm
  - EulerOS 2.5: https://mirrors.huaweicloud.com/euler/2.5/os/x86_64/updates/sudo-1.8.19p2-14.h9.eulerosv2r7.x86_64.rpm
  - EulerOS 2.8: https://mirrors.huaweicloud.com/euler/2.8/os/aarch64/updates/sudo-1.8.23-3.h18.eulerosv2r8.aarch64.rpm