Help Center/ Cloud Container Engine/ Product Bulletin/ Vulnerability Notices/ Notice on the Sudo Buffer Vulnerability (CVE-2021-3156)
Updated on 2023-08-02 GMT+08:00

Notice on the Sudo Buffer Vulnerability (CVE-2021-3156)

Description

A security team disclosed the heap-based buffer overflow vulnerability in sudo (CVE-2021-3156), a near-ubiquitous utility available on major Unix-like operating systems. All legacy versions from 1.8.2 to 1.8.31p2 and all stable versions from 1.9.0 to 1.9.5p1 are affected. Any unprivileged user can gain root privileges on a vulnerable host using a default sudo configuration by exploiting this vulnerability.

sudo is a powerful utility included in most if not all Unix- and Linux-based OSs. It allows users to run programs with the security privileges of another user.

Table 1 Vulnerability information

Type

CVE-ID

Severity

Discovered

Privilege escalation

CVE-2021-3156

High

2021-01-26

Impact

  • All legacy versions from 1.8.2 to 1.8.31p2 (default configuration)
  • All stable versions from 1.9.0 to 1.9.5p1 (default configuration)

Identification Method

  1. Log in to the system as a non-root user.
  2. Run the sudoedit -s / command to scan the vulnerability.
    • If the system is vulnerable, it will respond with an error that starts with sudoedit:.
    • If the system is patched, it will respond with an error that starts with usage:.

Solution

Upgrade sudo to a secure version and perform a self-check before the upgrade.