Notice on the Sudo Buffer Vulnerability (CVE-2021-3156)

Description

A security team disclosed the heap-based buffer overflow vulnerability in sudo (CVE-2021-3156), a near-ubiquitous utility available on major Unix-like operating systems. All legacy versions from 1.8.2 to 1.8.31p2 and all stable versions from 1.9.0 to 1.9.5p1 are affected. Any unprivileged user can gain root privileges on a vulnerable host using a default sudo configuration by exploiting this vulnerability.

sudo is a powerful utility included in most if not all Unix- and Linux-based OSs. It allows users to run programs with the security privileges of another user.

Impact

• All legacy versions from 1.8.2 to 1.8.31p2 (default configuration)
• All stable versions from 1.9.0 to 1.9.5p1 (default configuration)

Identification Method

1. Log in to the system as a non-root user.
2. Run the sudoedit -s / command to scan the vulnerability.
   • If the system is vulnerable, it will respond with an error that starts with sudoedit:.
   • If the system is patched, it will respond with an error that starts with usage:.

Solution

Upgrade sudo to a secure version and perform a self-check before the upgrade.

• For CentOS: upgrade to sudo 1.9.5p2 or later

  For more versions of sudo, see https://www.sudo.ws/download.html.

• For EulerOS: obtain the sudo patch package
  • EulerOS 2.2: https://mirrors.huaweicloud.com/euler/2.2/os/x86_64/updates/sudo-1.8.6p7-23.h9.x86_64.rpm
  • EulerOS 2.5: https://mirrors.huaweicloud.com/euler/2.5/os/x86_64/updates/sudo-1.8.19p2-14.h9.eulerosv2r7.x86_64.rpm
  • EulerOS 2.8: https://mirrors.huaweicloud.com/euler/2.8/os/aarch64/updates/sudo-1.8.23-3.h18.eulerosv2r8.aarch64.rpm

Helpful Links

https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit