Linux securityJanuary 27, 20210Critical bug in sudo puts Linux and Unix systems at risk

Any logged-in unprivileged user can abuse an old bug in sudo to gain root privileges. It was rated as an important security issue for Linux and Unix-like operating systems. The Qualys research team has discovered the heap overflow vulnerability in sudo itself has been hiding in plain sight for nearly 10 years. The bug allows any local users to gain root access without authentication (no user’s password needed). We need to apply patches to our operating systems as soon as possible.

System administrators use the sudo command to grant specific user rights, such as restarting Nginx or restart Apache server for server management purposes. IT automation tools such as Ansible and others use sudo heavily too.

Critical bug in sudo puts Linux and Unix systems at risk

We have two critical sudo vulnerabilities:

It was discovered that Sudo incorrectly handled memory when parsing command lines. A local attacker could possibly use this issue to obtain unintended access to the administrator account. (CVE-2021-3156)
It was discovered that the Sudo sudoedit utility incorrectly handled checking directory permissions. A local attacker could possibly use this issue to bypass file permissions and determine if a directory exists or not. (CVE-2021-23239)

CVE-2021-3156: Heap-Based Buffer Overflow in Sudo (Baron Samedit)

From the blog post:

Sudo is a powerful utility that’s included in most if not all Unix- and Linux-based OSes. It allows users to run programs with the security privileges of another user. The vulnerability itself has been hiding in plain sight for nearly 10 years. It was introduced in July 2011 (commit 8255ed69) and affects all legacy versions from 1.8.2 to 1.8.31p2 and all stable versions from 1.9.0 to 1.9.5p1 in their default configuration. Successful exploitation of this vulnerability allows any unprivileged user to gain root privileges on the vulnerable host. Qualys security researchers have been able to independently verify the vulnerability and develop multiple variants of exploit and obtain full root privileges on Ubuntu 20.04 (Sudo 1.8.31), Debian 10 (Sudo 1.8.27), and Fedora 33 (Sudo 1.9.2). Other operating systems and distributions are also likely to be exploitable.

Mitigation

The problem can be corrected by updating your system to the following package versions.

Ubuntu and Debian Linux

You need to apply patched on Ubuntu version 16.04/18.04/20.04 LTS and 20.10 using the apt command/apt-get command:

sudo apt update
sudo apt upgrade
or just install sudo upgrade ##
sudo apt install sudo
sudo –version

For the stable Debian distribution (buster), this problem has been fixed in version 1.8.27-1+deb10u3. Hence run above commands on Debian too.

Arch Linux

Open the terminal app and then run the following pacman command:

sudo pacman -Syu

Red Hat Enterprise Linux 8.x/7.x and CentOS and Fedora Linux

Type dnf command or yum command to fix bug on RHEL 7.x/8.x and Fedora Linux:

sudo dnf update

Suse and OpenSUSE Linux

SUSE enterprise Linux version 12.x and 15.x are affected too. For example we can use the zypper command:

sudo zypper lp -a | grep -i sudo
sudo zypper up

FreeBSD

I have not tested this, but you need to update FreeBSD port or pkg by running the following pkg command:

sudo pkg update
sudo pkg upgrade

macOS

We have to wait for Apple to release an update.

Summing up

All of these are old buffer overflown bugs in sudo that any local user can exploit without a password or authentication. Hence, you must apply fixes to get rid of a critical bug in sudo. I am going to look into the doas utility, which is the default on OpenBSD. Of course, we can install doas from ports on NetBSD or FreeBSD. There is a Linux port too.

Source : cyberciti.biz