Linux Sudo Package Elevation of Privilege Vulnerability- CVE-2021-3156

Linux Sudo Package Elevation of Privilege Vulnerability- CVE-2021-3156

Advisory No: TZCERT/SA/2021/02/03

Date of First Release: 03^rd February 2021

Source: Sudo

Software Affected: 

Sudo versions 1.8.2 through 1.8.31p2 & 1.9.0 through 1.9.5p1

Overview:

A heap overflow vulnerability exists in sudo, a utility available in Unix operating systems. Successful exploitation of this vulnerability may allow an unprivileged user to gain root privileges, even though the user is not listed in the sudoers file.

Description:

The vulnerability is in the code that removes the escape characters, will read beyond the last character of a string if it ends with an unescaped backslash character. When sudo runs a command in shell mode, with -s or -i options, it escapes special characters in the command’s arguments with a backslash.

The attacker can use this bug to control the “user_args” size and cause a buffer overflow.

Impact:

Successful exploitation of the vulnerability could allow an unprivileged user to gain root privileges to the host system.

Solution:

There is no workaround for this vulnerability; however, users are advised to patch sudo to the latest stable version.

• To test whether your version of sudo is vulnerable.

Type the following command; Sudoedit -s /

A vulnerable version of sudo will either prompt for a password or display an error similar to sudoedit: /: not a regular file

A patched version of sudo will display a statement like the following:

usage: sudoedit [-AknS] [-a type] [-C num] [-c class] [-D directory] [-g group]

                [-h host] [-p prompt] [-R directory] [-T timeout] [-u user]

                file …

References:

1. https://www.sudo.ws/alerts/unescape_overflow.html 
2. https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit