Threat Watch

10-Year-Old Heap Buffer-Overflow Vulnerability Discovered in Sudo

In a recent disclosure, Qualys provides technical details about a heap buffer-overflow vulnerability in the “sudo” utility, which Unix and Linux system administrators use to perform administrative actions safely without staying logged in to the “root” account while doing other work. The bug, tracked as CVE-2021-3156, allows low-privilege users who are not authorized to use sudo to abuse it and gain root privileges. Because of how sudo works, this can be a costly vulnerability: access to sudo usually means access to root privileges and the ability to take over the system completely. The bug stems from an inconsistency in how escaped characters are read in shell mode; further details can be found in Qualys’ technical report and in a summary by the sudo maintainers.

ANALYST NOTES

This bug has severe consequences: an attacker with a foothold as a low-privilege user, or a malicious insider, can use it to gain higher privileges. That said, there are currently no known cases of the vulnerability being exploited in the wild. As of the time of writing, there are no Proof of Concept (PoC) exploits beyond the demonstration provided by Qualys. It is highly recommended to update to version 1.9.5p2 and to use sudo -V to verify the installed version across any Linux or other Unix-like systems.
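The verification step above is easy to get wrong by eye across a fleet, because sudo's version strings mix dotted numbers with a "pN" patch suffix (1.9.5p1 sorts below 1.9.5p2, and 1.8.31p2 sorts below 1.9.0). The following POSIX shell check is an added example written for this note; it is not code from the original post, from Qualys or from the sudo project. It parses the first line of sudo -V output, compares the version component by component against the 1.9.5p2 baseline named above, and reports whether the installed binary meets it. The function names, the output labels and the sample sudo -V text are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): compare the installed sudo
# version against the patched release named in the note, 1.9.5p2.

PATCHED_SUDO="1.9.5p2"   # baseline from the note above (assumption: upstream numbering)

# Turn a version string into four numeric fields: "1.9.5p2" -> "1 9 5 2",
# "1.8.31" -> "1 8 31 0", "1.9" -> "1 9 0 0".
sudo_version_key() {
    v="$1"
    base="${v%%p*}"
    case "$v" in
        *p*) patch="${v##*p}" ;;
        *)   patch=0 ;;
    esac
    maj="${base%%.*}"; rest="${base#*.}"
    min="${rest%%.*}"; rel="${rest#*.}"
    if [ "$rel" = "$rest" ]; then rel=0; fi   # no third component present
    printf '%d %d %d %d\n' "$maj" "$min" "$rel" "$patch"
}

# Exit status 0 when version $1 is greater than or equal to version $2.
version_ge() {
    set -- $(sudo_version_key "$1") $(sudo_version_key "$2")
    for pair in "$1:$5" "$2:$6" "$3:$7" "$4:$8"; do
        a=${pair%%:*}; b=${pair##*:}
        if [ "$a" -gt "$b" ]; then return 0; fi
        if [ "$a" -lt "$b" ]; then return 1; fi
    done
    return 0
}

# Pull the version out of `sudo -V` output, e.g. the first line
# "Sudo version 1.9.5p1" -> "1.9.5p1". Only the first line is used.
parse_sudo_v() {
    printf '%s\n' "$1" | sed -n 's/^Sudo version \([0-9][0-9.p]*\).*/\1/p' | head -n 1
}

# Print "patched" (status 0) or "below-1.9.5p2" (status 1) for a version string.
sudo_status_for_version() {
    if version_ge "$1" "$PATCHED_SUDO"; then
        echo patched
        return 0
    fi
    echo "below-$PATCHED_SUDO"
    return 1
}

# Constructed sample of `sudo -V` output, used to show the parser on known input.
SAMPLE_SUDO_V="Sudo version 1.9.5p1
Sudoers policy plugin version 1.9.5p1
Sudoers file grammar version 48"

# Live check on this host; skipped when sudo is not installed.
if command -v sudo >/dev/null 2>&1; then
    installed=$(parse_sudo_v "$(sudo -V 2>/dev/null || true)")
    if [ -n "$installed" ]; then
        printf 'installed sudo %s: %s\n' "$installed" "$(sudo_status_for_version "$installed")"
    fi
fi
printf 'sample   sudo %s: %s\n' "$(parse_sudo_v "$SAMPLE_SUDO_V")" \
    "$(sudo_status_for_version "$(parse_sudo_v "$SAMPLE_SUDO_V")")"
```

The script only inspects the sudo binary found first in PATH; hosts with a second copy installed from source need each binary checked. Distribution packages also frequently backport the fix while keeping an older upstream version number, so a "below-1.9.5p2" result on a vendor package should be confirmed against that vendor's advisory and package changelog before it is treated as unpatched.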

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3156
https://www.sudo.ws/alerts/unescape_overflow.html
https://www.zdnet.com/article/10-years-old-sudo-bug-lets-linux-users-gain-root-level-access/