According to the official description, the vulnerability is a heap-based buffer overflow, and it affects Sudo before 1.9.5p2. If exploited, the bug could lead to privilege escalation to root via “sudoedit -s” and a command-line argument that ends with a single backslash character. Discovered by the Qualys team of researchers, the flaw is now patched.
CVE-2021-3156 Technical Overview
The Sudo team has provided an explanation of the security issue:
A serious heap-based buffer overflow has been discovered in sudo that is exploitable by any local user. It has been given the name Baron Samedit by its discoverer. The bug can be leveraged to elevate privileges to root, even if the user is not listed in the sudoers file. User authentication is not required to exploit the bug.
Qualys’s analysis reveals that a successful exploit scenario could allow unprivileged users to obtain root privileges on the vulnerable host. The team was able to “independently verify the vulnerability and develop multiple variants of exploit and obtain full root privileges on Ubuntu 20.04 (Sudo 1.8.31), Debian 10 (Sudo 1.8.27), and Fedora 33 (Sudo 1.9.2).”
It should be noted that “other operating systems and distributions are also likely to be exploitable.” If you are interested in the more technical aspects of the vulnerability, you can also watch the proof-of-concept video that Qualys provided.
The most serious Sudo bug disclosed in recent years
Two other Sudo bugs were reported in the past couple of years, but CVE-2021-3156 is more severe. One of the previous bugs is CVE-2019-14287, and it involved the way Sudo implemented running commands with arbitrary user ID.
According to the official Red Hat advisory, if a sudoers entry was written to allow the attacker to run a command as any user except root, the flaw could have been used by the attacker to bypass that restriction. You can read more about this older issue in our article “Sudo Bug Allows Restricted Users to Run Commands as Root”.
The other older vulnerability is CVE-2019-18634, and exploiting it was also more challenging.
As for CVE-2021-3156, Qualys reports that all Sudo installations where the sudoers file (/etc/sudoers) is present are affected. This file can be seen in nearly all default Linux+Sudo installs.
The Sudo update is already available, and it should be applied immediately.
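As an added, defender-side inventory check (example code written for this article, not from Qualys or the Sudo project): the script below parses the version string that `sudo --version` prints and compares it against the affected ranges the Sudo project's advisory lists for CVE-2021-3156 (1.8.2 through 1.8.31p2 and 1.9.0 through 1.9.5p1, which the article summarizes as "before 1.9.5p2"). It handles the `pN` patch-level suffix that a naive numeric comparison gets wrong.

```python
import re
import subprocess
from typing import Optional, Tuple

Version = Tuple[int, int, int, int]  # (major, minor, patch, p-level)

# Affected ranges as published in the Sudo project's advisory for CVE-2021-3156.
# Anything below 1.8.2 or at/above 1.9.5p2 is outside both ranges.
AFFECTED_RANGES = (
    ((1, 8, 2, 0), (1, 8, 31, 2)),
    ((1, 9, 0, 0), (1, 9, 5, 1)),
)

# Matches "1.8.31", "1.9.5p2", and also a bare "1.9" (patch defaults to 0).
VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:p(\d+))?")


def parse_sudo_version(text: str) -> Optional[Version]:
    """Extract a 4-tuple version from a line such as 'Sudo version 1.8.31p2'."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch or 0), int(plevel or 0))


def is_affected_version(version: Version) -> bool:
    """True if the upstream version number falls inside an affected range."""
    return any(lo <= version <= hi for lo, hi in AFFECTED_RANGES)


def classify(version_line: str) -> str:
    """Turn one 'sudo --version' output line into a short verdict string."""
    v = parse_sudo_version(version_line)
    if v is None:
        return "unknown: could not parse a version number"
    if is_affected_version(v):
        # Distributions commonly backport the fix without bumping the upstream
        # version string, so this is a prompt to check the package changelog or
        # the vendor advisory, not a confirmed-vulnerable result.
        return "affected upstream version %d.%d.%dp%d: verify the distro package is patched" % v
    return "not in an affected range (%d.%d.%dp%d)" % v


def check_installed_sudo() -> str:
    """Run `sudo --version` on this host and classify its first output line."""
    try:
        proc = subprocess.run(["sudo", "--version"], capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return "unknown: sudo binary not found"
    first_line = proc.stdout.splitlines()[0] if proc.stdout else ""
    return classify(first_line)


if __name__ == "__main__":
    # Constructed sample lines (not captured from any real host) followed by a
    # live check of the machine the script runs on.
    for sample in ("Sudo version 1.8.31", "Sudo version 1.9.2", "Sudo version 1.9.5p2"):
        print(sample, "->", classify(sample))
    print("this host ->", check_installed_sudo())
```

Run it on each host you manage; a verdict of "affected upstream version" means the package needs the vendor's patched build (or an upgrade to 1.9.5p2 or later) unless the distribution's changelog shows the fix was backported under the same version number.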