Remember CVE-2021-3156, also known as Baron Samedit? It is a recently disclosed vulnerability affecting nearly the entire Linux ecosystem.
CVE-2021-3156 Also Affects macOS
According to the latest research, Linux is not the only environment that the vulnerability affects. Researcher Matthew Hickey says that the CVE-2021-3156 bug also impacts macOS. Only minor changes to the original exploit are needed to exploit the bug on macOS.
The original description indicated that the vulnerability is a heap-based buffer overflow affecting Sudo before 1.9.5p2. If exploited, the bug could lead to privilege escalation to root via “sudoedit -s” and a command-line argument that ends with a single backslash character.
A successful exploit scenario could allow unprivileged users to obtain root privileges on the vulnerable host. Qualys, the company that reported the flaw, independently verified it and developed multiple exploit variants to obtain full root privileges on Ubuntu 20.04 (Sudo 1.8.31), Debian 10 (Sudo 1.8.27), and Fedora 33 (Sudo 1.9.2).
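A quick way to triage hosts against the version boundary quoted above, as an added example (not code from the article, Qualys or the Sudo project): it parses the first line of `sudo -V` and compares it with 1.9.5p2, using the distribution versions listed above as sample inputs. The fixed version and the `Sudo version X.Y.ZpN` output format are assumed from the advisory text and sudo's usual behaviour.

```python
"""Version triage for CVE-2021-3156: is the installed sudo older than 1.9.5p2?
Added example, not code from the article or from the Sudo project."""
import re
import subprocess
from typing import Optional, Tuple

# First release the article names as fixed (Sudo "before 1.9.5p2" is affected).
FIXED_VERSION = "1.9.5p2"

# `sudo -V` prints e.g. "Sudo version 1.9.5p2" on its first line; the "pN"
# patch-level suffix is optional (1.8.31, 1.9.2, ...).
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?")


def parse_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Return (major, minor, patch, plevel) from a version string or a
    `sudo -V` line; a missing pN suffix counts as plevel 0. None if absent."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True if `version` sorts before the fixed release.
    Tuple comparison orders 1.9.5 < 1.9.5p1 < 1.9.5p2 < 1.9.6 correctly,
    which a plain string compare does not ("1.9.10" < "1.9.5" as strings)."""
    parsed = parse_version(version)
    if parsed is None:
        raise ValueError(f"no sudo version found in: {version!r}")
    return parsed < parse_version(fixed)


def installed_sudo_version() -> str:
    """First line of `sudo -V` on this host (same invocation on Linux and macOS)."""
    out = subprocess.run(["sudo", "-V"], capture_output=True, text=True, check=True)
    return out.stdout.splitlines()[0]


if __name__ == "__main__":
    # Constructed sample inputs: the distro builds named in the article.
    for sample in ("Sudo version 1.8.31", "Sudo version 1.8.27", "Sudo version 1.9.2"):
        print(sample, "->", "vulnerable" if is_vulnerable(sample) else "patched")
    line = installed_sudo_version()
    print(line, "->", "vulnerable (older than 1.9.5p2)" if is_vulnerable(line) else "patched")
```

Distribution packages often backport the fix without changing the upstream version string, so a "vulnerable" result is a prompt to check the package changelog or vendor advisory, not proof on its own.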
However, it now turns out that Macs running the latest version of Big Sur, 11.2, are also prone to the exploit. What is worse, Apple currently has no fix for it.
“CVE-2021-3156 also impacts @apple MacOS Big Sur (unpatched at present), you can enable exploitation of the issue by symlinking sudo to sudoedit and then triggering the heap overflow to escalate one’s privileges to 1337 uid=0. Fun for @p0sixninja,” the researcher shared on Twitter.
Vulnerability analyst Will Dormann confirmed the issue in macOS Big Sur on both x86_64 and aarch64.
Qualys, the security firm that first reported the bug, has updated their original advisory with the macOS details. However, the company hasn’t verified the exploit independently.
It is noteworthy that CVE-2021-3156 is considered the most severe Sudo issue in recent years. Two other bugs were reported in the past couple of years, but they weren’t as dangerous as this one.