Written by Joe Helle, Security Engineer
In early February 2021, Qualys released information regarding CVE-2021-3156, a buffer overflow vulnerability in Linux's Sudo program. Using a released exploit, unprivileged users can elevate their privileges to the root user on vulnerable hosts. Sudo is a common Unix and Linux program that allows lower-privileged users to execute programs with the security privileges of other users, including root.
The vulnerability, coined "Baron Samedit," was introduced a decade ago in Sudo commit 8255ed69. Vulnerable Sudo versions include older 1.8 releases, as well as every stable release from 1.9.0 through 1.9.5p1 in its default configuration. To date, Ubuntu 20.04 and 18.04, Debian 10, and Fedora have been confirmed as vulnerable. Because Sudo is so widely used, it is certain that other Unix and Linux operating systems are vulnerable as well.
Major endpoint vendors and OS distributions have begun rolling out updates to secure the vulnerable Sudo package. Updates for lesser-known or less widely used endpoints and OS versions are expected to be delayed, or may never arrive at all. If you rely on such distributions, we recommend migrating to better-known, actively supported versions of Linux.
To determine whether your system is vulnerable, run the following command in a Linux terminal:

sudoedit -s '\' $(python3 -c 'print("A"*1000)')

If the response contains "malloc(): memory corruption" followed by "Aborted (core dumped)", your system is vulnerable and needs to be patched.
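The check above is a manual, one-host test. The script below is an added example (not part of the original advisory and not Qualys' or the Sudo project's code) that wraps it for use in a fleet inventory: it classifies an installed Sudo version against the affected ranges published in the Qualys advisory (legacy 1.8.2 through 1.8.31p2, stable 1.9.0 through 1.9.5p1, fixed in 1.9.5p2) and interprets the output of the sudoedit crash test. The function names, the "--live" flag and the generic "sudoedit" error strings used for classification are assumptions of this example. A version-string match is only a hint, because distributions frequently backport the fix without changing the upstream version number; the behavioural test is what confirms exposure.

```shell
#!/bin/sh
# Added example: CVE-2021-3156 exposure check for one host.
# Not the advisory's own tooling; function names are this example's.

# Split a Sudo version string such as "1.8.31p2" into "1 8 31 2".
# The patch level ("p2") is 0 when absent.
parse_sudo_version() {
    v=$1
    p=0
    case "$v" in
        *p*) p=${v##*p}; v=${v%p*} ;;
    esac
    # shellcheck disable=SC2046
    set -- $(printf '%s' "$v" | tr '.' ' ')
    printf '%s %s %s %s\n' "${1:-0}" "${2:-0}" "${3:-0}" "$p"
}

# Returns 0 when the version lies inside a range listed as affected by
# Qualys: 1.8.2 .. 1.8.31p2 (legacy) or 1.9.0 .. 1.9.5p1 (stable).
# Distribution backports are invisible here, so treat 0 as "needs the
# behavioural test", not as proof of exposure.
sudo_version_in_affected_range() {
    # shellcheck disable=SC2046
    set -- $(parse_sudo_version "$1")
    # Encode as one sortable integer: major, minor, patch, patch level.
    n=$(( $1 * 1000000 + $2 * 10000 + $3 * 100 + $4 ))
    lo18=$(( 1 * 1000000 + 8 * 10000 + 2 * 100 + 0 ))
    hi18=$(( 1 * 1000000 + 8 * 10000 + 31 * 100 + 2 ))
    lo19=$(( 1 * 1000000 + 9 * 10000 + 0 * 100 + 0 ))
    hi19=$(( 1 * 1000000 + 9 * 10000 + 5 * 100 + 1 ))
    if [ "$n" -ge "$lo18" ] && [ "$n" -le "$hi18" ]; then return 0; fi
    if [ "$n" -ge "$lo19" ] && [ "$n" -le "$hi19" ]; then return 0; fi
    return 1
}

# Interpret the combined stdout/stderr of the sudoedit crash test from the
# advisory. "malloc(): memory corruption" is the vulnerable signature the
# advisory describes; a patched sudoedit rejects the -s flag and prints its
# usage text instead. Anything else is reported as unknown rather than guessed.
classify_sudoedit_output() {
    case "$1" in
        *"malloc(): memory corruption"*) echo vulnerable ;;
        *"usage:"*)                      echo patched ;;
        *)                               echo unknown ;;
    esac
}

# Run the advisory's test (1000 "A"s after a lone backslash) and classify it.
# Only invoked when the script is started with --live, so that a plain run
# stays side-effect free; sudoedit may abort, which is the expected signal.
live_check() {
    payload=$(head -c 1000 /dev/zero | tr '\0' 'A')
    out=$(sudoedit -s '\' "$payload" 2>&1 || true)
    classify_sudoedit_output "$out"
}

# Stand-alone entry point: report the installed version's range status, and
# run the behavioural test when asked to.
if command -v sudo >/dev/null 2>&1; then
    installed=$(sudo --version 2>/dev/null | sed -n 's/^Sudo version //p' | head -n 1)
    if sudo_version_in_affected_range "${installed:-0}"; then
        echo "sudo $installed: version inside an affected range (confirm with --live)"
    else
        echo "sudo $installed: version outside the affected ranges"
    fi
fi
if [ "${1:-}" = "--live" ]; then
    echo "behavioural test: $(live_check)"
fi
```

Run it without arguments on each host to triage by version, then with --live on the hosts that need confirmation; feed the "vulnerable" results into your patch queue and re-run after the Sudo package update lands.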
If you are concerned about this type of attack in your enterprise environment and need technical guidance on prevention, our teams can assist. The Security Team at Integration Partners can help test for this vulnerability in your environment. Please contact us using the form below for more information, and a member of the Integration Partners team will reach out.