Researchers from Qualys uncovered a major vulnerability in sudo, the utility that lets administrators delegate limited root access to regular users. While most major Linux distributions have released fixed versions of sudo, administrators still have to verify that their systems are protected, and some of the smaller distributions may not yet have incorporated the fix.
The vulnerability allows a regular user on a system to gain root access, even if the account is not listed as an authorized account in the /etc/sudoers configuration file, and the user does not need to know any password to exploit it. Qualys said the flaw affects all sudo installs that use the sudoers file, which is the case for most Linux systems. The researchers developed exploit variants for Debian 10 (sudo 1.8.27), Ubuntu 20.04 (sudo 1.8.31), and Fedora 33 (sudo 1.9.2). Qualys coordinated with major distributions to fix the flaw, CVE-2021-3156 (Baron Samedit), and made the details of the vulnerability public after both Ubuntu and Red Hat had released the fixed version of sudo.
"Other operating systems and distributions are also likely to be exploitable," Qualys said in its advisory.
The code containing the buffer overflow was introduced into sudo back in 2011, so the flaw affects all legacy versions from 1.8.2 to 1.8.31p2 and all stable versions from 1.9.0 to 1.9.5p1 in their default configuration.
Sudo is built around the principle of least privilege: users receive just enough permissions to get their work done and request elevated privileges on a task-by-task basis. This way, users do not hold broad higher-level privileges that could be abused, yet they can perform specific administrator-level tasks without logging in as root (the superuser account). Anyone with access to a regular user account (the user, malware that has compromised the account, an attacker who has phished the credentials) can trigger the vulnerability to obtain administrative privileges over the machine and then collect sensitive information or execute unauthorized code.
The National Security Agency warned this week of how prevalent and damaging this issue could be for those who don’t apply patches for the flaw.
It’s “a utility that is available in almost all major linux/unix OS versions,” said Rob Joyce, who has been serving as the NSA’s top intelligence officer in the U.K., where he is responsible for liaising with the U.K.’s Government Communications Headquarters or GCHQ.
Linux administrators who allow users to get elevated privileges using sudo should upgrade to the fixed version as soon as possible; as Rob Joyce, the incoming cybersecurity director of the National Security Agency, noted on Twitter, it is "available in almost all major linux/unix OS versions." While the upstream fixed version is sudo 1.9.5p2, some distributions have backported the fix to older version numbers, so administrators cannot rely on the version string alone to determine whether they are vulnerable. For example, Ubuntu 20.10 backported the fix into sudo 1.9.1, shipping it as package version 1.9.1-1ubuntu1.1; the distribution's security advisory, not the upstream version number, is the reference to check against.
One way to test a system is to log in as a non-root user and run sudoedit -s / from the shell. Vulnerable systems respond with an error starting with sudoedit: while patched ones respond with an error starting with usage:. The check must be run as a non-root user and requires the sudoedit binary to be present; it is a quick confirmation, not a substitute for verifying the installed package against the distribution's advisory.
The heap-based buffer overflow is triggered by sudo's incorrect handling of backslashes in command arguments, according to the changelog for sudo 1.9.5p2. When a command is run via a shell (sudo -s or sudo -i), sudo escapes special characters such as backslashes on the way in (marking them so they are treated as literal characters) and unescapes them again before matching the command against the sudoers policy. The researchers found that sudoedit could be invoked with the same -s or -i flags, in which case no escaping had actually been done, so the unescaping code could step over the terminating null of an argument ending in a single backslash and keep copying past the end of the heap buffer.
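The following is an added example, not sudo's code: a simplified reconstruction of the unescaping copy loop described above, run against a constructed argv-style byte layout, with the buffer sized the way the vulnerable code sizes it (from the first argument alone) and an illustrative bounds check beside it. The sample arguments, the function names and the scratch-buffer approach are all assumptions made for the demonstration; the "fixed" loop is an added hardening to show the missing check, not sudo's exact patch.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: two arguments laid out back to back, the way a
 * process's argv strings sit in memory. The first argument is a lone
 * backslash; the block ends with a double NUL. */
static const char sample_args[] = "\\\0next-arg\0";

/* Vulnerable pattern. The destination was sized for the first argument,
 * but when that argument ends in a single backslash the "skip the
 * backslash" step lands on the terminating NUL, the NUL is copied as an
 * ordinary byte, and the loop keeps reading and writing through the
 * following argument. To stay well-defined here, writes are capped at the
 * scratch buffer; the return value is what the unchecked loop would write. */
static size_t unescape_copy_vulnerable(const char *from, char *to, size_t cap)
{
    size_t n = 0;
    while (*from != '\0') {
        if (from[0] == '\\' && !isspace((unsigned char)from[1]))
            from++;                 /* may step onto the NUL terminator */
        if (n < cap)
            to[n] = *from;
        n++;
        from++;                     /* ...and then past it into the next string */
    }
    if (n < cap)
        to[n] = '\0';
    return n + 1;                   /* bytes written, terminator included */
}

/* Illustrative hardened copy (added bounds check, not sudo's exact patch):
 * never skip over a backslash that is the last byte of the argument. */
static size_t unescape_copy_fixed(const char *from, char *to, size_t cap)
{
    size_t n = 0;
    while (*from != '\0') {
        if (from[0] == '\\' && from[1] != '\0' && !isspace((unsigned char)from[1]))
            from++;
        if (n < cap)
            to[n] = *from;
        n++;
        from++;
    }
    if (n < cap)
        to[n] = '\0';
    return n + 1;
}

/* The allocation is sized from the visible length of the first argument. */
size_t demo_alloc_bytes(void)
{
    return strlen(sample_args) + 1;
}

size_t demo_vulnerable_bytes(void)
{
    char scratch[64];
    return unescape_copy_vulnerable(sample_args, scratch, sizeof scratch);
}

size_t demo_fixed_bytes(void)
{
    char scratch[64];
    return unescape_copy_fixed(sample_args, scratch, sizeof scratch);
}

/* 1 if the vulnerable loop would write past the sized allocation. */
int demo_overflows(void)
{
    return demo_vulnerable_bytes() > demo_alloc_bytes();
}

int main(void)
{
    printf("allocated %zu bytes; vulnerable loop writes %zu, fixed loop writes %zu -> %s\n",
           demo_alloc_bytes(), demo_vulnerable_bytes(), demo_fixed_bytes(),
           demo_overflows() ? "OVERFLOW" : "ok");
    return 0;
}
```

With the sample input the allocation is two bytes, the vulnerable loop writes ten (the copied NUL plus the whole next argument and its terminator), and the checked loop writes exactly two. In the real program the bytes that follow are the rest of argv and the environment, which is what gives an attacker control over how much is written.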
While Macs do not ship a sudoedit binary, there are reports suggesting that they can also be vulnerable: sudo decides whether it is in edit mode from the name it was invoked under, and creating a symlink (a soft link referencing a different file or directory) named sudoedit that points to sudo, then running the same test, returns the error message that indicates a vulnerable system. It is not yet clear whether the overflow can actually be exploited on Macs this way, but it is another thing for administrators to note.
Researchers have identified two other sudo vulnerabilities over the past two years that let regular users gain administrative privileges, but this flaw is the easiest to exploit, which makes it more dangerous. The earlier two, CVE-2019-14287 (the -1 UID bypass) and CVE-2019-18634 (the pwfeedback overflow), required non-standard sudoers configurations. By comparison, the latest vulnerability works in the default configuration and could easily be weaponized as part of a larger attack.
Cyber National Mission Force, a group within the Department of Defense’s Cyber Command, posted a warning on Twitter urging system administrators to pay attention to the issue: “We recommend applying patches as soon as available. This is a far more dangerous #Sudo vulnerability than seen in the recent past.”