Sudo security issue – CVE-2021-3156

According to the CVE entry there is a major bug in sudo, the command we use to elevate rights on Linux systems. The CVE states: “Sudo before 1.9.5p2 contains an off-by-one error that can result in a heap-based buffer overflow, which allows privilege escalation to root via "sudoedit -s" and a command-line argument that ends with a single backslash character”. Even though this issue was disclosed a while ago, there are still many servers that need to be patched.

How to check

Below we have an Ubuntu 20.04 server and the commands necessary to check whether our system is vulnerable. The same steps apply to any Linux system.

To check sudo version:

user@server:~$ sudo -V
Sudo version 1.8.21p2
Sudoers policy plugin version 1.8.21p2
Sudoers file grammar version 46
Sudoers I/O plugin version 1.8.21p2

On a vulnerable version, the command “sudoedit -s /” produces the following (or similar) output:

user@server:~$ sudoedit -s /
sudoedit: /: not a regular file

If the system is patched the output is:

user@server:~$ sudoedit -s /
usage: sudoedit [-AknS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p prompt] [-T timeout] [-u user] file ...
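The two checks above combined into a small POSIX sh script, added here as an example (it is not part of the original post). It parses the version from “sudo -V”, compares it against the fixed release 1.9.5p2, and classifies the “sudoedit -s /” output; the behavioural test takes precedence because distribution packages often backport the fix without changing the version number. The live run is opt-in through the assumed environment variable SUDO_CHECK_LIVE.

```sh
#!/bin/sh
# Added example (not from the original post): a single verdict from the
# version check and the sudoedit behaviour check described above.

# Version string from the first line of `sudo -V` (e.g. "Sudo version 1.8.21p2").
parse_sudo_version() {
  printf '%s\n' "$1" | awk '/^Sudo version/ { print $3; exit }'
}

# Map "X.Y.ZpN" to one integer so versions compare with -lt; a missing pN counts as 0.
version_num() {
  printf '%s\n' "$1" | awk -F'[.p]' '{ printf "%d\n", $1*1000000 + $2*10000 + $3*100 + ($4+0) }'
}

# True when the reported version predates the fixed release 1.9.5p2.
version_predates_fix() {
  [ "$(version_num "$1")" -lt "$(version_num 1.9.5p2)" ]
}

# Classify the output of `sudoedit -s /` exactly as the post describes.
classify_sudoedit_output() {
  case "$1" in
    *"not a regular file"*) echo vulnerable ;;
    usage:*)                echo patched ;;
    *)                      echo unknown ;;
  esac
}

# Combine both signals. The behavioural test wins: distro packages often
# backport the fix without bumping the version, so the version alone is a hint.
verdict() {
  ver=$1; edit_out=$2
  behaviour=$(classify_sudoedit_output "$edit_out")
  if [ "$behaviour" != unknown ]; then
    echo "$behaviour"
  elif version_predates_fix "$ver"; then
    echo "possibly-vulnerable (version $ver predates 1.9.5p2; confirm manually)"
  else
    echo patched
  fi
}

# Live run only when explicitly requested (assumed variable SUDO_CHECK_LIVE=1),
# so the functions above can be sourced and tested without touching sudo.
if [ "${SUDO_CHECK_LIVE:-0}" = 1 ] && command -v sudoedit >/dev/null 2>&1; then
  ver=$(parse_sudo_version "$(sudo -V 2>&1)")
  out=$(sudoedit -s / 2>&1 || true)
  echo "sudo $ver: $(verdict "$ver" "$out")"
fi
```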

Qualys, the security company that discovered the bug, states that macOS, AIX and Solaris are also affected by this heap overflow vulnerability in sudo. The proof of concept can be found in this video.

How to fix it

To patch sudo with the latest version, go to the Sudo download page, get the latest release and follow the steps below. At the time of writing the latest version is sudo-1.9.6p1.

tar xzvf sudo-1.9.6p1.tar.gz
cd sudo-1.9.6p1
./configure
make && sudo make install

The easier way is to run sudo apt upgrade or sudo yum upgrade; this patches the issue but may not upgrade to the latest version.

This vulnerability is a big issue and the patch must be applied as soon as possible to close this hole in any Linux system.