10-year old security vulnerability in sudo fixed (CVE-2021-3156)

  • Thread starter Wrichik Basu
In summary, a recent vulnerability in the Linux sudo command allowed privilege escalation to root, but it is not a significant threat to personal users because exploiting it requires access to an existing normal user session. It also affects WSL on Windows and macOS; since the bug is in sudo itself, it was inevitable that it would affect other operating systems that ship it. However, there are more pressing security threats for individuals to be concerned about.
  • #1
Wrichik Basu
TL;DR Summary
There was a serious vulnerability in the Linux sudo command which, if exploited, allowed any user to gain root privileges on any machine.
There was a Heap-based Buffer Overflow, allowing privilege escalation to root via sudoedit -s and a command-line argument that ends with a single backslash character.

The vulnerability was discovered earlier this month by researchers at Qualys and reported to the developers. Check out their blog for details. The blog post also has a video demonstrating the vulnerability:



According to this website, you can check whether your system is vulnerable in the following way:
Another way to determine if your systems are vulnerable is to run a command such as sudoedit -s /. If the command returns a usage statement, your system is OK. If it returns an error starting with sudoedit, you need the patch.
In Ubuntu, the patched sudo version depends on the version of the OS you are running. See this page for details.

Make sure you update your computer(s) if you are running Linux!
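A small wrapper for the check quoted above, as an added example that is not part of the original post: it runs `sudoedit -s /` and classifies the answer, assuming the two outcomes the thread describes (a usage message when patched, an error starting with "sudoedit:" when vulnerable).

```shell
#!/bin/sh
# Added example (not from the thread): wrap the CVE-2021-3156 check so it can be
# run on several machines and its result parsed rather than eyeballed.
# Assumes the two outcomes described in the thread: a patched sudo answers with a
# usage message, a vulnerable one with an error beginning "sudoedit:".

# Classify the combined stdout+stderr of `sudoedit -s /`.
# Prints one of: patched, vulnerable, unknown.
classify_sudoedit_output() {
    case "$1" in
        usage:*)    echo patched ;;     # -s rejected before anything else runs
        sudoedit:*) echo vulnerable ;;  # reached the buggy argument handling
        *)          echo unknown ;;     # sudoedit missing, or some other message
    esac
}

# Run the check on this host. Run it as an ordinary user: the bug is about what
# an unprivileged user can do, and neither outcome asks for a password.
check_local_sudo() {
    if ! command -v sudoedit >/dev/null 2>&1; then
        echo unknown
        return 0
    fi
    # `|| true`: both outcomes exit non-zero, which must not abort under set -e.
    out=$(sudoedit -s / </dev/null 2>&1 || true)
    classify_sudoedit_output "$out"
}

# Version strings are a weaker signal: distributions backport the fix without
# bumping sudo's upstream version, so "sudo --version" alone can still say
# 1.8.31 on a host that is already patched. Report it only as context.
report() {
    ver=$(sudo --version 2>/dev/null | head -n 1 || true)
    printf 'sudo: %s\nCVE-2021-3156: %s\n' "${ver:-not installed}" "$(check_local_sudo)"
}

report
```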
  • #2
This applies to WSL on Windows too! Yikes!

Jedi

-----------------------------------------

The real classic vulnerability was described in the Cuckoo's Egg book by Cliff Stoll where the hacker used a trick of editing a file remotely, disconnecting, and signing back on again.

https://en.wikipedia.org/wiki/The_Cuckoo's_Egg_(book)

and the spy

https://en.wikipedia.org/wiki/Markus_Hess

The trick was prior to that action he had created a script file called bin and had replaced the / character in an environment parameter with a space character.

When the VI editor went to save the file during the disconnect it would use superuser mode to save it with permissions for the specific user acct that was editing it and send an email to that user indicating where the file could be found in the /tmp directory.

Vi would call "/bin/mail", but the environment change meant it called "bin mail", so whatever commands he placed in the bin file were executed in superuser mode; he created his own superuser acct via that route.

-------------------

Another classic vulnerability was when Unix allowed admins to send its source code which it would compile and save in the /bin or /usr/bin directories.

You can imagine the fun hackers had with this feature. I think the Morris worm used it way back when.

https://en.wikipedia.org/wiki/Morris_worm
  • #3
Wrichik Basu said:
Summary:: There was a serious vulnerability in the Linux sudo command which, if exploited, allowed any user to gain root privileges on any machine.

...

Make sure you update your computer(s) if you are running Linux!
Well yes, you should always keep your OS up to date, but this vulnerability is not a material threat to anyone using Linux on their personal computer because there is no way an attacker can access a normal user session in order to be able to escalate it using the vulnerable sudoedit.

jedishrfu said:
This applies to WSL on Windows too! Yikes!
Doesn't every WSL session run with sudo privileges anyway?
  • #4
No, Ubuntu WSL does not run with sudo privileges by default - 16.04 Ubuntu, Windows 10 build 19041 on my box. The bug is not invoked with the 'sudoedit -s /' command. From what was said it appears that WSL must have been patched to fix the bug. Never tried that command until now.
  • #5
jim mcnamara said:
No, Ubuntu WSL does not run with sudo privileges by default - 16.04 Ubuntu, Windows 10 build 19041 on my box.

Really? How do you do anything with it then? From https://docs.microsoft.com/en-us/windows/wsl/user-support:
Once you have enabled WSL and installed a Linux distribution from the Microsoft Store, the first step you will be asked to complete when opening your newly installed Linux distribution is to create an account, including a User Name and Password.
  • This User Name and Password is specific to each separate Linux distribution that you install and has no bearing on your Windows user name.
  • Once you create a User Name and Password, the account will be your default user for the distribution and automatically sign-in on launch.
  • This account will be considered the Linux administrator, with the ability to run sudo (Super User Do) administrative commands.

jim mcnamara said:
From what was said it appears that WSL must have been patched to fix the bug.
Isn't the bug in the Linux distro itself rather than WSL, so it will have been fixed if you have done sudo apt update, or maybe unattended-upgrades is enabled by default?
  • #6
Updates are enabled, yes. And if sudo privs were obtained via sudo "at login" or instantiation of the WSL object then
Code:
su root  #or another name
would not cause a sudo prompt. Try it. Are we talking past each other? Or do I fail to understand some basic tenet of sudo? Too much HP-UX...
  • #7
jim mcnamara said:
Are we talking past each other?
Yes I think we must be :smile:
  • #9
jedishrfu said:
It's difficult to see that as a 'twist', it was pretty much inevitable (unless Apple had found the bug sometime in the last 10 years since it was introduced, forked sudo, patched the code to fix the bug and not told anyone about it: this would be antisocial behavior even for Apple).

But it is still only something for IT departments to worry about, the 'OMG' reactions here are the result of a cognitive bias* that is out of place in a forum with a scientific basis. There are plenty of real threats to individuals' data security to worry about (for example phishing and social engineering); inflating concern about a non-material threat is only good for increasing clicks on media sites and diverting attention away from malicious activity.

* I can't remember the term for this specific bias (exaggerating the importance of threats that have a complicated technical aspect) - perhaps it is just 'fear of the unknown'.

FAQ: 10-year old security vulnerability in sudo fixed (CVE-2021-3156)

1. What is CVE-2021-3156?

CVE-2021-3156 is a security vulnerability that was discovered in the sudo program, a commonly used tool on Linux and Unix operating systems for running commands with the privileges of another user, typically root.

2. How long has this vulnerability been present?

This vulnerability has been present for approximately 10 years, as it was introduced in sudo version 1.8.2 released in July 2011.

3. How does this vulnerability affect users?

This vulnerability allows attackers to gain root access to a system by exploiting a flaw in the sudo program. This means that they can potentially take control of the entire operating system and access sensitive data or make malicious changes.

4. Has this vulnerability been fixed?

Yes, the vulnerability has been fixed in the latest version of sudo (1.9.5p2) released on February 2, 2021. Users are advised to update to this version or newer to protect their systems from potential attacks.

5. Are there any other steps that users can take to protect against this vulnerability?

Aside from updating to the latest version of sudo, users can also implement other security measures such as limiting the use of sudo privileges to only necessary users and commands, and regularly monitoring system logs for any suspicious activity.
