Just in Time Bulletin: CVE-2021-3156

What is CVE-2021-3156?

CVE-2021-3156 is a heap overflow vulnerability in sudo, a near-ubiquitous utility available on major Unix-like operating systems, including Debian, Ubuntu, Kali Linux and more. By exploiting this vulnerability, any unprivileged user can gain root privileges on a vulnerable host running a default sudo configuration, provided that the user is included in a “sudoer” list.

Qualys security researchers who discovered the nearly 10-year-old bug (CVE-2021-3156) say it was first introduced in July 2011 and impacts all versions of sudo from 1.8.2 to 1.8.31p2 and 1.9.0 through 1.9.5p1.

How bad is this?

Active exploitation today: Exploited in the wild

Severity: Critical

  • Credentials for an unprivileged sudoer user are required
  • Privilege escalation to root

The successful exploitation of CVE-2021-3156 allows an attacker to gain root-level (administrative) access on Linux and Unix systems, even if the account has no rights granted via sudo.

Who is affected by this?

  • Red Hat Enterprise Linux 6 Extended Lifecycle Support
  • Red Hat Enterprise Linux 7
  • Red Hat Enterprise Linux 7.2 Advanced Update Support
  • Red Hat Enterprise Linux 7.3 Advanced Update Support
  • Red Hat Enterprise Linux 7.4 Advanced Update Support
  • Red Hat Enterprise Linux 7.4 Telco Extended Update Support
  • Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions
  • Red Hat Enterprise Linux 7.6 Extended Update Support
  • Red Hat Enterprise Linux 7.7 Extended Update Support
  • Red Hat Enterprise Linux 8
  • Red Hat Enterprise Linux 8.1 Extended Update Support
  • Red Hat Enterprise Linux 8.2 Extended Update Support
  • Red Hat Virtualization 4
  • Ubuntu 20.10
    • sudo – 1.9.1-1ubuntu1.1
    • sudo-ldap – 1.9.1-1ubuntu1.1
  • Ubuntu 20.04
    • sudo – 1.8.31-1ubuntu1.2
    • sudo-ldap – 1.8.31-1ubuntu1.2
  • Ubuntu 18.04
    • sudo – 1.8.21p2-3ubuntu1.4
    • sudo-ldap – 1.8.21p2-3ubuntu1.4
  • Ubuntu 16.04
    • sudo – 1.8.16-0ubuntu1.10
    • sudo-ldap – 1.8.16-0ubuntu1.10
  • Debian 8 (jessie)
  • Debian 9 (stretch)
  • Debian 10 (buster)
  • Debian (bullseye)
  • Debian (sid)
  • Fedora 33
  • Gentoo, any version older than 1.9.5_p2

How are they exploited?

Sudo is a powerful utility that’s included in most, if not all, Unix- and Linux-based OSes. It allows users to run programs with the security privileges of another user. The vulnerability itself has been hiding in plain sight for nearly 10 years. It was introduced in July 2011 (commit 8255ed69) and affects all legacy versions from 1.8.2 to 1.8.31p2 and all stable versions from 1.9.0 to 1.9.5p1 in their default configuration.

Successful exploitation of this vulnerability allows any unprivileged user to gain root privileges on the vulnerable host. Qualys security researchers have been able to independently verify the vulnerability and develop multiple exploit variants, obtaining full root privileges on Ubuntu 20.04 (Sudo 1.8.31), Debian 10 (Sudo 1.8.27), and Fedora 33 (Sudo 1.9.2). Other operating systems and distributions are also likely to be exploitable.

How do I protect myself?

The bug has been fixed in sudo 1.9.5p2, downloadable from here.

Patched vendor-supported versions have been provided by Ubuntu, Red Hat, Debian, Fedora, Gentoo, and others.
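As an added example (not part of this bulletin or of the sudo project), the following script triages hosts against the affected ranges stated above by parsing the version line of `sudo --version`, treating sudo's `pN` suffix as a patch level so that 1.9.5p1 sorts below the fixed 1.9.5p2. The range boundaries and the `assess` classification are this example's own choices.

```python
import re
import subprocess

# Upstream sudo versions the bulletin lists as affected (inclusive ranges):
# legacy 1.8.2 .. 1.8.31p2 and stable 1.9.0 .. 1.9.5p1. Fixed in 1.9.5p2.
AFFECTED_RANGES = (
    ((1, 8, 2, 0), (1, 8, 31, 2)),
    ((1, 9, 0, 0), (1, 9, 5, 1)),
)
FIXED_VERSION = (1, 9, 5, 2)

# Matches the first line of `sudo --version`, e.g. "Sudo version 1.8.31p2".
_VERSION_RE = re.compile(r"^Sudo version (\d+)\.(\d+)\.(\d+)(?:p(\d+))?", re.M)


def parse_sudo_version(output):
    """Return (major, minor, patch, plevel) from `sudo --version` output.

    sudo's "pN" suffix is a patch level; a release with no suffix is level 0,
    so 1.9.5 < 1.9.5p1 < 1.9.5p2 under plain tuple comparison.
    """
    m = _VERSION_RE.search(output)
    if m is None:
        raise ValueError("no 'Sudo version' line found in output")
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def is_affected_upstream(version):
    """True if an upstream sudo version tuple falls inside an affected range."""
    return any(lo <= version <= hi for lo, hi in AFFECTED_RANGES)


def assess(output):
    """Classify `sudo --version` output as 'affected', 'fixed' or 'unaffected'."""
    version = parse_sudo_version(output)
    if is_affected_upstream(version):
        return "affected"
    return "fixed" if version >= FIXED_VERSION else "unaffected"


if __name__ == "__main__":
    # Run against the local host; `sudo --version` needs no privileges.
    out = subprocess.run(["sudo", "--version"], capture_output=True, text=True).stdout
    print(out.splitlines()[0], "->", assess(out))
```

Distributions backport the fix without changing the upstream version string, so a patched Ubuntu 20.04 host (package 1.8.31-1ubuntu1.2) still reports "Sudo version 1.8.31" and is flagged here as affected; treat the result as a prompt to confirm the installed package version with the package manager (for example `dpkg -s sudo`), not as a final verdict.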

Additional Resources: