[RITL] FW: [cv-announce-l] Heap-based Buffer Overflow in sudo (CVE-2021-3156)

Chuck Forsyth charles.forsyth at ucr.edu
Tue Jan 26 14:35:15 PST 2021


Dear RITL,

Please be aware.
I know many of our systems use sudo.

Regards,
Chuck Forsyth

From: Terry Fleury <tfleury at illinois.edu>
Sent: Tuesday, January 26, 2021 2:15 PM
To: cv-announce at trustedci.org
Subject: [cv-announce-l] Heap-based Buffer Overflow in sudo (CVE-2021-3156)


CI Operators:

A heap-based buffer overflow vulnerability that could lead to privilege escalation has been discovered in 'sudo' [1] (CVE-2021-3156 [2]). The vulnerable code was introduced in 2011 and affects all legacy versions of sudo from v1.8.2 to v1.8.31p2, and all stable versions from v1.9.0 to v1.9.5p1, using default configurations.


Impact:

The vulnerability is exploitable by any local user. The attacker does not need to know the user's password, nor be a part of any sudoers list. Successful exploitation of this vulnerability could lead to privilege escalation.


How to Check:

As a non-root user account, run the following:

    sudoedit -s '\' `perl -e 'print "A" x 65536'`

A vulnerable system will segfault or show a similar error indicating memory corruption.


Affected Software:

* sudo 1.8.25p1 (CentOS 8)

* sudo 1.8.19p1 (Debian 9)

* sudo 1.8.27   (Debian 10)

Note: Other OS and distributions are also likely to be exploitable.


Recommendation:

If your system has local user accounts, update to the latest version of 'sudo' available for your operating system. After updating, run the command in "How to Check" above to verify the patch. Until then, one potential mitigation is to use 'systemtap' as described in the Red Hat announcement for this issue [3].


References:

[1] https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit

[2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3156

[3] https://access.redhat.com/security/cve/CVE-2021-3156


How Trusted CI can help:

The potential impact of any vulnerability, and therefore the appropriate response, depends in part on operational conditions that are unique to each cyberinfrastructure deployment. Trusted CI cannot provide a one-size-fits-all severity rating and response recommendation for all NSF cyberinfrastructure. Please contact us (https://trustedci.org/help/) if you need assistance with assessing the potential impact of this vulnerability in your environment and/or you have additional information about this issue that should be shared with the community.


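As an added example (not part of the advisory or of either message above): a POSIX shell helper that parses the version printed by `sudo --version` and compares it against the affected ranges stated in the advisory (1.8.2 to 1.8.31p2 and 1.9.0 to 1.9.5p1). It assumes upstream-style version strings such as `1.8.31p2`; because distributions backport the fix without changing that string, a match only means the "How to Check" command above should be run, not that the host is confirmed vulnerable.

```shell
#!/bin/sh
# Added example for CVE-2021-3156 triage; not code from the advisory.
# Assumption: version strings look like "1.8.31p2" or "1.9.0" (upstream form).

# Turn "MAJOR.MINOR.PATCH[pN]" into one integer so ranges can be compared
# with plain -ge/-le. 1.8.31p2 -> 1008031002
sudo_version_key() {
    v=$1
    case $v in
        *p*) base=${v%p*}; pnum=${v##*p} ;;
        *)   base=$v;      pnum=0 ;;
    esac
    oldifs=$IFS; IFS=.
    set -- $base            # word-split on "." into major minor patch
    IFS=$oldifs
    echo $(( $1 * 1000000000 + $2 * 1000000 + ${3:-0} * 1000 + $pnum ))
}

# Exit 0 when the version falls inside a range named in the advisory, 1 otherwise.
is_vulnerable_sudo_version() {
    k=$(sudo_version_key "$1")
    lo18=$(sudo_version_key 1.8.2);  hi18=$(sudo_version_key 1.8.31p2)
    lo19=$(sudo_version_key 1.9.0);  hi19=$(sudo_version_key 1.9.5p1)
    if [ "$k" -ge "$lo18" ] && [ "$k" -le "$hi18" ]; then return 0; fi
    if [ "$k" -ge "$lo19" ] && [ "$k" -le "$hi19" ]; then return 0; fi
    return 1
}

# Pull the upstream version out of `sudo --version` output, whose first
# line reads "Sudo version 1.8.31p2" (the plugin lines that follow are ignored).
sudo_version_from_output() {
    printf '%s\n' "$1" | sed -n 's/^Sudo version \([0-9][0-9.p]*\).*/\1/p' | head -n 1
}

# Constructed sample of `sudo --version` output, not captured from a real host.
SAMPLE_OUTPUT='Sudo version 1.8.31p2
Sudoers policy plugin version 1.8.31p2
Sudoers file grammar version 46'

ver=$(sudo_version_from_output "$SAMPLE_OUTPUT")
if is_vulnerable_sudo_version "$ver"; then
    echo "sudo $ver is in an affected range: run the sudoedit check from the advisory"
else
    echo "sudo $ver is outside the affected ranges"
fi
```

On a real host, replace the constructed sample with `"$(sudo --version)"`; a version outside the ranges does not need the segfault check, while a version inside them still needs it to tell a backported fix from an unpatched build.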