<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman",serif;
color:black;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman",serif;
color:black;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman",serif;
color:black;}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body bgcolor="white" lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Dear RITL,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Please be aware.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">I know many of our systems use sudo.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Regards,</span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p></o:p></span></p>
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Arial",sans-serif;color:#0B5AB2">Chuck Forsyth</span></b><span style="font-size:11.0pt;font-family:"Arial",sans-serif"><o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:windowtext">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:windowtext"> Terry Fleury <tfleury@illinois.edu>
<br>
<b>Sent:</b> Tuesday, January 26, 2021 2:15 PM<br>
<b>To:</b> cv-announce@trustedci.org<br>
<b>Subject:</b> [cv-announce-l] Heap-based Buffer Overflow in sudo (CVE-2021-3156)<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p style="margin:0in;margin-bottom:.0001pt"><span style="font-size:11.0pt;font-family:"Arial",sans-serif">CI Operators:</span><o:p></o:p></p>
<p style="margin:0in;margin-bottom:.0001pt"><span style="font-size:11.0pt;font-family:"Arial",sans-serif">A heap-based buffer overflow vulnerability that could lead to privilege escalation has been discovered in 'sudo' [1] (CVE-2021-3156 [2]). The vulnerable
code was introduced in 2011 and affects all legacy versions of sudo from v1.8.2 to v1.8.31p2, and all stable versions from v1.9.0 to v1.9.5p1, using default configurations.</span><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p style="margin:0in;margin-bottom:.0001pt"><span style="font-size:11.0pt;font-family:"Arial",sans-serif">Impact:</span><o:p></o:p></p>
<p style="margin:0in;margin-bottom:.0001pt"><span style="font-size:11.0pt;font-family:"Arial",sans-serif">The vulnerability is exploitable by any local user. The attacker does not need to know the user's password, nor be a part of any sudoers list. Successful
exploitation of this vulnerability could lead to privilege escalation.</span><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p style="margin:0in;margin-bottom:.0001pt"><span style="font-size:11.0pt;font-family:"Arial",sans-serif">How to Check:</span><o:p></o:p></p>
<p style="margin:0in;margin-bottom:.0001pt"><span style="font-size:11.0pt;font-family:"Arial",sans-serif">As a non-root user account, run the following:</span><o:p></o:p></p>
<p style="margin:0in;margin-bottom:.0001pt"><span style="font-size:11.0pt;font-family:"Courier New""> sudoedit -s '\' `perl -e 'print "A" x 65536'`</span><o:p></o:p></p>
<p style="margin:0in;margin-bottom:.0001pt"><span style="font-size:11.0pt;font-family:"Arial",sans-serif">A vulnerable system will segfault or show a similar error indicating memory corruption.</span><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p style="margin:0in;margin-bottom:.0001pt"><span style="font-size:11.0pt;font-family:"Arial",sans-serif">Affected Software: </span><o:p></o:p></p>
<p style="margin:0in;margin-bottom:.0001pt"><span style="font-size:11.0pt;font-family:"Arial",sans-serif">* sudo 1.8.25p1 (CentOS 8)</span><o:p></o:p></p>
<p style="margin:0in;margin-bottom:.0001pt"><span style="font-size:11.0pt;font-family:"Arial",sans-serif">* sudo 1.8.19p1 (Debian 9)</span><o:p></o:p></p>
<p style="margin:0in;margin-bottom:.0001pt"><span style="font-size:11.0pt;font-family:"Arial",sans-serif">* sudo 1.8.27 (Debian 10)</span><o:p></o:p></p>
<p style="margin:0in;margin-bottom:.0001pt"><span style="font-size:11.0pt;font-family:"Arial",sans-serif">Note: Other OS and distributions are also likely to be exploitable.</span><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p style="margin:0in;margin-bottom:.0001pt"><span style="font-size:11.0pt;font-family:"Arial",sans-serif">Recommendation:</span><o:p></o:p></p>
<p style="margin:0in;margin-bottom:.0001pt"><span style="font-size:11.0pt;font-family:"Arial",sans-serif">If your system has local user accounts, update to the latest version of 'sudo' available for your operating system. After updating, run the command in
"How to Check" above to verify the patch. Until then, one potential mitigation is to use 'systemtap' as described in the RedHat announcement for this issue [3].</span><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p style="margin:0in;margin-bottom:.0001pt"><span style="font-size:11.0pt;font-family:"Arial",sans-serif">References:</span><o:p></o:p></p>
<p style="margin:0in;margin-bottom:.0001pt"><span style="font-size:11.0pt;font-family:"Arial",sans-serif">[1]
<a href="https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit">
https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit</a></span><o:p></o:p></p>
<p style="margin:0in;margin-bottom:.0001pt"><span style="font-size:11.0pt;font-family:"Arial",sans-serif">[2]
<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3156">https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3156</a></span><o:p></o:p></p>
<p style="margin:0in;margin-bottom:.0001pt"><span style="font-size:11.0pt;font-family:"Arial",sans-serif">[3]
<a href="https://access.redhat.com/security/cve/CVE-2021-3156">https://access.redhat.com/security/cve/CVE-2021-3156</a></span><o:p></o:p></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><o:p> </o:p></p>
<p style="margin:0in;margin-bottom:.0001pt"><span style="font-size:11.0pt;font-family:"Arial",sans-serif">How Trusted CI can help:</span><o:p></o:p></p>
<p style="margin:0in;margin-bottom:.0001pt"><span style="font-size:11.0pt;font-family:"Arial",sans-serif">The potential impact of any vulnerability, and therefore the appropriate response, depends in part on operational conditions that are unique to each cyberinfrastructure
deployment. Trusted CI can not provide a one-size-fits-all severity rating and response recommendation for all NSF cyberinfrastructure. Please contact us (</span><a href="https://trustedci.org/help/"><span style="font-size:11.0pt;font-family:"Arial",sans-serif;color:#1155CC">https://trustedci.org/help/</span></a><span style="font-size:11.0pt;font-family:"Arial",sans-serif">)
if you need assistance with assessing the potential impact of this vulnerability in your environment and/or you have additional information about this issue that should be shared with the community.</span><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p style="margin:0in;margin-bottom:.0001pt"><span style="font-size:11.0pt;font-family:"Arial",sans-serif">You are receiving this message because you are subscribed to
</span><a href="https://list.iu.edu/sympa/subscribe/cv-announce-l"><span style="font-size:11.0pt;font-family:"Arial",sans-serif;color:#1155CC">cv-announce@trustedci.org</span></a><span style="font-size:11.0pt;font-family:"Arial",sans-serif">.
</span><a href="https://list.iu.edu/sympa/arc/cv-announce-l"><span style="font-size:11.0pt;font-family:"Arial",sans-serif;color:#1155CC">The archive of previous alerts</span></a><span style="font-size:11.0pt;font-family:"Arial",sans-serif"> is publicly accessible.
If you prefer not to receive future alerts, </span><a href="https://list.iu.edu/sympa/sigrequest/cv-announce-l"><span style="font-size:11.0pt;font-family:"Arial",sans-serif;color:#1155CC">you can unsubscribe</span></a><span style="font-size:11.0pt;font-family:"Arial",sans-serif">.</span><o:p></o:p></p>
</div>
</body>
</html>