CVE-2021-3156: The Sudo Bug Which Broke The Internet

CVE 2021 3156

Recently, Qualys released CVE-2021-3156: a deadly sudo bug that has been there for 10 years and not only affects Linux, but also macOS, AIX, and Solaris. In this module, we will go over some crucial aspects of it in a very easy-to-follow manner.

What Is CVE-2021-3156?

CVE-2021-3156 is a heap exploit which effects the sudo binary which is almost ubiquitous on all Unix like Operating Systems.

Breaking it down, a buffer overflow in the heap can be exploited by ANY local user, no matter what the privilege levels, to gain root access to the system.

Which Versions Of Sudo Are Affected By This ?

The vulnerability affects all of the following sudo versions:

  • All legacy versions from 1.8.2 to 1.8.31p2
  • All stable versions from 1.9.0 to 1.9.5p1

The bug seems to be there for about 10 years now ! It was introduced in July 2011 (commit 8255ed69). The vulnerability also present in MacOS Big Sur and many other UNIX like systems.

What Causes The Bug?

In this demonstration, we would need sudoedit which is just a symlink to sudo

$ file /usr/bin/sudoedit
/usr/bin/sudoedit: symbolic link to sudo

According to Baron Samedit:

  1. executing sudo in “shell” mode (shell -c command)
  2. executing sudoedit with -s (MODE_SHELL) flag or -i (MODE_LOGIN_SHELL) shell
  3. The bug in sudo, pertaining to the sudoedit command, can be exploited to avoid the escape sequence characters and overflow the heap-based buffer via a command line argument that ends with a single backslash character.

This particular vulnerability can be exploited by an attacker to overflow a buffer and control it’s size ( often using a nop sled ) which can lead to command execution with root privileges.

How To Check If Your Sudo Version Is Vulnerable ?

To check if your sudo version is vulnerable, you can type:

$ sudoedit -s '\'

If you get an error message as such, know that your sudo version is vulnerable :

$ sudoedit -s '\'
Segmentation Fault (core dumped)

How Do We Fix This Bug?

In order to fix this, we need to upgrade our sudo version. This can be done by using your distribution’s package manager. For example, on Ubuntu/Debian, you can use the apt package manager:

$ sudo apt update && sudo apt --only-upgrade install sudo

On Arch based systems, this can be resolved with:

$ sudo pacman -Syu

For Fedora/Red Hat/CentOS:

$ sudo dnf update

For SUSE and OpenSUSE:

$ sudo zypper lp -a | grep -i sudo
$ sudo zypper up

Post update, you can check your sudo version with:

$ sudo --version
Sudo version 1.9.5p2

If your version is 1.9.5p2 or later, congrats! You have patched your system. Note that the above bug has been fixed in the stable Debian distribution (buster) with version 1.8.27-1+deb10u3

Doing a subsequent check, we get:

$ sudoedit -s  '\'
usage: sudoedit [-AknS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p prompt] [-T timeout] [-u user] file ...

Hence we no longer get the Segmentation Fault! Hence our bug has been fixed! CVE-2021-3156? Vulnerable No More!

Conclusion

CVE-2021-3156 is one of the more notorious bugs because of its nature which can allow ANY USER to gain root access. This means that if an attacker gains a foothold on your system, even as a low priority user like www-data, they can compromise the whole machine by compromising root. Also, the sudo binary is considerably bloated and users are inclined to shift to doas as a new way to execute commands which require root privileges. You can read the full Qualy’s report here!