Researchers: Beware of 10-Year-Old Linux Vulnerability
Qualys Says Flaw in Sudo Utility Could Grant Attackers Root Access
A recently discovered 10-year-old bug, if exploited, could give hackers root access to vulnerable Linux and Unix operating systems, the security firm Qualys says. Security experts are urging users to immediately implement a patch to mitigate the risk.
The vulnerability, called "Baron Samedit" by the researchers and officially tracked as CVE-2021-3156, is a heap-based buffer overflow in the Sudo utility, which is found in most Unix and Linux operating systems.
Sudo is a utility included in open-source operating systems that enables users to run programs with the security privileges of another user, which can give them administrative (superuser) privileges.
The bug, which appears to have been added into the Sudo source code in July 2011, was not detected until earlier this month, Qualys says.
"Qualys security researchers have been able to independently verify the vulnerability and develop multiple variants of exploits and obtain full root privileges on Ubuntu 20.04 (Sudo 1.8.31), Debian 10 (Sudo 1.8.27), and Fedora 33 (Sudo 1.9.2). Other operating systems and distributions are also likely to be exploitable," the researchers say.
After Qualys notified the authors of Sudo, a patch was included in version 1.5.5p2, published this week.
Qualys and the Sudo authors are urging Linux and Unix users to immediately patch systems. Rob Joyce, who was recently named director of the National Security Agency's Cybersecurity Directorate, also flagged the alert on Twitter.
Got Root? You do now with CVE-2021-3156 privilege escalation in SUDO. Exploitable Heap-based buffer overflow in a utility that is available in almost all major linux/unix OS versions. https://t.co/aOIRmNRQ09— Rob Joyce (@RGB_Lights) January 26, 2021
How the Bug Works
The Baron Samedit bug could be exploited by a local user even if that user isn’t listed in the sudoers file. Also, user authentication is not required to exploit the flaw, according to the notification from the Sudo authors.
The overflow happens when out-of-bounds characters are copied into the "user args" buffer, according to Qualys.
"Because a command is not actually being run, sudo does not escape special characters," according to the Sudo advisory. "Finally, the code that decides whether to remove the escape characters did not check whether a command is actually being run, just that the shell flag is set. This inconsistency is what makes the bug exploitable."
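The escape-removal inconsistency the advisory describes, as an added illustration that is not sudo's source and not part of the original article: a simplified model of the argument-copy loop, run with the shell flag set but no command actually executing, beside a hardened version that also checks whether a command runs and never skips over a lone trailing backslash. The function names (`args_alloc_size`, `join_args`, `overflow_bytes`) and the two-argument sample memory region are constructed for this example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Allocation size for the joined arguments: escaped length + separator
 * per argument, so backslashes are counted here but stripped later. */
size_t args_alloc_size(char *const av[])
{
    size_t size = 0;
    for (int i = 0; av[i] != NULL; i++)
        size += strlen(av[i]) + 1;
    return size;
}

/* Join av into out, removing backslash escapes.  Unfixed: the decision rests
 * on the shell flag alone, and a lone trailing backslash makes the loop step
 * over the argument's NUL into adjacent memory.  Fixed: escapes are removed
 * only when a command really runs, and a trailing backslash is left alone. */
size_t join_args(char *const av[], bool shell_flag, bool running_cmd,
                 bool fixed, char *out)
{
    char *to = out;
    bool strip = fixed ? (shell_flag && running_cmd) : shell_flag;
    for (int i = 0; av[i] != NULL; i++) {
        const char *from = av[i];
        while (*from != '\0') {
            if (strip && from[0] == '\\' && (!fixed || from[1] != '\0') &&
                !isspace((unsigned char)from[1]))
                from++;          /* skip the backslash, keep the next byte */
            *to++ = *from++;     /* unfixed: may copy the NUL and continue */
        }
        *to++ = ' ';
    }
    return (size_t)(to - out);
}

/* Constructed argv laid out contiguously like a process's real argument
 * strings ("x\" directly followed by "y").  Returns bytes written beyond
 * what args_alloc_size() would have allocated; 0 means no overflow. */
size_t overflow_bytes(bool fixed)
{
    char region[] = "x\\\0y";             /* "x\" NUL "y" NUL */
    char *av[] = { region, region + 3, NULL };
    char scratch[64] = { 0 };             /* oversized so the demo itself is safe */
    size_t cap = args_alloc_size(av);
    size_t written = join_args(av, true, false, fixed, scratch);
    return written > cap ? written - cap : 0;
}
```

With the shell flag set and no command running, the unfixed loop writes one byte more than the computed allocation, which is the shape of the heap overflow; the fixed logic writes exactly the allocated size.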
The Qualys researchers created a video showing three proof-of-concept attacks that could be used to exploit the vulnerability. The researchers did not say if any attacks had been spotted in the wild.
Roy Horev, co-founder and CTO at security firm Vulcan Cyber, says the good news about the vulnerability is that it requires a local user to start the attack. If that is successful, however, the damage to an open-source system could be extensive.
"The bad news is that the 'user to root' escalation with such ease, inside a security-oriented mechanism, is scary," Horev says. "The root is the superuser in Linux. Every user wants to escalate itself to root. In this scenario, it's very easy to make a transition that should be 100% impossible."
Other researchers have also found vulnerabilities that could affect Linux systems. Earlier this month, Intezer Labs discovered a remote access Trojan, dubbed ElectroRAT, that has been stealing cryptocurrency from digital wallets over the past year and has the ability to target multiple operating systems, including Linux (see: ElectroRAT Malware Targets Cryptocurrency Wallets).
Also, researchers at Check Point Research are tracking a new botnet called "FreakOut" that is targeting vulnerable Linux systems (see: 'FreakOut' Botnet Targets Unpatched Linux Systems).