Baron Samedit - CVE-2021-3156 - Sudo bug lets attackers gain root access
CVE-2021-3156: Sudo bug lets attackers gain root-level access to Linux
Sudo before 1.9.5p2 (and, on the legacy 1.8 branch, before 1.8.32) has a heap-based buffer overflow that allows privilege escalation to root via “sudoedit -s” and a command-line argument that ends with a single backslash character.
A major vulnerability affecting sudo on most Linux distributions has been identified. The bug was introduced in July 2011 and went unnoticed for almost ten years. Its CVE identifier is CVE-2021-3156, and it has also been given the name “Baron Samedit”. The vulnerability was discovered by Qualys, who reported it to the sudo maintainers and published their advisory on 26 January 2021; patched packages for some Linux distributions followed on 27 January. The patched upstream release is sudo 1.9.5p2 (1.8.32 for the legacy branch).
Exploit
To exploit this sudo bug an attacker first needs access to a low-privileged local account; from there a local exploit yields root. The account does not need to be listed in /etc/sudoers, the sudoers configuration file: sudoedit is setuid root and the overflow happens while sudo is still parsing its arguments, before it checks whether the user is permitted to run anything or asks for a password.
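To show why a trailing backslash overflows the heap, here is a simplified C model of the argument-unescaping loop in sudo's set_cmnd() that “sudoedit -s” reaches (shell mode without run mode, so the escaping that normally happens in argument parsing is skipped). This is an added illustration written for this page, not sudo's source: the ARENA/ARGS layout, the function names and the sample arguments are constructed, and the destination buffer is deliberately oversized so that the demonstration itself stays memory-safe while counting how many bytes the real loop would have written into a buffer sized from strlen().

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Added illustration for this page, not sudo's own code: a simplified model
 * of the unescaping loop in set_cmnd(). In a real process the kernel lays the
 * argv strings out back to back, so a read past one string's NUL terminator
 * lands in the next string. ARENA reproduces that layout with constructed
 * input: argument 1 is x\ (ends in a lone backslash), argument 2 is AAAAAAAA.
 */
static const char ARENA[] = "x\\\0AAAAAAAA\0";
static const char *const ARGS[] = { ARENA, ARENA + 3, NULL };

/* sudo sizes the heap buffer for the joined command line from strlen() of
   each argument plus a separator, assuming every byte stays inside its arg. */
size_t bytes_allocated(void)
{
    size_t size = 0;
    for (const char *const *av = ARGS; *av != NULL; av++)
        size += strlen(*av) + 1;
    return size;
}

/* Core of the loop. `fixed` selects the corrected escape check. `to`/`cap`
   give this demo a large bounded buffer; the return value is the number of
   bytes the unbounded real loop would write. */
static size_t join_args(int fixed, char *to, size_t cap)
{
    size_t n = 0;
    for (const char *const *av = ARGS; *av != NULL; av++) {
        for (const char *src = *av; *src != '\0'; src++) {
            /* strip the escape character before a non-space character */
            int skip = src[0] == '\\' && !isspace((unsigned char)src[1]);
            if (fixed)
                skip = skip && src[1] != '\0';   /* never step onto the terminator */
            /* Vulnerable case: src[1] is the NUL, which is "not a space", so
               src is advanced onto the NUL, the NUL is copied, and the loop's
               increment moves past the end of the argument into the next
               string, which is then copied too. */
            if (skip)
                src++;
            if (n < cap)
                to[n] = *src;
            n++;
        }
        if (n < cap)
            to[n] = ' ';
        n++;
    }
    return n;
}

size_t bytes_written_vulnerable(void)
{
    static char buf[256];
    return join_args(0, buf, sizeof buf);
}

size_t bytes_written_fixed(void)
{
    static char buf[256];
    return join_args(1, buf, sizeof buf);
}

int main(void)
{
    printf("allocated for the joined command line: %zu bytes\n", bytes_allocated());
    printf("vulnerable loop writes:                %zu bytes\n", bytes_written_vulnerable());
    printf("fixed loop writes:                     %zu bytes\n", bytes_written_fixed());
    return 0;
}
```

With these two arguments sudo would allocate 12 bytes, the vulnerable loop writes 20, and the corrected check keeps the count at 12. In the real exploit the bytes that spill over come from further argv and environment strings the attacker controls, which is what makes the overflow content and length attacker-chosen.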
Risk
If this bug is exploited the attacker gains root, which means full control over the compromised host.
- Easy to weaponise: a local exploit, no password and no sudoers entry required
- Gives the attacker root
- Vulnerable in the default configuration
If you have locked down your Linux servers so that nobody can log in from across the internet, the external exposure should be low. Bear in mind, though, that any code execution on the host counts as a low-privileged local account for this bug: a web shell or a compromised service account is enough of a foothold.
Solution
Apply the sudo update as soon as possible: upstream 1.9.5p2 (1.8.32 on the legacy branch) or your distribution's patched package, which may keep an older version number and carry the fix as a backport. This avoids unwanted surprises from both botnet operators and malicious insiders (rogue employees).
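The following POSIX shell script is an added check written for this page (not the sudo project's or Qualys's code) to tell whether an installed sudo is still affected. It combines two tests: a comparison of the upstream version string against the affected ranges from the Qualys advisory (legacy 1.8.2 to 1.8.31p2, stable 1.9.0 to 1.9.5p1) and the behavioural test from that advisory, running “sudoedit -s /” and classifying its output. It assumes that “sudo --version” prints “Sudo version X.Y.Z” on its first line; the function names are ours.

```sh
#!/bin/sh
# Added check for this page, not from the sudo project or the Qualys advisory.
# Distributions backport the fix without bumping the version number, so the
# behavioural test is the one to trust; the version test only tells you
# whether the upstream release is in the affected range.

# Print 1 if version $1 sorts before $2, else 0. Versions look like 1.8.31p2
# or 1.9.5; the "pN" suffix is treated as a fourth component (0 when absent).
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, A, "[.p]"); nb = split(b, B, "[.p]")
        for (i = 1; i <= 4; i++) {
            x = (i <= na) ? A[i] + 0 : 0
            y = (i <= nb) ? B[i] + 0 : 0
            if (x != y) { r = (x < y) ? 1 : 0; print r; exit }
        }
        print 0
    }'
}

# Succeed (exit 0) when an upstream version string lies in the affected
# ranges from the Qualys advisory: 1.8.2 .. 1.8.31p2 and 1.9.0 .. 1.9.5p1.
sudo_version_affected() {
    v="$1"
    if [ "$(version_lt "$v" 1.8.2)" = 0 ] && [ "$(version_lt "$v" 1.8.32)" = 1 ]; then
        return 0
    fi
    if [ "$(version_lt "$v" 1.9.0)" = 0 ] && [ "$(version_lt "$v" 1.9.5p2)" = 1 ]; then
        return 0
    fi
    return 1
}

# Classify the output of "sudoedit -s /": a vulnerable sudo accepts -s in
# edit mode and complains that / is not a regular file; a patched sudo
# rejects the flag combination and prints its usage line instead.
classify_sudoedit_output() {
    case "$1" in
        *"not a regular file"*) echo vulnerable ;;
        *usage:*)               echo patched ;;
        *)                      echo unknown ;;
    esac
}

# Run both checks against the sudo installed on this host, if any.
check_installed_sudo() {
    command -v sudoedit >/dev/null 2>&1 || { echo "sudoedit not found"; return 0; }
    ver=$(sudo --version 2>/dev/null | awk 'NR == 1 { print $3 }')
    if [ -z "$ver" ]; then
        echo "could not read sudo version"
    elif sudo_version_affected "$ver"; then
        echo "version $ver: upstream version in affected range (may still be fixed by a backport)"
    else
        echo "version $ver: upstream version not affected"
    fi
    out=$(sudoedit -s / 2>&1) || true
    echo "behavioural test: $(classify_sudoedit_output "$out")"
}

check_installed_sudo
```

Run it as an ordinary user; neither “sudo --version” nor the argument-parsing stage that “sudoedit -s /” exercises asks for a password, so a result of “vulnerable” means the unpatched code path is reachable by exactly the accounts the Exploit section describes.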
Attacks
Attacks will most likely come from botnets that already run on a compromised host or from malicious insiders.
Malicious insiders may be rogue employees, or attackers who already have a foothold in your corporate network.
References:
https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit
https://attackerkb.com/topics/krVyNG9US8/cve-2021-3156-baron-samedit#rapid7-analysis