Security I Trust

Baron Samedit – CVE-2021-3156 – Sudo bug lets attackers gain root access

CVE-2021-3156 Sudo bug lets attackers gain root-level access to Linux

Sudo before 1.9.5p2 has a Heap-based Buffer Overflow, allowing privilege escalation to root via “sudoedit -s” and a command-line argument that ends with a single backslash character.

A major vulnerability affecting the Sudo package shipped by most Linux distributions has been identified; the bug appears to have existed as far back as 2011. The CVE identifier for this vulnerability is CVE-2021-3156, and the bug has also been given the name “Baron Samedit”. The vulnerability was discovered by Qualys two weeks ago, and patches were released for some Linux distributions on the 27th of January. The patched version of Sudo is v1.9.5p2.

Exploit

To exploit this Sudo bug the attacker first needs access to a low-privileged account; from there the attacker can run the exploit to gain root access. The exploit works even if the low-privileged account is not listed in /etc/sudoers (the sudo configuration file).

Risk

If this bug is exploited the hacker can easily gain root access, which means the hacker has full control over the compromised server.

  • Easy to weaponise
  • Gives the attacker privileged access
  • Vulnerability exists in the default configuration

If you have secured your Linux server so that nobody can log in to it from across the internet, the external exposure risk to your server should be low.

Solution

Apply the latest Sudo update as soon as possible to avoid unwanted surprises from both botnet operators and malicious insiders (rogue employees).
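To check which side of the fix a host sits on, the following POSIX sh snippet is an added example (not code from the original post or the sudo project): it compares the version that `sudo -V` reports against 1.9.5p2. It assumes the upstream MAJOR.MINOR.PATCH[pN] version format; distributions that backport the fix keep the old version number, so a "vulnerable" result is a prompt to check the vendor advisory, not proof of exposure.

```sh
#!/bin/sh
# Added example (not from the original post or the sudo project): compare an
# installed Sudo version against 1.9.5p2, the first fixed release named above.
# Sudo versions look like MAJOR.MINOR.PATCH[pN]; the "pN" patch level is
# optional and counts as p0 when absent, so 1.9.5 < 1.9.5p1 < 1.9.5p2.
# Caveat: distributions backport fixes without bumping the upstream version,
# so "vulnerable" here means "check the vendor advisory", not "exploitable".

FIXED_VERSION="1.9.5p2"

# Print the four numeric components of a version: "1.9.5p1" -> "1 9 5 1".
sudo_version_parts() {
    plevel=0
    case $1 in *p*) plevel=${1##*p} ;; esac   # digits after the "p"
    old_ifs=$IFS; IFS=.
    set -- ${1%%p*}                           # split "1.9.5" on the dots
    IFS=$old_ifs
    printf '%s %s %s %s\n' "${1:-0}" "${2:-0}" "${3:-0}" "$plevel"
}

# Succeed (exit 0) when version $1 sorts strictly before version $2.
sudo_version_older() {
    set -- $(sudo_version_parts "$1") $(sudo_version_parts "$2")
    [ "$1" -ne "$5" ] && { [ "$1" -lt "$5" ]; return; }   # major
    [ "$2" -ne "$6" ] && { [ "$2" -lt "$6" ]; return; }   # minor
    [ "$3" -ne "$7" ] && { [ "$3" -lt "$7" ]; return; }   # patch
    [ "$4" -lt "$8" ]                                      # pN level
}

# Pull the version out of `sudo -V` output: "Sudo version 1.8.31" -> "1.8.31".
sudo_version_from_output() {
    printf '%s\n' "$1" | sed -n '1s/^Sudo version \([0-9][0-9.p]*\).*/\1/p'
}

# Print "vulnerable" for versions older than the fix, "fixed" otherwise.
sudo_version_verdict() {
    if sudo_version_older "$1" "$FIXED_VERSION"; then
        echo vulnerable
    else
        echo fixed
    fi
}

# Stand-alone use: check the sudo binary on this host, if there is one.
if command -v sudo >/dev/null 2>&1; then
    installed=$(sudo_version_from_output "$(sudo -V 2>/dev/null)")
    [ -n "$installed" ] && printf 'sudo %s: %s\n' "$installed" "$(sudo_version_verdict "$installed")"
fi
```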


Attacks

Attacks will most likely come from botnets or malicious insiders.

Malicious insiders may be rogue employees, or attackers who already have a foothold in your corporate network.

References

CVE-2021-3156: Heap-Based Buffer Overflow in Sudo (Baron Samedit)

https://attackerkb.com/topics/krVyNG9US8/cve-2021-3156-baron-samedit#rapid7-analysis
