Security researchers from Qualys have identified a critical heap buffer overflow vulnerability in sudo that can be exploited by rogue users to take over the host system.
Sudo is an open-source command-line utility widely used on Linux and other Unix-flavored operating systems. It is designed to give selected, trusted users administrative control when needed.
The bug (CVE-2021-3156) found by Qualys, though, allows any local user to gain root-level access on a vulnerable host in its default configuration. Qualys is disclosing its findings in a coordinated release with operating systems vendors, and has bestowed the errant code with the memorable name of the mythical mischief-maker Baron Samedi.
The following versions of sudo are affected: 1.8.2 through 1.8.31p2 and 1.9.0 through 1.9.5p1. Qualys developed exploits for several Linux distributions, including Ubuntu 20.04 (Sudo 1.8.31), Debian 10 (Sudo 1.8.27), and Fedora 33 (Sudo 1.9.2), and the security biz believes other distributions are vulnerable, too.
In their write-up, Qualys researchers explain, “
set_cmnd()is vulnerable to a heap-based buffer overflow, because the out-of-bounds characters that are copied to the ‘user_args’ buffer were not included in its size.”
The bug was introduced in July 2011 (commit 8255ed69) and has persisted unfixed until now.