Language Selection

English French German Italian Portuguese Spanish

Another Sudo Root Privilege Escalation Vulnerability Got Patched, Update Now

Filed under
Security

Sudo 1.9.5p2 was released today and it addresses two security issues. The first, CVE-2021-3156 (a.k.a. Baron Samedit), was discovered by Qualys Research Labs and could allow local users (sudoers and non-sudoers) to obtain unintended access to the root (system administrator) account.

In addition, the new release patches CVE-2021-23239, a vulnerability discovered in Sudo’s sudoedit utility, which could allow a local attacker to bypass file permissions and determine if a directory exists or not. This security flaw affected Sudo versions before 1.9.5.

Read more

BleepingComputer

Anti-Linux writers rejoice

The original

  • CVE-2021-3156: Heap-Based Buffer Overflow in Sudo (Baron Samedit)

    Successful exploitation of this vulnerability allows any unprivileged user to gain root privileges on the vulnerable host. Qualys security researchers have been able to independently verify the vulnerability and develop multiple variants of exploit and obtain full root privileges on Ubuntu 20.04 (Sudo 1.8.31), Debian 10 (Sudo 1.8.27), and Fedora 33 (Sudo 1.9.2). Other operating systems and distributions are also likely to be exploitable.

Sudo vulnerability allows attackers to gain root privileges...

3 More

  • 10-year-old Sudo Bug Lets Linux Users Gain Root-Level Access
  • Sudo Flaw Gives Linux Users Root Access | Decipher

    Researchers from Qualys uncovered a major vulnerability in an application that allows administrators to delegate limited root access to regular users. While most major Linux distributions have released fixed versions of sudo, administrators still have to verify their systems are protected. Some of the smaller distributions may not yet have incorporated the fix.

    The vulnerability allows a regular user on a system to gain root access, even if the account is not listed as one of the authorized accounts in the /etc/sudoers configuration file. The regular user account also does not need to know the password in order to exploit the vulnerability. Qualys said the flaw impacts all Sudo installs using the sudoers file—which is the case for many Linux systems. Researchers have developed exploit variants for Debian 10 (Sudo 1.8.27), Ubuntu 20.04 (Sudo 1.8.31), and Fedora 33 (Sudo 1.9.2). Qualys coordinated the release of Sudo v 1.9.5p2 to fix the flaw, CVE-2021-3156 (Baron Samedit).

  • Serious 10-year-old flaw in Linux sudo command; a new version patches it | Network World

    Linux users should immediately patch a serious vulnerability to the sudo command that, if exploited, can allow unprivileged users gain root privileges on the host machine.

    Called Baron Samedit, the flaw has been “hiding in plain sight” for about 10 years, and was discovered earlier this month by researchers at Qualys and reported to sudo developers, who came up with patches Jan. 19, according to a Qualys blog. (The blog includes a video of the flaw being exploited.)

Critical Vulnerability Patched in 'sudo' Utility...

PSA: If your PC runs Linux, you should update Sudo now

  • PSA: If your PC runs Linux, you should update Sudo now

    Despite the fact that tens of thousands of contributors actively pore over the source code of the Linux kernel and various Unix utilities looking for security flaws, it’s not unheard of for serious bugs to go unnoticed. Just a day ago, the folks over at Qualys revealed a new heap-based buffer overflow attack vector that targets the “Sudo” program to gain root access. The bug this time seems to be quite serious, and the bug has existed within the codebase for almost 10 years! Although the privilege escalation vulnerability has already been patched, it could potentially be exploited on nearly every Linux distribution and several Unix-like operating systems.

An unpleasant sudo vulnerability

  • An unpleasant sudo vulnerability

    It would appear that "sudo" has a buffer-overflow vulnerability that allows any local user to gain root privileges, whether or not they are in the sudoers file. It has been there since 2011. See this advisory for details, but perhaps run an update first.

Sudo Bug Gives Root Access to Mass Numbers of Linux Systems

  • Sudo Bug Gives Root Access to Mass Numbers of Linux Systems

    Qualys said the vuln gives any local user root access to systems running the most popular version of Sudo.

    A doozy of a bug that could allow any local user on most Linux or Unix systems to gain root access has been uncovered — and it had been sitting there for a decade, researchers said.

    The bug was found in Sudo, a utility built into most Unix and Linux operating systems that lets a user without security privileges access and run a program with the credentials of another user. Qualys researchers named the vulnerability “Baron Samedit,” tracked as CVE-2021-3156. They said the bug popped into the Sudo code back in July 2011.

    [...]

    Here’s how the vuln works: Specifically, the bug is a heap-based buffer overflow in Sudo, which lets any local user trick it into running in “shell” mode.

    Sudo authors explained in a Tuesday advisory that when Sudo is running in shell mode, “it escapes special characters in the command’s arguments with a backslash.” Then, a policy plug-in removes any escape characters before deciding on the Sudo user’s permissions.

    But it’s not just a single bug which exposed these systems, it’s actually the combination of two bugs working in tandem in Sudo that makes the exploitation possible, the authors explained.

    “A bug in the code that removes the escape characters will read beyond the last character of a string if it ends with an unescaped backslash character,” the Sudo authors explained. “Under normal circumstances, this bug would be harmless since Sudo has escaped all the backslashes in the command’s arguments.”

Decade-old vulnerability is still affecting most Linux distro

  • Decade-old vulnerability is still affecting most Linux distros

    Security researchers at Qualys discovered a privilege escalation vulnerability in one of the core utilities present in all Unix-like operating systems including Linux.

    If exploited, the heap overflow vulnerability in the Sudo utility could allow any unprivileged user to gain root privileges.

    The vulnerability, which has now been patched, has existed for almost a decade, according to a blog post by Animesh Jain, a Vulnerability Signatures Product Manager at Qualys.

Cyber Command, NSA warn to patch decade-old sudo vulnerability

  • Cyber Command, NSA warn to patch decade-old sudo vulnerability

    U.S. intelligence officials are urging Amrican companies and security workers to fix a software flaw that, if exploited, would give attackers deep access to a victim machine.

    The vulnerability, which now has a patch, would have allowed unauthorized users to gain what’s known as root privileges on vulnerable hosts as early as 2011 when the flaw was introduced, researchers at the security firm Qualys found. Root access would enable hackers to obtain administrative privileges over a machine, and quietly collect sensitive information.

    The vulnerability has existed for 10 years in sudo, a common tool found on nearly all Unix and Linux-based operating systems that generally allows system administrators to give some approved users root privileges.

    The flaw affects legacy versions from 1.8.2 to 1.8.31p2 and all default versions from 1.9.0 to 1.9.5p1, according to Qualys.

‘One of the most beautiful bugs I’ve seen’: Decade-old sudo bug

  • ‘One of the most beautiful bugs I’ve seen’: Decade-old sudo bug grants Linux root access

    Cybersecurity researchers and the U.S. Cyber Command are warning users about a decade-old buffer overflow bug in sudo that can grant root access to malicious users with low level access to systems.

    The vulnerability, discovered by Qualys and nicknamed “Baron Samedit,” affects all versions of Linux Qualys has tested against. The glitch allows users, even those off of sudoers list, to gain root access. It has been patched in the latest release of sudo.

    “Any user – even the lowest of the low privileged – can access root,” said Mehul Revankar, vice president of product management and engineering at Qualys.

    Though other Sudo vulnerabilities have been found in the past, it’s rare that a bug affects any account, rather than accounts meeting specific conditions.

    “We expect millions of systems to be affected,” said Revankar.

Sudo Vulnerability 2021: 'Baron Samedit' Bug on Linux...

  • Sudo Vulnerability 2021: 'Baron Samedit' Bug on Linux Gives Attackers Free Root-Level Access

    A major vulnerability impacting a large chunk of the Linux ecosystem has been patched today in Sudo, an app that allows admins to delegate limited root access to other users.

    As reported by ZDNet, a major vulnerability was discovered two weeks ago that impacts the Linux ecosystem tremendously. Today, the problem has been patched by an app called Sudo which permits admins in Linux to consign limited root access for other users. It was fixed with the release of the Sudo v1.9.5p2.

    [...]

    Thankfully, Sudo has already fixed this problem for the Linux ecosystem. It can be found in sudo 1.9.5p2. Sudo added that if users want to check if their version of Sudo is vulnerable, they can key in the following commands to check:

    sudoedit -s '\' 'perl -e 'print "A" x 65536''

    Ideally, you should receive a usage or error message. This indicated that your version of Sudo is not vulnerable. On the other hand, if the result that arises is a Segmentation for, then you can expect that your Sudo version is indeed vulnerable.

    Sudo's update should be applied as early as possible to prevent malicious acts by attackers. If you need to know more technical information about checking your Sudo status, you can check The Qualys advisory.

Three more pieces

  • Bug in Linux sudo command could give any user root access

    Researchers from Qualys have disclosed a vulnerability in the sudo utility that could be exploited to grant system administrator privileges to any user that is logged into a system.

    Dubbed Baron Samedit (CVE-2021-3156), Qualys recommended that users apply patches for the vulnerability immediately.

    The developers of sudo were informed about the security flaw on 13 January and the bug was patched on 19 January — a week before it was publicly disclosed.

    Sudo is a widely used program in Unix-like operating systems. Qualys confirmed that the Baron Samedit bug was present in Linux distributions such as Ubuntu, Debian, and Fedora.

  • Weekly threat roundup: Apple, SonicWall, Linux Sudo

    A significant vulnerability in the Linux Sudo command could inadvertently grant unauthorised users root access to a system, even if the account isn’t listed as an authorised account.

    Sudo allows administrators to delegate limited root access to regular users, but the vulnerability tagged CVE-2021-3156 can be exploited by an unprivileged user to gain root privileges on a vulnerable host.

    The flaw has been hiding in plain sight for nearly a decade having been introduced in July 2011, according to Qualys security researchers. Multiple versions of Sudo are therefore likely to be affected, including legacy versions 1.8.2 to 1.8.31p2 and stable versions from 1.9.0 to 1.9.5p1.

  • Decade-Old Sudo Flaw Discovered

    A vulnerability has been discovered in the Linux sudo command that’s been hiding in plain sight.

    Sudo is the venerable tool that allows standard users to run admin tasks on Linux distributions. Without sudo, users would have to log into the system as the root user (or change to the root user with the su command), in order to run admin commands. Seeing as how that is looked upon as a security risk, sudo has become a required tool for many Linux admins and users.

    However, it has been discovered (by researchers at Qualys) that, for nearly a decade, sudo contained a heap-based buffer overflow vulnerability. This bug could allow any unprivileged user to gain root privileges using the default sudo configuration.

Sudo Vulnerability Discovered

Researchers: Beware of 10-Year-Old Linux Vulnerability

  • Researchers: Beware of 10-Year-Old Linux Vulnerability

    The vulnerability, called "Baron Samedit" by the researchers and officially tracked as CVE-2021-3156, is a heap-based buffer overflow in the Sudo utility, which is found in most Unix and Linux operating systems.

    Sudo is a utility included in open-source operating systems that enables users to run programs with the security privileges of another user, which would them give them administrative – or superuser - privileges.

    The bug, which appears to have been added into the Sudo source code in July 2011, was not detected until earlier this month, Qualys says.

    "Qualys security researchers have been able to independently verify the vulnerability and develop multiple variants of exploits and obtain full root privileges on Ubuntu 20.04 (Sudo 1.8.31), Debian 10 (Sudo 1.8.27), and Fedora 33 (Sudo 1.9.2). Other operating systems and distributions are also likely to be exploitable," the researchers say.

This Week In Security: Sudo, Database Breaches, And Ransomware

  • This Week In Security: Sudo, Database Breaches, And Ransomware

    Sudo is super important Linux utility, as well as the source of endless jokes. What’s not a joke is CVE-2021-3156, a serious vulnerability around incorrect handling of escape characters. This bug was discovered by researchers at Qualys, and has been in the sudo codebase since 2011. If you haven’t updated your Linux machine in a couple days, you may very well be running the vulnerable sudo binary still. There’s a simple one-liner to test for the vulnerability:

    sudoedit -s '\' `perl -e 'print "A" x 65536'`

Linux sudo exploit gives root access

  • Linux sudo exploit gives root access

    Researchers have found a buffer overflow vulnerability in the Linux sudo program that means an ordinary user could give themselves root privileges.

    The Sudo command lets users act at higher security privilege levels – either as a superuser or some other user profile – so they can perform certain tasks without having full root access.

"Linux Flaw"

  • The Linux Flaw you can't afford to Ignore (CVE-2021-3156) [Ed: It is not a "Linux flaw" but a sudo flaw and it affects systems that are not Linux]

    Linux and Unix operating systems require regular patching like any IT system, but as security professionals, ethical hackers, and criminal hackers will tell you, regular Linux and Unix patching is often neglected.

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

More in Tux Machines

Now you can make video calls on a PinePhone (but it’s very much a work in progress)

When the PinePhone began shipping to early adopters, it had all the hardware you’d expect from a smartphone, but it lacked the software needed to make some of that hardware work. If you were one of the first people to get your hands on a PinePhone, you had a Linux-friendly phone with a camera that couldn’t be used to take pictures or record video. But over time kernel and app developers got the phone’s front and rear cameras working, and now most Linux distributions for the PinePhone allow you to take pictures (of mediocre quality). One thing you couldn’t do until recently though? Video calls. But now it looks like that’s possible too… soft of. The process looks rather painful at the moment, but it should get better over time. Read more Also: Plasma Mobile tarball release: bugfixes and new releases

A warning about 5.12-rc1

  • A warning about 5.12-rc1
    Hey peeps - some of you may have already noticed that in my public git
    tree, the "v5.12-rc1" tag has magically been renamed to
    "v5.12-rc1-dontuse". It's still the same object, it still says
    "v5.12-rc1" internally, and it is still is signed by me, but the
    user-visible name of the tag has changed.
    
    
    
    
    The reason is fairly straightforward: this merge window, we had a very
    innocuous code cleanup and simplification that raised no red flags at
    all, but had a subtle and very nasty bug in it: swap files stopped
    working right.  And they stopped working in a particularly bad way:
    the offset of the start of the swap file was lost.
    
    
    
    
    Swapping still happened, but it happened to the wrong part of the
    filesystem, with the obvious catastrophic end results.
    
    
    
    
    Now, the good news is even if you do use swap (and hey, that's nowhere
    near as common as it used to be), most people don't use a swap *file*,
    but a separate swap *partition*. And the bug in question really only
    happens for when you have a regular filesystem, and put a file on it
    as a swap.
    
    
    
    
    And, as far as I know, all the normal distributions set things up with
    swap partitions, not files, because honestly, swapfiles tend to be
    slower and have various other complexity issues.
    
    
    
    
    The bad news is that the reason we support swapfiles in the first
    place is that they do end up having some flexibility advantages, and
    so some people do use them for that reason. If so, do not use rc1.
    Thus the renaming of the tag.
    
    
    
    
    Yes, this is very unfortunate, but it really wasn't a very obvious
    bug, and it didn't even show up in normal testing, exactly because
    swapfiles just aren't normal. So I'm not blaming the developers in
    question, and it also wasn't due to the odd timing of the merge
    window, it was just simply an unusually nasty bug that did get caught
    and is fixed in the current tree.
    
    
    
    
    But I want everybody to be aware of because _if_ it bites you, it
    bites you hard, and you can end up with a filesystem that is
    essentially overwritten by random swap data. This is what we in the
    industry call "double ungood".
    
    
    
    
    Now, there's a couple of additional reasons for me writing this note
    other than just "don't run 5.12-rc1 if you use a swapfile". Because
    it's more than just "ok, we all know the merge window is when all the
    new scary code gets merged, and rc1 can be a bit scary and not work
    for everybody". Yes, rc1 tends to be buggier than later rc's, we are
    all used to that, but honestly, most of the time the bugs are much
    smaller annoyances than this time.
    
    
    
    
    And in fact, most of our rc1 releases have been so solid over the
    years that people may have forgotten that "yeah, this is all the new
    code that can have nasty bugs in it".
    
    
    
    
    One additional reason for this note is that I want to not just warn
    people to not run this if you have a swapfile - even if you are
    personally not impacted (like I am, and probably most people are -
    swap partitions all around) - I want to make sure that nobody starts
    new topic branches using that 5.12-rc1 tag. I know a few developers
    tend to go "Ok, rc1 is out, I got all my development work into this
    merge window, I will now fast-forward to rc1 and use that as a base
    for the next release". Don't do it this time. It may work perfectly
    well for you because you have the common partition setup, but it can
    end up being a horrible base for anybody else that might end up
    bisecting into that area.
    
    
    
    
    And the *final* reason I want to just note this is a purely git
    process one: if you already pulled my git tree, you will have that
    "v5.12-rc1" tag, and the fact that it no longer exists in my public
    tree under that name changes nothing at all for you. Git is
    distributed, and me removing that tag and replacing it with another
    name doesn't magically remove it from other copies unless you have
    special mirroring code.
    
    
    
    
    So if you have a kernel git tree (and I'm here assuming "origin"
    points to my trees), and you do
    
    
    
    
         git fetch --tags origin
    
    
    
    
    you _will_ now see the new "v5.12-rc1-dontuse" tag. But git won't
    remove the old v5.12-rc1 tag, because while git will see that it is
    not upstream, git will just assume that that simply means that it's
    your own local tag. Tags, unlike branch names, are a global namespace
    in git.
    
    
    
    
    So you should additionally do a "git tag -d v5.12-rc1" to actually get
    rid of the original tag name.
    
    
    
    
    Of course, having the old tag doesn't really do anything bad, so this
    git process thing is entirely up to you. As long as you don't _use_
    v5.12-rc1 for anything, having the tag around won't really matter, and
    having both 'v5.12-rc1' _and_ 'v5.12-rc1-dontuse' doesn't hurt
    anything either, and seeing both is hopefully already sufficient
    warning of "let's not use that then".
    
    
    
    
    Sorry for this mess,
                 Linus
    
    
    
    
    
  • A warning about 5.12-rc1

    Linus Torvalds has sent out a note telling people not to install the recent 5.12-rc1 development kernel; this is especially true for anybody running with swap files. "But I want everybody to be aware of because _if_ it bites you, it bites you hard, and you can end up with a filesystem that is essentially overwritten by random swap data. This is what we in the industry call 'double ungood'." Additionally, he is asking maintainers to not start branches from 5.12-rc1 to avoid future situations where people land in the buggy code while bisecting problems.

  •  
  • Linux 5.12-rc2 Likely Coming Early Due To That Nasty File-System Corruption Bug

    Linus Torvalds has now warned developers over using Linux 5.12-rc1 as a basis for their future branches and is looking to release 5.12-rc2 ahead of schedule as a result of that problematic file-system corruption bug stemming from a swap file bug. 

Games: Godot, Artifact, Loop Hero, and Urtuk: The Desolation

  • Godot Showcase - Primal Light developer interview

    Welcome to the fourth developer interview following the introduction of the Godot Showcase page! This week, we are interviewing the studio Fat Gem about their first game Primal Light.

  • Valve gives up on Artifact setting it free with Artifact Classic and Artifact Foundry | GamingOnLinux

    Valve's Dota themed card game Artifact has now well and truly failed, as they've now stopped the 2.0 redevelopment which is now named Artifact Foundry with the original as Artifact Classic and both now free to play. In a post titled "The Future of Artifact", Valve mentioned how the player count fell off dramatically and it was pretty much dead shortly after being released. Even though the big 2.0 revamp was far along in development, they've now formally and totally shelved it as they "haven't managed to get the active player numbers to a level that justifies further development at this time".

  • Loop Hero is out now and I'm going to need help to tear myself away from it | GamingOnLinux

    Loop Hero, probably the only titles I've pre-ordered in the last few years is officially out now and I really will need some help to pull myself away from running just one more loop. It's such a strange and beautifully intoxicating mix of genres. For each loop through you're placed into a world full of nothing but a path and it's up to you to build up the world each time. You do this through your deck of cards, while the hero automatically loops around the path and fights enemies along the way without your input. Even though you don't have direct control, there's quite a lot of strategy involved in it.

  • Dark low-fantasy tactical survival RPG 'Urtuk: The Desolation' is out now | GamingOnLinux

    Urtuk: The Desolation from David Kaleta presents you with a dark world in a low-fantasy settings where you guide a team of survivors through a ruined world. Note: key provided by the developer. Hitting nearly one thousand user reviews and a Very Positive rating on Steam overall, Urtuk: The Desolation seems to have managed to hit a sweet spot. Giving you tough turn-based combat, with a character progression system that sees you extracting skills and traits from fallen enemies. It's a bit of a gross world and the main character, Urtuk, is an escaped subject of experimentation with a severe mutation and worsening health. The idea is to eventually find a cure but getting there will be tough.

today's howtos

  • How to find duplicate files in Linux? Help is here with the fdupes command! - Webleit.info

    Fdupes is a command line tool that allows you to find all duplicate files through the console. The advantage over using graphical tools like fslint is of course the speed. At the end of the day, there is nothing faster and more convenient than the Linux console. Why should we look for duplicate files in Linux? No matter what operating system you use sooner or later, your computer will contain many files of different sizes, and if you’re not careful enough, repeating them can cost you disk space that you need. For example, you inadvertently downloaded the same ultra HD movie with 40 giga bytes twice.

  • How to Install Moodle with Nginx and Let's Encrypt SSL on Ubuntu 20.04

    Moodle is a free and open-source Learning Management System written in PHP. It provides a way for tutors and instructors to create courses for their students or learners. Moodle provides a robust and secure integrated system and comes with a custom dashboard that helps users to access current, past or future courses, as well as review pending work. It is used by many schools, universities, and organizations across the globe and provides a better learning experience. It provides a rich set of features including, wiki, grading, assignment submission, online quizzes, discussion boards, and more. In this tutorial, we will show you how to install Moodle with Nginx web server and Let's Encrypt SSL on Ubuntu 20.04.

  • Install WordPress Automatically on Ubuntu 20.04 using WordOps

    WordOps is a simple tool that provides the ability to deploy WordPress sites from the command line using an optimized LEMP stack. The LEMP software stack consists of a group of software that describes a Linux Operating System, an Nginx web server (pronounced engine-x), a MySQL database with the dynamic processing being handled by PHP. LEMP is an acronym for Linux, Engine-x (Nginx), MySQL and PHP. WordOps simplifies so much of the process of installing and configuring all the packages from the LEMP stack needed to deploy a site while taking care of creating virtual hosts in Nginx, installing WordPress, and even gets you a SSL certificate. It also installs some components that allow you to see statistics about the server’s workload. In this tutorial we’ll use WordOps to quickly and easily install WordPress on an Ubuntu 20.04 machine, and we’ll check out and explain some of the extra features that WordOps offers.

  • How to Find Out When a Webpage Was Published - Make Tech Easier

    When you’re doing research on a topic, it’s vital to ensure your sources are up to date. If you’re writing an academic paper, dates of publication are often required in the citations. The majority of the time, getting the date is easy: simply look on the site and find the published date to find how recent it was. Things get a little more complicated when there is no date listed on the webpage. When this happens, how do you know when a webpage was published?

  • How to install Wireshark 3.4.3 on a Chromebook

    Today we are looking at how to install Wireshark 3.4.3 on a Chromebook. Please follow the video/audio guide as a tutorial where we explain the process step by step and use the commands below.

  • Another Piece For The Home Network Puzzle – A Return To Cisco IOS! – Jon's FOSS Blog

    I’ve missed the good old days of configuring and setting up good quality switching hardware (like the big, huge Cisco switches and routers I used to experiment on with their IOS command line interface). I recently ordered this newer, smaller Cisco switch which can also provide power to a new “prosumer” WiFi AP (no power cables needed).

  • Making environment variables accessible in front-end containers - Red Hat Developer

    When building a container for a single-page application using any modern JavaScript framework (such as Angular, React, or Vue.js), you might find that the configuration settings are different depending on where the container will run. A typical case would be the base URL for your API, which will differ depending on whether you are testing the application or deploying it into production. Developers usually solve this problem using environment variables. Environment variables typically work on the backend because that is where code runs. But what if your application lives in the user’s browser? There are many ways around this limitation. In some cases, you might build a server whose endpoint holds the necessary parameters. Another workaround is to use PHP to inject the environment variables as globals in the JavaScript code. Both of these options work, but it would be ideal to inject the environment variables as part of the container build process. That way, you don’t have to change the codebase, and you can still deliver the application content using a static web server like NGINX. This article shows you how to inject environment variables directly into your codebase as you build your container.

  • The Strange Case of How We Escaped the Docker Default Container

    TL;DR During an internal container-based Red Team engagement, the Docker default container spontaneously and silently changed cgroups overnight, which allowed us to escalate privileges and gain...

  • How to copy and paste between host and VM