ALERT: Update for buffer overflow in sudo

Wednesday, January 27, 2021

This information was sent to U-M IT staff groups via email January 27, 2021. It is intended for U-M IT staff who are responsible for university computers and servers running Unix-like operating systems that include the sudo utility.

Summary

A heap overflow vulnerability has been discovered in sudo, a near-ubiquitous utility for Unix-like operating systems. The vulnerability could allow any local user to obtain root privileges. Patches are available for this vulnerability, and they should be applied as soon as possible after appropriate testing. Apple hasn’t yet announced whether macOS is vulnerable, but it should be assumed to be. Mac users should apply macOS software updates when available.

Problem

The vulnerability allows any local user to gain root-level access on a vulnerable host in its default configuration.

Affected Versions

  • All legacy versions of sudo from 1.8.2 to 1.8.31p2
  • All stable versions of sudo from 1.9.0 to 1.9.5p1

Sudo is included in most if not all Unix- and Linux-based operating systems. It is an open-source command-line utility that allows users to run programs with the security privileges of another user. It is designed to give selected, trusted users administrative control when needed.

Action Items

  • Apply patches for this vulnerability as soon as possible after appropriate testing. Ubuntu, Red Hat, and others have already published patches.
  • System administrators who use sudo to delegate root privileges to their users should immediately upgrade to sudo 1.9.5p2 or later as soon as possible.
  • Mac users should apply macOS software updates when available.

The need for immediate action supersedes the remediation timeframes in Vulnerability Management (DS-21).

Threats

Proof-of-concept information about exploiting this vulnerability is publicly available.

Technical Details

Complete technical details are available at CVE-2021-3156: Heap-Based Buffer Overflow in Sudo (Baron Samedit).

Detection

According to Qualys (CVE-2021-3156), you can test whether a system is vulnerable or not by doing the following:

  1. Log in to the system as a non-root user.
  2. Run this command: sudoedit -s /
    • If the system is vulnerable, it will respond with an error that starts with “sudoedit:”
    • If the system is patched, it will respond with an error that starts with “usage:”

1/27/21, 2:40 p.m., update: Further testing at U-M of the detection instructions above has revealed that they do not always reliably detect the vulnerability on some installations. Do not rely on these diagnostics. Check for updates from your OS vendor. Note that members of the university community have reported that applying sudo patches from some vendors may not always update the version number.

How We Protect U-M

  • ITS IA works closely with others in Information Technology Services (ITS) and U-M units to ensure timely patching of systems. MiWorkspace, MiServer, and other ITS-managed systems and devices are updated as soon as possible after appropriate testing.
  • ITS IA performs regular vulnerability scans of university networks to identify vulnerable devices and request remediation.
  • ITS IA provides vulnerability management guidance to the university.

Information for Users

In general, the best protection for your devices is this: keep your software and apps up-to-date, do not click suspicious links in email, do not open shared documents or email attachments unless you are expecting them and trust the person who sent them, and only use secure, trusted networks. For more information, see Phishing & Suspicious Email, Secure Your Devices, and Secure Your Internet Connection on the U-M Safe Computing website.