
Another Sudo Root Privilege Escalation Vulnerability Got Patched, Update Now

Filed under
Security

Sudo 1.9.5p2 was released today and it addresses two security issues. The first, CVE-2021-3156 (a.k.a. Baron Samedit), was discovered by Qualys Research Labs and could allow local users (sudoers and non-sudoers) to obtain unintended access to the root (system administrator) account.

In addition, the new release patches CVE-2021-23239, a vulnerability discovered in Sudo’s sudoedit utility, which could allow a local attacker to bypass file permissions and determine if a directory exists or not. This security flaw affected Sudo versions before 1.9.5.

BleepingComputer

Anti-Linux writers rejoice

The original

  • CVE-2021-3156: Heap-Based Buffer Overflow in Sudo (Baron Samedit)

    Successful exploitation of this vulnerability allows any unprivileged user to gain root privileges on the vulnerable host. Qualys security researchers have been able to independently verify the vulnerability and develop multiple variants of exploit and obtain full root privileges on Ubuntu 20.04 (Sudo 1.8.31), Debian 10 (Sudo 1.8.27), and Fedora 33 (Sudo 1.9.2). Other operating systems and distributions are also likely to be exploitable.

Sudo vulnerability allows attackers to gain root privileges...

3 More

  • 10-year-old Sudo Bug Lets Linux Users Gain Root-Level Access
  • Sudo Flaw Gives Linux Users Root Access | Decipher

    Researchers from Qualys uncovered a major vulnerability in an application that allows administrators to delegate limited root access to regular users. While most major Linux distributions have released fixed versions of sudo, administrators still have to verify their systems are protected. Some of the smaller distributions may not yet have incorporated the fix.

    The vulnerability allows a regular user on a system to gain root access, even if the account is not listed as one of the authorized accounts in the /etc/sudoers configuration file. The regular user account also does not need to know the password in order to exploit the vulnerability. Qualys said the flaw impacts all Sudo installs using the sudoers file—which is the case for many Linux systems. Researchers have developed exploit variants for Debian 10 (Sudo 1.8.27), Ubuntu 20.04 (Sudo 1.8.31), and Fedora 33 (Sudo 1.9.2). Qualys coordinated the release of Sudo v 1.9.5p2 to fix the flaw, CVE-2021-3156 (Baron Samedit).

  • Serious 10-year-old flaw in Linux sudo command; a new version patches it | Network World

    Linux users should immediately patch a serious vulnerability to the sudo command that, if exploited, can allow unprivileged users gain root privileges on the host machine.

    Called Baron Samedit, the flaw has been “hiding in plain sight” for about 10 years, and was discovered earlier this month by researchers at Qualys and reported to sudo developers, who came up with patches Jan. 19, according to a Qualys blog. (The blog includes a video of the flaw being exploited.)

Critical Vulnerability Patched in 'sudo' Utility...

PSA: If your PC runs Linux, you should update Sudo now

  • PSA: If your PC runs Linux, you should update Sudo now

    Despite the fact that tens of thousands of contributors actively pore over the source code of the Linux kernel and various Unix utilities looking for security flaws, it’s not unheard of for serious bugs to go unnoticed. Just a day ago, the folks over at Qualys revealed a new heap-based buffer overflow attack vector that targets the “Sudo” program to gain root access. The bug this time seems to be quite serious, and the bug has existed within the codebase for almost 10 years! Although the privilege escalation vulnerability has already been patched, it could potentially be exploited on nearly every Linux distribution and several Unix-like operating systems.

An unpleasant sudo vulnerability

  • An unpleasant sudo vulnerability

    It would appear that "sudo" has a buffer-overflow vulnerability that allows any local user to gain root privileges, whether or not they are in the sudoers file. It has been there since 2011. See this advisory for details, but perhaps run an update first.

Sudo Bug Gives Root Access to Mass Numbers of Linux Systems

  • Sudo Bug Gives Root Access to Mass Numbers of Linux Systems

    Qualys said the vuln gives any local user root access to systems running the most popular version of Sudo.

    A doozy of a bug that could allow any local user on most Linux or Unix systems to gain root access has been uncovered — and it had been sitting there for a decade, researchers said.

    The bug was found in Sudo, a utility built into most Unix and Linux operating systems that lets a user without security privileges access and run a program with the credentials of another user. Qualys researchers named the vulnerability “Baron Samedit,” tracked as CVE-2021-3156. They said the bug popped into the Sudo code back in July 2011.

    [...]

    Here’s how the vuln works: Specifically, the bug is a heap-based buffer overflow in Sudo, which lets any local user trick it into running in “shell” mode.

    Sudo authors explained in a Tuesday advisory that when Sudo is running in shell mode, “it escapes special characters in the command’s arguments with a backslash.” Then, a policy plug-in removes any escape characters before deciding on the Sudo user’s permissions.

    But it’s not just a single bug which exposed these systems, it’s actually the combination of two bugs working in tandem in Sudo that makes the exploitation possible, the authors explained.

    “A bug in the code that removes the escape characters will read beyond the last character of a string if it ends with an unescaped backslash character,” the Sudo authors explained. “Under normal circumstances, this bug would be harmless since Sudo has escaped all the backslashes in the command’s arguments.”

Decade-old vulnerability is still affecting most Linux distros

  • Decade-old vulnerability is still affecting most Linux distros

    Security researchers at Qualys discovered a privilege escalation vulnerability in one of the core utilities present in all Unix-like operating systems including Linux.

    If exploited, the heap overflow vulnerability in the Sudo utility could allow any unprivileged user to gain root privileges.

    The vulnerability, which has now been patched, has existed for almost a decade, according to a blog post by Animesh Jain, a Vulnerability Signatures Product Manager at Qualys.

Cyber Command, NSA warn to patch decade-old sudo vulnerability

  • Cyber Command, NSA warn to patch decade-old sudo vulnerability

    U.S. intelligence officials are urging American companies and security workers to fix a software flaw that, if exploited, would give attackers deep access to a victim machine.

    The vulnerability, which now has a patch, would have allowed unauthorized users to gain what’s known as root privileges on vulnerable hosts as early as 2011 when the flaw was introduced, researchers at the security firm Qualys found. Root access would enable hackers to obtain administrative privileges over a machine, and quietly collect sensitive information.

    The vulnerability has existed for 10 years in sudo, a common tool found on nearly all Unix and Linux-based operating systems that generally allows system administrators to give some approved users root privileges.

    The flaw affects legacy versions from 1.8.2 to 1.8.31p2 and all default versions from 1.9.0 to 1.9.5p1, according to Qualys.

‘One of the most beautiful bugs I’ve seen’: Decade-old sudo bug

  • ‘One of the most beautiful bugs I’ve seen’: Decade-old sudo bug grants Linux root access

    Cybersecurity researchers and the U.S. Cyber Command are warning users about a decade-old buffer overflow bug in sudo that can grant root access to malicious users with low level access to systems.

    The vulnerability, discovered by Qualys and nicknamed “Baron Samedit,” affects all versions of Linux Qualys has tested against. The glitch allows users, even those off the sudoers list, to gain root access. It has been patched in the latest release of sudo.

    “Any user – even the lowest of the low privileged – can access root,” said Mehul Revankar, vice president of product management and engineering at Qualys.

    Though other Sudo vulnerabilities have been found in the past, it’s rare that a bug affects any account, rather than accounts meeting specific conditions.

    “We expect millions of systems to be affected,” said Revankar.

Sudo Vulnerability 2021: 'Baron Samedit' Bug on Linux...

  • Sudo Vulnerability 2021: 'Baron Samedit' Bug on Linux Gives Attackers Free Root-Level Access

    A major vulnerability impacting a large chunk of the Linux ecosystem has been patched today in Sudo, an app that allows admins to delegate limited root access to other users.

    As reported by ZDNet, a major vulnerability was discovered two weeks ago that impacts the Linux ecosystem tremendously. Today, the problem has been patched by an app called Sudo which permits admins in Linux to consign limited root access for other users. It was fixed with the release of the Sudo v1.9.5p2.

    [...]

    Thankfully, Sudo has already fixed this problem for the Linux ecosystem. It can be found in sudo 1.9.5p2. Sudo added that if users want to check if their version of Sudo is vulnerable, they can key in the following commands to check:

    sudoedit -s '\' `perl -e 'print "A" x 65536'`

    Ideally, you should receive a usage or error message. This indicates that your version of Sudo is not vulnerable. On the other hand, if the result that arises is a Segmentation fault, then you can expect that your Sudo version is indeed vulnerable.

    Sudo's update should be applied as early as possible to prevent malicious acts by attackers. If you need to know more technical information about checking your Sudo status, you can check The Qualys advisory.

Three more pieces

  • Bug in Linux sudo command could give any user root access

    Researchers from Qualys have disclosed a vulnerability in the sudo utility that could be exploited to grant system administrator privileges to any user that is logged into a system.

    Dubbed Baron Samedit (CVE-2021-3156), Qualys recommended that users apply patches for the vulnerability immediately.

    The developers of sudo were informed about the security flaw on 13 January and the bug was patched on 19 January — a week before it was publicly disclosed.

    Sudo is a widely used program in Unix-like operating systems. Qualys confirmed that the Baron Samedit bug was present in Linux distributions such as Ubuntu, Debian, and Fedora.

  • Weekly threat roundup: Apple, SonicWall, Linux Sudo

    A significant vulnerability in the Linux Sudo command could inadvertently grant unauthorised users root access to a system, even if the account isn’t listed as an authorised account.

    Sudo allows administrators to delegate limited root access to regular users, but the vulnerability tagged CVE-2021-3156 can be exploited by an unprivileged user to gain root privileges on a vulnerable host.

    The flaw has been hiding in plain sight for nearly a decade having been introduced in July 2011, according to Qualys security researchers. Multiple versions of Sudo are therefore likely to be affected, including legacy versions 1.8.2 to 1.8.31p2 and stable versions from 1.9.0 to 1.9.5p1.

  • Decade-Old Sudo Flaw Discovered

    A vulnerability has been discovered in the Linux sudo command that’s been hiding in plain sight.

    Sudo is the venerable tool that allows standard users to run admin tasks on Linux distributions. Without sudo, users would have to log into the system as the root user (or change to the root user with the su command), in order to run admin commands. Seeing as how that is looked upon as a security risk, sudo has become a required tool for many Linux admins and users.

    However, it has been discovered (by researchers at Qualys) that, for nearly a decade, sudo contained a heap-based buffer overflow vulnerability. This bug could allow any unprivileged user to gain root privileges using the default sudo configuration.

Sudo Vulnerability Discovered

Researchers: Beware of 10-Year-Old Linux Vulnerability

  • Researchers: Beware of 10-Year-Old Linux Vulnerability

    The vulnerability, called "Baron Samedit" by the researchers and officially tracked as CVE-2021-3156, is a heap-based buffer overflow in the Sudo utility, which is found in most Unix and Linux operating systems.

    Sudo is a utility included in open-source operating systems that enables users to run programs with the security privileges of another user, which would then give them administrative – or superuser – privileges.

    The bug, which appears to have been added into the Sudo source code in July 2011, was not detected until earlier this month, Qualys says.

    "Qualys security researchers have been able to independently verify the vulnerability and develop multiple variants of exploits and obtain full root privileges on Ubuntu 20.04 (Sudo 1.8.31), Debian 10 (Sudo 1.8.27), and Fedora 33 (Sudo 1.9.2). Other operating systems and distributions are also likely to be exploitable," the researchers say.

This Week In Security: Sudo, Database Breaches, And Ransomware

  • This Week In Security: Sudo, Database Breaches, And Ransomware

    Sudo is a super important Linux utility, as well as the source of endless jokes. What’s not a joke is CVE-2021-3156, a serious vulnerability around incorrect handling of escape characters. This bug was discovered by researchers at Qualys, and has been in the sudo codebase since 2011. If you haven’t updated your Linux machine in a couple days, you may very well be running the vulnerable sudo binary still. There’s a simple one-liner to test for the vulnerability:

    sudoedit -s '\' `perl -e 'print "A" x 65536'`
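The Tech Times and Hackaday excerpts above both quote the sudoedit one-liner as the way to tell a patched build from a vulnerable one. The script below is an added example written for this page; it is not code from any of the quoted articles or from the sudo project. It wraps that probe in a small triage routine: first it compares the upstream version reported by `sudo -V` against the affected ranges Qualys gave (legacy 1.8.2 to 1.8.31p2, stable 1.9.0 to 1.9.5p1, as quoted in the Cyberscoop and IT Pro items), then it runs the probe and reads the exit status instead of eyeballing the output. The live parts assume `sudo`, `sudoedit` and `perl` are on PATH and are skipped when they are not. One caveat a practitioner needs: distributions commonly backport the fix without changing the upstream version string, so the version comparison alone over-reports; the probe result is the authoritative answer.

```shell
#!/bin/sh
# Added example, not code from the quoted articles or the sudo project:
# triage a host for CVE-2021-3156 (Baron Samedit) in two steps.
#  1. Compare the installed upstream sudo version with the affected ranges
#     Qualys reported (legacy 1.8.2 .. 1.8.31p2, stable 1.9.0 .. 1.9.5p1).
#  2. If sudoedit and perl are available, run the probe the sudo maintainers
#     published: a patched build prints a usage/error message, a vulnerable
#     build dies with a segmentation fault.
# Step 1 over-reports on distributions that backport the fix without bumping
# the upstream version string, so step 2 is the authoritative result.

# version_cmp A B: prints -1, 0 or 1 as A is older than, equal to or newer
# than B. "1.8.31p2" is read as fields 1 8 31 2; a missing "pN" counts as p0.
version_cmp() {
  awk -v a="$1" -v b="$2" '
    function split_ver(v, out,    n, parts) {
      sub(/p/, ".", v)                  # "1.8.31p2" -> "1.8.31.2"
      n = split(v, parts, ".")
      out[1] = parts[1] + 0; out[2] = parts[2] + 0
      out[3] = parts[3] + 0; out[4] = (n >= 4) ? parts[4] + 0 : 0
    }
    BEGIN {
      split_ver(a, A); split_ver(b, B)
      for (i = 1; i <= 4; i++) {
        if (A[i] < B[i]) { print "-1"; exit }
        if (A[i] > B[i]) { print "1"; exit }
      }
      print "0"
    }'
}

# in_range V LOW HIGH: succeeds when LOW <= V <= HIGH.
in_range() {
  [ "$(version_cmp "$1" "$2")" -ge 0 ] && [ "$(version_cmp "$1" "$3")" -le 0 ]
}

# classify_version V: prints "vulnerable" or "not-vulnerable" from the
# version string alone (see the backport caveat above).
classify_version() {
  if in_range "$1" 1.8.2 1.8.31p2 || in_range "$1" 1.9.0 1.9.5p1; then
    echo vulnerable
  else
    echo not-vulnerable
  fi
}

# installed_sudo_version: the first line of `sudo -V` is "Sudo version X.Y.Z".
installed_sudo_version() {
  command -v sudo >/dev/null 2>&1 || return 1
  sudo -V 2>/dev/null | awk 'NR == 1 { print $3 }'
}

# probe_sudoedit: returns 0 when sudoedit survives the oversized argument
# (patched), 1 when it is killed by SIGSEGV (vulnerable), 2 when the probe
# cannot run here (no sudoedit or no perl on PATH).
probe_sudoedit() {
  command -v sudoedit >/dev/null 2>&1 || return 2
  command -v perl >/dev/null 2>&1 || return 2
  if sudoedit -s '\' "$(perl -e 'print "A" x 65536')" </dev/null >/dev/null 2>&1; then
    rc=0
  else
    rc=$?
  fi
  [ "$rc" -eq 139 ] && return 1      # 139 = 128 + SIGSEGV
  return 0
}

main() {
  v=$(installed_sudo_version) || { echo "sudo not installed"; return 0; }
  echo "installed sudo $v: $(classify_version "$v") by version range"
  if probe_sudoedit; then
    echo "sudoedit probe: usage/error message, build is patched"
  else
    case $? in
      1) echo "sudoedit probe: segmentation fault, build is VULNERABLE, update now" ;;
      *) echo "sudoedit probe: skipped (sudoedit or perl not available)" ;;
    esac
  fi
}

main "$@"
```

Run it as an ordinary unprivileged user; nothing in it needs root, and a patched sudoedit rejects the `-s` option before any authentication happens. Checking the exit status (139 is the shell's encoding of a SIGSEGV death) is what makes the probe usable from fleet tooling rather than only by hand.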

Linux sudo exploit gives root access

  • Linux sudo exploit gives root access

    Researchers have found a buffer overflow vulnerability in the Linux sudo program that means an ordinary user could give themselves root privileges.

    The Sudo command lets users act at higher security privilege levels – either as a superuser or some other user profile – so they can perform certain tasks without having full root access.

"Linux Flaw"

  • The Linux Flaw you can't afford to Ignore (CVE-2021-3156) [Ed: It is not a "Linux flaw" but a sudo flaw and it affects systems that are not Linux]

    Linux and Unix operating systems require regular patching like any IT system, but as security professionals, ethical hackers, and criminal hackers will tell you, regular Linux and Unix patching is often neglected.
