{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2021-007.pdf"
    },
    "title": "UPDATE: Sudo Heap-based Buffer Overflow",
    "serial_number": "2021-007",
    "publish_date": "02-02-2021 10:46:00",
    "description": "On the 26th of January 2021, Sudo, in coordination with Qualys, released a security advisory regarding a vulnerability in Sudo allowing any local user on a Unix-based system to execute code as root without authentication (privilege escalation).<br>The vulnerability is exploitable via \"sudoedit -s\" commands on most systems, and several proofs of concept were published by security researchers.<br>The potential impact of this vulnerability is high, as an attacker with low-privileged access to any Unix-based system can easily elevate their privileges to completely take over the system.",
    "url_title": "2021-007",
    "content_markdown": "---\ntitle: 'Sudo Heap-based Buffer Overflow'\nversion: '1.1'\nnumber: '2021-007'\ndate: 'February 4, 2021'\n---\n\n_History:_\n\n* _02/02/2021 --- v1.0 -- Initial publication_\n* _04/02/2021 --- v1.1 -- Corrected error in testing command_\n\n# Summary\n\nOn the 26th of January 2021, Sudo [1], in coordination with Qualys, released a security advisory [2, 3] regarding a vulnerability in Sudo allowing any local user on a Unix-based system to execute code as root without authentication (privilege escalation).\n\nThe vulnerability is exploitable via `sudoedit -s` commands on most systems, and several proofs of concept were published by security researchers [8].\n\nThe potential impact of this vulnerability is high, as an attacker with low-privileged access to any Unix-based system can easily elevate their privileges to completely take over the system.\n\n# Technical Details\n\nThe vulnerability was assigned CVE-2021-3156 [7].\n\nThe vulnerability is a heap-based buffer overflow that occurs when sudo is executed in shell mode through the `-s` or `-i` option.\n\nNormally, sudo escapes special characters when running a command via a shell. However, when `sudoedit` is run with the `-s` or `-i` option, no escaping is actually done, which makes the vulnerability exploitable.\n\nThe *Qualys* security advisory provides a more detailed run-through of the vulnerability [2].\n\n# Affected Products\n\nThe following versions of sudo are vulnerable:\n\n * All legacy versions from 1.8.2 to 1.8.31p2\n * All stable versions from 1.9.0 to 1.9.5p1\n\nAll major Linux distributions published security advisories for the vulnerability, as listed in the Qualys blog post [3].\n\nSeveral network devices are based on Unix and are affected by the vulnerability, including:\n\n * Cisco products [4]\n * NetApp products [5]\n * F5 products [6]\n * ...\n\n# Recommendations\n\nUpdate sudo on all Unix-based servers and devices to the latest version.\n\nIt is possible to test whether sudo is vulnerable to CVE-2021-3156 by running one of the following commands (*perl*, *python*, *bash*):\n\n    sudoedit -s '\\' $(perl -e 'print \"X\" x 65535')\n    sudoedit -s '\\' $(python -c 'print(\"X\"*65535)')\n    sudoedit -s '\\' $(printf \"%0.sX\" {1..65535})\n\nIf `sudoedit` crashes with an error, the system is vulnerable to CVE-2021-3156. A patched sudo does not crash but rejects the command with an error message starting with `usage:`. Examples of the crash on vulnerable systems:\n\n * On Arch Linux systems: `malloc(): corrupted top size`\n * On Ubuntu systems: `Segmentation fault (core dumped)`\n\n# References\n\n[1] <https://www.sudo.ws/stable.html#1.9.5p2>\n\n[2] <https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt>\n\n[3] <https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit>\n\n[4] <https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sudo-privesc-jan2021-qnYQfcM>\n\n[5] <https://security.netapp.com/advisory/ntap-20210128-0002/>\n\n[6] <https://support.f5.com/csp/article/K86488846>\n\n[7] <https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-3156>\n\n[8] <https://github.com/lockedbyte/CVE-Exploits/tree/master/CVE-2021-3156>\n\n[9] <https://github.com/reverse-ex/CVE-2021-3156>\n\n[10] <https://github.com/blasty/CVE-2021-3156>\n",
    "content_html": "<p><em>History:</em></p><ul><li><em>02/02/2021 --- v1.0 -- Initial publication</em></li><li><em>04/02/2021 --- v1.1 -- Corrected error in testing command</em></li></ul><h2 id=\"summary\">Summary</h2><p>On the 26th of January 2021, Sudo [1], in coordination with Qualys, released a security advisory [2, 3] regarding a vulnerability in Sudo allowing any local user on a Unix-based system to execute code as root without authentication (privilege escalation).</p><p>The vulnerability is exploitable via <code>sudoedit -s</code> commands on most systems, and several proofs of concept were published by security researchers [8].</p><p>The potential impact of this vulnerability is high, as an attacker with low-privileged access to any Unix-based system can easily elevate their privileges to completely take over the system.</p><h2 id=\"technical-details\">Technical Details</h2><p>The vulnerability was assigned CVE-2021-3156 [7].</p><p>The vulnerability is a heap-based buffer overflow that occurs when sudo is executed in shell mode through the <code>-s</code> or <code>-i</code> option.</p><p>Normally, sudo escapes special characters when running a command via a shell. However, when <code>sudoedit</code> is run with the <code>-s</code> or <code>-i</code> option, no escaping is actually done, which makes the vulnerability exploitable.</p><p>The <em>Qualys</em> security advisory provides a more detailed run-through of the vulnerability [2].</p><h2 id=\"affected-products\">Affected Products</h2><p>The following versions of sudo are vulnerable:</p><ul><li>All legacy versions from 1.8.2 to 1.8.31p2</li><li>All stable versions from 1.9.0 to 1.9.5p1</li></ul><p>All major Linux distributions published security advisories for the vulnerability, as listed in the Qualys blog post [3].</p><p>Several network devices are based on Unix and are affected by the vulnerability, including:</p><ul><li>Cisco products [4]</li><li>NetApp products [5]</li><li>F5 products [6]</li><li>...</li></ul><h2 id=\"recommendations\">Recommendations</h2><p>Update sudo on all Unix-based servers and devices to the latest version.</p><p>It is possible to test whether sudo is vulnerable to CVE-2021-3156 by running one of the following commands (<em>perl</em>, <em>python</em>, <em>bash</em>):</p><pre><code>sudoedit -s '\\' $(perl -e 'print \"X\" x 65535')\nsudoedit -s '\\' $(python -c 'print(\"X\"*65535)')\nsudoedit -s '\\' $(printf \"%0.sX\" {1..65535})\n</code></pre><p>If <code>sudoedit</code> crashes with an error, the system is vulnerable to CVE-2021-3156. A patched sudo does not crash but rejects the command with an error message starting with <code>usage:</code>. Examples of the crash on vulnerable systems:</p><ul><li>On Arch Linux systems: <code>malloc(): corrupted top size</code></li><li>On Ubuntu systems: <code>Segmentation fault (core dumped)</code></li></ul><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.sudo.ws/stable.html#1.9.5p2\">https://www.sudo.ws/stable.html#1.9.5p2</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt\">https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt</a></p><p>[3] <a rel=\"noopener\" target=\"_blank\" href=\"https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit\">https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit</a></p><p>[4] <a rel=\"noopener\" target=\"_blank\" href=\"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sudo-privesc-jan2021-qnYQfcM\">https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sudo-privesc-jan2021-qnYQfcM</a></p><p>[5] <a rel=\"noopener\" target=\"_blank\" href=\"https://security.netapp.com/advisory/ntap-20210128-0002/\">https://security.netapp.com/advisory/ntap-20210128-0002/</a></p><p>[6] <a rel=\"noopener\" target=\"_blank\" href=\"https://support.f5.com/csp/article/K86488846\">https://support.f5.com/csp/article/K86488846</a></p><p>[7] <a rel=\"noopener\" target=\"_blank\" href=\"https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-3156\">https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-3156</a></p><p>[8] <a rel=\"noopener\" target=\"_blank\" href=\"https://github.com/lockedbyte/CVE-Exploits/tree/master/CVE-2021-3156\">https://github.com/lockedbyte/CVE-Exploits/tree/master/CVE-2021-3156</a></p><p>[9] <a rel=\"noopener\" target=\"_blank\" href=\"https://github.com/reverse-ex/CVE-2021-3156\">https://github.com/reverse-ex/CVE-2021-3156</a></p><p>[10] <a rel=\"noopener\" target=\"_blank\" href=\"https://github.com/blasty/CVE-2021-3156\">https://github.com/blasty/CVE-2021-3156</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}