Aqua Blog

CVE-2021-3156 sudo Vulnerability Allows Root Privileges

CVE-2021-3156 sudo Vulnerability Allows Root Privileges

A new severe vulnerability was found in Unix and Linux operating systems that allows an unprivileged user to exploit this vulnerability using sudo, causing a heap overflow to elevate privileges to root without authentication, or even get listed in the sudoers file. In this blog, I’ll go over how this CVE can be exploited, what sudo versions are affected, and how to mitigate the issue.

Technical review

Normally, sudo allows users to run programs with the security privileges of another user (the root user is set by default). The user must provide their own password for authentication. After authentication, if the configuration file permits the user access, the user will be allowed to use the other user’s privileges.
When running a sudo command in shell mode with the flags -s or -i (sudo -s, run shell as the target user or sudo -i, run login shell as the target user), it will expect two backslashes ‘\’ to mark the first character.

sudo -s '\' `perl -e 'print "A" x 65536'`

Once received this command, the sudoers policy plugin will remove the escape characters. When running this command only with one backslash ‘’, it will be harmless since it will exit with an error.

Sudoedit is a built-in command that allows users to securely edit files. In this new vulnerability, Qualys researchers discovered that when running sudoedit with the flags -s or -i, the command will not result in an exit with an error, and the sudoers policy plugin will not remove the escape characters, resulting instead in reading beyond the last character of a string if it ends with an un-escaped backslash character.

sudoedit -s '' `perl -e 'print "A" x 65536'`

This may allow attackers to exploit this vulnerability in order to run random code, which in turn leads to running a command with root privilege without authentication, or to being listed in the sudoers file.
This vulnerability also applies when running a non-privileged container.

The oldest vulnerable sudo version was first committed in 2011 and affects all legacy versions from 1.8.2 to 1.8.31p2 and all stable versions from 1.9.0 to 1.9.5p1 in their default configuration.

How to check if you are affected

The sudo project released a command that allows you to test whether your version of sudo is vulnerable:

sudoedit -s '' `perl -e 'print "A" x 65536'`

If you receive a usage or error message, sudo is not vulnerable. If the result is a Segmentation fault, sudo is vulnerable. As you can see below:

How to check if you are affected

Mitigation and remediation

In the Aqua console, you can use our runtime policy in order to block the execution of sudoedit:

  1. Navigate to Policies → Runtime PoliciesRuntime Policies
  2. Search for ‘Aqua default runtime policy’ and choose this option.

Aqua default runtime policy

  1. Choose Executables Blocked and the executable you wish to block and save.
    Image 4

Furthermore, you can use our Aqua host runtime policy to block the execution of sudoedit on your VMs, for instance:

  1. Navigate to Policies → Runtime Policies
    Image 2 and 5
  2. Search for ‘Aqua default host runtime policy’ and choose this option.

Image 6

  1. Choose the ‘File Block’ option.

File Block

  1. Type the name of the binary you wish to block (sudoedit in our case) and save.

sudoedit

In addition, if you’re able to upgrade your OS images, sudo project released a fixed version, as well as the major operating systems Debian, Fedora, Ubuntu and RedHat have provided patches.

Assaf Morag
Assaf is a Lead Data Analyst at Aqua Nautilus research team, he focuses on supporting the data needs of the team, obtaining threat intelligence and helping Aqua and the industry stay at the forefront of new threats and methodologies for protection. His work has been published in leading info security publications and journals across the globe, and most recently he contributed to the new MITRE ATT&CK Container Framework.