Step By Step Procedure To Fix The New Sudo Vulnerability (CVE-2021-3156)

You might have recently read about a new heap overflow vulnerability (CVE-2021–3156) on Sudo discovered by a team of security researchers from Qualys. This article covers not just information about vulnerability. It covers how to find the vulnerable host and how to fix the new sudo vulnerability found on a vulnerable host.

What Is Sudo?

I am afraid if someone doesn’t know about sudo. Sudo is the most powerful, open-source, ubiquitous utility used in all non-windows platforms like Unix, Linux, Solaris, and Mac. sudo allows users to run the programs with another user’s security privileges, by default ‘superuser’.

About the New Heap Overflow Sudo Vulnerability (Cve-2021–3156):

This vulnerability allows an unprivileged user to gain root privileges without authentication after successfully exploiting the vulnerable host. Qualys research team reported that they have succeeded in obtaining complete root privileges by exploiting the vulnerability on Ubuntu 20.04 (Sudo 1.8.31), Debian 10 (Sudo 1.8.27), and Fedora 33 (Sudo 1.9.2). On the latest note, they also confirmed that the vulnerability is prone to macOS, AIX, and Solaris as well. Quays confirmed that they have developed multiple variants of exploits and testthem ed independently on each one of those operating systems. You can see the Proof of Concept and other technical details on the Qualys website if you need to know how to find the vulnerability on a host and patch it. Please follow us on this article and read below two sections to know how to find and fix the new sudo vulnerability.

Further to say, This vulnerability has been registered in mitre on 26th Jan 2020. It has been assigned CVE-2021–3156 in the Common Vulnerabilities and Exposures database. sudo confirmed that this vulnerability affected to sudo versions 1.7.7 to 1.7.10p9, 1.8.2 to 1.8.31p2, and 1.9.0 to 1.9.5p1.

Technical Details of the New Sudo Vulnerability (Cve-2021–3156):

Todd C. Miller, a sudo maintainer, said “When sudo runs a command in shell mode, either via the -s or -i command line option, it escapes special characters in the command’s arguments with a backslash. The sudoers policy plugin will then remove the escape characters from the arguments before evaluating the sudoers policy (which doesn’t expect the escape characters) if the command is being run in shell mode. A bug in the code that removes the escape characters will read beyond the last character of a string if it ends with an unescaped backslash character. Under normal circumstances, this bug would be harmless since sudo has escaped all the backslashes in the command’s arguments. However, due to a different bug, this time in the command-line parsing code, it is possible to run sudoedit with either the -s or -i options, setting a flag that indicates shell mode is enabled. Because a command is not actually being run, sudo does not escape special characters. Finally, the code that decides whether to remove the escape characters did not check whether a command is actually being run, just that the shell flag is set. This inconsistency is what makes the bug exploitable.”

How to Find the New Sudo Vulnerability (Cve-2021–3156) On the Host?

Check your host is running one of these affected Sudo versions:

Use this command to check the version of Sudo your host is running: 

$ Sudo — version

In our case, our host is having 1.8.31, which is the vulnerable version.

This image is captured by the author

Suppose you want to confirm your sudo version is vulnerable to this flaw. Try this command:

$ sudoedit -s /

If your host is running a vulnerable version of sudo. You will see this on your terminal.

sudoedit: /: not a regular file

If your host is running a patched version of sudo. You will see this on your terminal. 

usage: sudoedit [-AknS] [-C num] [-D directory] [-g group] [-h host] [-p prompt] [-R directory] [-T timeout] [-u user] file …

Let’s try this method on our host and find out whether our host is running a vulnerable version.

As soon as we enter the command, we have prompted to enter a password.

If the sudoers plugin has been patched but the Sudo front-end has not, the following error will be displayed :

Sudoedit: invalid mode flags from Sudo front end: 0x20002

Patching either the Sudo front-end or the sudoers plugin is sufficient to prevent exploitation, but applying the complete patch is the safest approach.

How to Fix the New Sudo Vulnerability (Cve-2021-3156) On the Host?

Time needed: 10 minutes.

Commands required to fix the new Sudo vulnerability (CVE-2021-3156)

Sudo.ws has fixed this vulnerability in the newly released versions: Sudo 1.9.5p2, released on 26 Jan 2021.

Download the patched sudo 1.9.5p2 version from the site using the wget utility.

$ wget https://www.sudo.ws/dist/sudo-1.9.5p2.tar.gz

This image is captured by the author

Since it is a compressed file use the tar utility to extract it.

$ tar xvzf sudo-1.9.5p2.tar.gzAfter extracting it.

A directory gets created ‘ sudo-1.9.5p2’.

This image is captured by the author