A newly discovered high severity vulnerability (CVE-2021-3156) in the sudo package allows privilege escalation from any user to root without any authentication. The package sudo is a near universal utility across Linux distributions and flavors that manages local user privileges. Therefore, this vulnerability presents a major and immediate risk. The affected versions are all legacy versions from 1.8.2 to 1.8.31p2 and all stable versions from 1.9.0 to 1.9.5p1 in their default configuration.
With an estimated 90% of cloud workloads running Linux based OS, with sudo being common across distributions, many Linux cloud assets are at risk and may be affected. Versions released as far back as 2011 are affected by this vulnerability.
Affected versions of sudo:
- All legacy versions from 1.8.2 to 1.8.31p2
- All stable versions from 1.9.0 to 1.9.5p1
What is not Affected:
- All versions before 1.8.2
- Patched version 1.9.5p2
Test for the vulnerability yourself:
To test if a system is vulnerable or not follow these steps:
- login to the system as a non-root user
- Run command “sudoedit -s /”
- If the system is vulnerable, it will respond with an error that starts with “sudoedit:”
- If the system is patched, it will respond with an error that starts with “usage:”
About the vulnerability
When sudo runs a command in shell mode, either via the -s or -i command line option, it escapes special characters in the command’s arguments with a backslash. The sudoers policy plugin will then remove the escape characters from the arguments before evaluating the sudoers policy (which doesn’t expect the escape characters) if the command is being run in shell mode.
A bug in the code that removes the escape characters will read beyond the last character of a string if it ends with an unescaped backslash character. Under normal circumstances, this bug would be harmless since sudo has escaped all the backslashes in the command’s arguments. However, due to a different bug, this time in the command line parsing code, it is possible to run sudoedit with either the -s or -i options, setting a flag that indicates shell mode is enabled. Because a command is not actually being run, sudo does not escape special characters. Finally, the code that decides whether to remove the escape characters did not check whether a command is actually being run, just that the shell flag is set. This inconsistency is what makes the bug exploitable.
We’re here to help
Wiz can be deployed in minutes across cloud environments at any scale, and instantly perform a full-stack cloud scan to identify all vulnerable Linux instances.
Wiz empowers security teams to respond rapidly to the threat, and focus on the resources with the highest risk first.
To gain instant assessment of your cloud environment for this vulnerability, Get Wiz up and running and our cloud security experts will assist to understand the impact!