A critical security vulnerability affecting a large number of Linux computers was disclosed this past Tuesday (January 26, 2021) by the security auditing firm Qualys. The vulnerability was found in the sudo command, which is included in most (if not all) Linux distributions, including openSUSE and Linux Kamarada; they have already published fixes and advise users to update their systems.
The sudo command line utility allows normal system users to execute commands that normally may be executed only by the system administrator user, who in Linux is called root or superuser. Hence the name of the sudo command: su “do” (superuser does). The system administrator can grant permissions to certain users (or groups of users) to run some (or all) commands as root (or as another user). Those permissions are defined in the sudo configuration file, /etc/sudoers, which should be edited with the visudo command, since a syntax error in that file locks everyone out of sudo.
The bug found by Qualys has been named “Baron Samedit” and registered in the Common Vulnerabilities and Exposures (CVE) database with the identifier CVE-2021-3156. It is a heap-based buffer overflow in the code that unescapes backslashes in command-line arguments when sudo is invoked as sudoedit in shell mode (-s or -i). The vulnerability can be exploited by a malicious normal user (or an attacker who has gained access to a normal user account), without any authentication, to gain root access and take over the vulnerable system, even if that user account is not listed in the /etc/sudoers file. According to Qualys, all legacy versions from 1.8.2 to 1.8.31p2 and all stable versions from 1.9.0 to 1.9.5p1 are affected in their default configuration.
For the technical details behind this bug, refer to the Qualys report or to the following video, which demonstrates one way to exploit the vulnerability to gain root access from a normal user account.
Curiously, although the bug has only been disclosed now, the sudo source history shows that the erroneous code was introduced in July 2011 (commit 8255ed69). So the bug went (hopefully) unnoticed for nearly 10 years. Fortunately, it has already been fixed upstream in sudo 1.9.5p2, and distributions have backported the fix to the older sudo versions they ship.
How can I protect myself from that?
All major Linux distributions have already released security updates with patches that fix this issue. Linux users are advised to update their systems.
The openSUSE Project has released updates for both of its distributions, Leap and Tumbleweed. In the case of openSUSE Leap, both currently supported releases (15.1 and 15.2) have received updates.
Since Linux Kamarada is based on openSUSE Leap, Linux Kamarada users are by transitivity openSUSE Leap users and receive the same updates.
If you use one of these Linux distributions:
- openSUSE Leap (or Linux Kamarada) 15.1
- openSUSE Leap (or Linux Kamarada) 15.2
- openSUSE Tumbleweed
You can see how to get updates for your system here:
Users of older openSUSE Leap releases that have been discontinued and no longer receive updates (e.g. 15.0) were instructed on the openSUSE Users mailing list to download the sudo package source code, build it manually and install it. If that is your case, see that mailing list thread for more information; keep in mind that a discontinued release is also missing every other security fix published since its end of life.
Another option if you use openSUSE Leap 15.0 is to upgrade to 15.1 and then to 15.2.
Leap 15.1 support is going to end this month, so 15.1 users are advised to upgrade as well.
If you need instructions on how to upgrade, take a look at:
- How to upgrade from openSUSE Leap 15.0 to 15.1
- Linux Kamarada and openSUSE Leap: how to upgrade from 15.1 to 15.2
How can I know whether I am vulnerable?
The sudo developers also issued an advisory with information about the bug. It suggests a simple test to determine whether your version of sudo is vulnerable.
Just open a terminal window and run the following command (as any normal user; no root privileges are needed, and no password prompt is reached):
$ sudoedit -s '\' `perl -e 'print "A" x 65536'`
If that command results in a segmentation fault, sudo is vulnerable.
If instead it prints a usage or error message, the fix has been applied and sudo is not vulnerable.
In my tests, after updating, the error message that appeared was:
sudoedit: invalid mode flags from sudo front end: 0x20002
sudoedit: unable to initialize policy plugin
openSUSE and Linux Kamarada use the RPM package format, so you can also check the sudo package changelog. If you have the latest update installed, the CVE identifier should appear in the most recent entry, as in the following example (note that the package version number itself does not change, because the fix was backported as a patch):
$ rpm -q --changelog sudo | head
* Sat Jan 23 2021 Simon Lees <sflees@suse.de>
- Fix Heap-based buffer overflow in Sudo [bsc#1181090,CVE-2021-3156]
* sudo-CVE-2021-3156.patch
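As an added example (not code from the original post or from the sudo project), the POSIX sh script below combines the three signals described above into one check: the installed sudo version against the affected ranges reported by Qualys, the RPM changelog for the CVE identifier, and the sudoedit probe from the sudo advisory. It assumes that `sudo -V` prints "Sudo version X.Y.Z" on its first line (the format upstream sudo uses), that an `rpm` binary is present on RPM-based systems, and that the shell reports a child killed by SIGSEGV as exit status 139; the zypper hint it prints is the standard openSUSE way to install a patch by CVE identifier.

```shell
#!/bin/sh
# Added example: three independent checks for CVE-2021-3156 (Baron Samedit).
# Verdict order, strongest first: sudoedit probe > changelog entry > version.

# Turn "MAJOR.MINOR.PATCH[pN]" into one integer for range comparisons,
# e.g. 1.8.31p2 -> 1083102, 1.9.5 -> 1090500. Assumes PATCH and N < 100,
# which holds for every sudo release. Rejects distro-style suffixes such as
# "1.8.22-3.1" rather than guessing at them.
version_key() {
    case $1 in
        [0-9]*.[0-9]*) ;;           # need at least MAJOR.MINOR
        *) return 2 ;;
    esac
    case $1 in
        *[!0-9.p]*) return 2 ;;     # only digits, dots and "p" allowed
    esac
    ver=$1
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    case $rest in
        *.*) rest=${rest#*.} ;;
        *)   rest=0 ;;              # "1.8" has no patch component
    esac
    patch=${rest%%p*}
    case $rest in
        *p*) plevel=${rest#*p} ;;
        *)   plevel=0 ;;
    esac
    echo $(( major * 1000000 + minor * 10000 + patch * 100 + plevel ))
}

# Ranges from the Qualys advisory: legacy 1.8.2..1.8.31p2, stable 1.9.0..1.9.5p1.
# Returns 0 (affected), 1 (outside the ranges) or 2 (unparseable).
# A hit only means "upstream code of that version was vulnerable": distros
# backport the fix without changing the version, so keep reading below.
is_affected_version() {
    key=$(version_key "$1") || return 2
    if [ "$key" -ge "$(version_key 1.8.2)" ] && [ "$key" -le "$(version_key 1.8.31p2)" ]; then
        return 0
    fi
    if [ "$key" -ge "$(version_key 1.9.0)" ] && [ "$key" -le "$(version_key 1.9.5p1)" ]; then
        return 0
    fi
    return 1
}

# Reads an RPM changelog on stdin; succeeds when the CVE id is mentioned.
changelog_has_fix() {
    grep -q 'CVE-2021-3156'
}

# The advisory's probe: an oversized argument with a lone backslash, handed
# to sudoedit in shell mode. The 65536-byte "AAAA..." argument is the same
# one the advisory builds with perl, produced here with coreutils only.
# Returns 0 on a segmentation fault (vulnerable), 1 otherwise, 2 if absent.
segfault_probe() {
    command -v sudoedit >/dev/null 2>&1 || return 2
    sudoedit -s '\' "$(head -c 65536 /dev/zero | tr '\000' A)" >/dev/null 2>&1
    status=$?
    [ "$status" -eq 139 ]
}

# Report when run on a real system; silently skipped where sudo is missing.
if command -v sudo >/dev/null 2>&1; then
    ver=$(sudo -V 2>/dev/null | sed -n '1s/^Sudo version //p')
    if is_affected_version "$ver"; then
        echo "version: sudo $ver is inside an affected range (fix may be backported)"
    else
        echo "version: sudo $ver is outside the affected ranges (or not parseable)"
    fi
    if command -v rpm >/dev/null 2>&1 && rpm -q --changelog sudo 2>/dev/null | changelog_has_fix; then
        echo "changelog: the sudo package changelog mentions CVE-2021-3156"
    fi
    segfault_probe
    case $? in
        0) echo "probe: SEGMENTATION FAULT, sudo is vulnerable; update now"
           echo "       (openSUSE: sudo zypper refresh && sudo zypper patch --cve=CVE-2021-3156)" ;;
        1) echo "probe: no crash, sudo is not vulnerable" ;;
        *) echo "probe: sudoedit not found, cannot run the advisory's test" ;;
    esac
fi
```

Save it as check_sudo.sh and run it as any normal user; nothing in it needs root, and the probe never reaches a password prompt. The version range is only a hint: the openSUSE Leap 15.x package above is based on an upstream release inside that range, yet after the update it is not vulnerable because the fix arrived as sudo-CVE-2021-3156.patch, which is exactly why the probe and the changelog are checked as well.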
References
If you want to know more about the sudo CVE-2021-3156 (“Baron Samedit”) bug, you can take a look at the texts I consulted to write this one:
- About the vulnerability in general:
  - CVE-2021-3156: Heap-Based Buffer Overflow in Sudo (Baron Samedit) - Qualys Security Blog
  - Decade-old bug in Linux world’s sudo can be abused by any logged-in user to gain root privileges - The Register
  - 10-year-old Sudo bug lets Linux users gain root-level access - ZDNet
  - Buffer overflow in command line unescaping - sudo
- Specific information for openSUSE:
  - sudo **BUG** (Mother of All sudo BUGS) – rebuild if you are using old release - openSUSE Users - openSUSE Mailing Lists
  - CVE-2021-3156 (sudo) vs Leap 15.1 - openSUSE Factory - openSUSE Mailing Lists
  - CVE-2021-3156 - SUSE
  - Bug 1181090 – VUL-0: CVE-2021-3156: sudo: Heap-based buffer overflow in Sudo "Baron Samedit" - SUSE Bugzilla