Friday 5 February 2021

The Linux Flaw you can't afford to Ignore (CVE-2021-3156)

Linux and Unix operating systems require regular patching like any IT system, but as security professionals, ethical hackers, and criminal hackers will tell you, regular Linux and Unix patching is often neglected.

CVE-2021-3156 sudo Vulnerability
Last week (26th January 2021) a new critical rated Linux\Unix vulnerability was made public under CVE-2021-3156. Specifically, the vulnerability is within the 'sudo' program, which is an abbreviation of 'superuser do', well that's how I remember it. Sudo is a powerful and fundamental program found within all Linux and Unix distributions, allowing users to execute programs with the security privileges of another user. A typical use of sudo is where you need to run a program with privilege level (i.e. administrator) access rights.
The sudo 'heap overflow' vulnerability was discovered by Qualys researchers, the exploit allows any unprivileged user to gain root level (i.e. administrative) privileges.  Qualys has posted a blog and video which explains and demonstrates the exploitation technique, which as exploits go is fairly quick and easy to do. See CVE-2021-3156: Heap-Based Buffer Overflow in Sudo (Baron Samedit) | Qualys Security Blog

Patches are available
Qualys rightly did not publically disclose the vulnerability until the sudo program author was able to write and release a fixed (patched) version of sudo. The fixed sudo version1.9.5p2 has been made available to download at

Linux vendors have also released patches for the sudo vulnerability, including
At the time of writing this post, it has been reported MacOS Big Sur is also vulnerable, but Apple has not released a patch.

The Security Concern
This vulnerability in sudo has been present for nearly 10 years, all sudo versions prior to sudo 1.9.5p2 are to be considered vulnerable. The issue is Linux is embedded everywhere, yet many systems are rarely, and even never updated. From IoT devices to internet-based services, the security of countless devices and web-based services' are dependant upon a secure Lin
ux account privilege model. While their Linux operating systems remain unpatched to prevent exploitation of the CVE-2021-3156 vulnerability, they sit there insecure and waiting to be hacked.

No comments: