The Qualys Research Team has discovered a heap overflow vulnerability in the sudo utility. The vulnerability, assigned the identifier CVE-2021-3156 and known as "Baron Samedit," was found two weeks ago and patched early this week in the Sudo 1.9.5p2 release.
Sudo is a powerful utility that allows users to run programs with the security privileges of another user. It is included in most, if not all, Unix- and Linux-based operating systems.
Qualys researchers found that a heap overflow can be triggered in sudo to escalate privileges, giving the attacker access to the whole system. The vulnerability lets an attacker gain that access even if their account is not listed in /etc/sudoers, the configuration file that controls users' access to the "su" and "sudo" commands.
The only "requirement" for exploiting "Baron Samedit" is local access to the system, which an attacker can obtain quickly through an existing attack vector. Researchers said that planting malware on a device or brute-forcing a low-privileged service account could be enough for an unprivileged user to gain root privileges on a vulnerable host with a default sudo configuration.
Qualys researchers identified and verified the vulnerability on at least three Linux distributions: Ubuntu 20.04 (Sudo 1.8.31), Debian 10 (Sudo 1.8.27), and Fedora 33 (Sudo 1.9.2).
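The versions listed above, together with the fixed release 1.9.5p2 named earlier, are enough for a first-pass inventory check. The following script is an added example written for this page; it is not code from Qualys, ZDNet or the sudo project. It parses the version line that `sudo --version` prints, compares it against 1.9.5p2 and flags anything older for review. One caveat a practitioner needs: distributions routinely backport security fixes without bumping the upstream version number, so a version string below 1.9.5p2 means "check the package changelog or vendor advisory", not "confirmed vulnerable". The sample version strings below are constructed from the distributions the article names.

```python
import re
import subprocess
from typing import Optional, Tuple

# Upstream release that fixes CVE-2021-3156, as stated in the article.
FIXED_VERSION = "1.9.5p2"

# Matches "1.8.31", "1.9.2" and "1.9.5p2" style sudo version strings.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?")

# Constructed sample strings mimicking the first line of `sudo --version`
# on the distributions the article lists, plus the upstream fixed release.
SAMPLE_OUTPUTS = {
    "Ubuntu 20.04": "Sudo version 1.8.31",
    "Debian 10":    "Sudo version 1.8.27",
    "Fedora 33":    "Sudo version 1.9.2",
    "upstream fix": "Sudo version 1.9.5p2",
}


def parse_sudo_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Return the first sudo version found in text as a comparable tuple
    (major, minor, patch, p-level). A release without a 'pN' suffix gets
    p-level 0, so 1.9.5 sorts before 1.9.5p2. Returns None if no version
    string is present."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def triage(sudo_version_output: str) -> str:
    """Classify a `sudo --version` output string.

    'fixed-upstream' : version is 1.9.5p2 or newer.
    'review-needed'  : version predates the upstream fix; the distribution
                       may have backported it, so consult the package
                       changelog or vendor advisory before concluding.
    'unknown'        : no version string could be parsed.
    """
    version = parse_sudo_version(sudo_version_output)
    if version is None:
        return "unknown"
    if version >= parse_sudo_version(FIXED_VERSION):
        return "fixed-upstream"
    return "review-needed"


def triage_installed() -> str:
    """Run `sudo --version` on this host (no privileges required) and
    classify the result. Returns 'unknown' if sudo is not installed."""
    try:
        proc = subprocess.run(
            ["sudo", "--version"], capture_output=True, text=True, check=False
        )
    except OSError:
        return "unknown"
    return triage(proc.stdout)


if __name__ == "__main__":
    for host, line in SAMPLE_OUTPUTS.items():
        print(f"{host:13} {line:22} -> {triage(line)}")
    print(f"{'this host':13} {'':22} -> {triage_installed()}")
```

Because the comparison is a plain tuple comparison on (major, minor, patch, p-level), the same function works for any future sudo release string; the only page-specific input is the fixed-version constant.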
Although the issue initially appeared to affect only Linux distributions, earlier this week a British security researcher discovered that it also impacts macOS. Matthew Hickey, co-founder of Hacker House, said he tested the CVE-2021-3156 vulnerability and found that, with a few modifications, the bug could also be used to grant attackers root access on macOS.
"To trigger it, you just have to overwrite argv or create a symlink, which therefore exposes the OS to the same local root vulnerability that has plagued Linux users the last week or so," Hickey told ZDNet. His findings were independently and privately verified and confirmed to ZDNet, and were reported to Apple, which declined to comment.