The recently revealed significant security vulnerability in the Sudo utility also affects Apple’s macOS Big Sur operating system and several Cisco devices.
Tracked as CVE-2021-3156 and referred to as Baron Samedit, the concern is a buffer overflow dependent on a heap that can be abused to obtain root rights on the insecure host by unprivileged users.
The user wants to leverage “sudoedit -s” along with a command-line statement ending with a single backslash character for privilege escalation to root.
In Sudo 1.9.5p2, the vulnerability was patched.
Researchers at the cybersecurity company Qualys, who found the flaw, only checked it on some Linux distributions, such as Debian, Fedora, and Ubuntu, but cautioned that the weakness is likely to impact most Unix and Linux dependent systems. Start qualys freescan download to check vulnerablity
Apple’s MacOS Big Sur is one of the affected operating systems, according to Hacker House co-founder Matthew Hickey.
CVE-2021-3156 also affects @apple MacOS Big Sur (currently unpatched), by symlinking sudo to sudoedit and then activating the heap overflow to increase one’s privileges to 1337 uid=0,” he said on Twitter, “you may enable exploitation of the issue.
CVE-2021-3156 also impacts @apple MacOS Big Sur (unpatched at present), you can enable exploitation of the issue by symlinking sudo to sudoedit and then triggering the heap overflow to escalate one’s privileges to 1337 uid=0. Fun for @p0sixninja pic.twitter.com/tyXFB3odxE
— Hacker Fantastic 📡 (@hackerfantastic) February 2, 2021
Will Dormann, a researcher with the CERT Coordination Center of Carnegie Mellon University, has reported that macOS Big Sur is still vulnerable in response to Hickey.
Can confirm with macOS Big Sur on both x86_64 and aarch64. pic.twitter.com/nQqQ8rskv7
— Will Dormann (@wdormann) February 2, 2021
This week, Apple launched patches for more than 60 macOS Big Sur, Catalina, and Mojave vulnerabilities, but none of them fix the Sudo issue.
Cisco confirms that it is presently reviewing which of its products are impacted by the Baron Samedit vulnerability in an advisory released last week but revised twice since. Many goods are not contaminated and others are also under review, although it has been reported that some have been affected.
In specific, the problem affects Firepower Threat Protection (FTD), Prime Partnership Provisioning, Virtual Appliance Prime Service Catalog, On-Prem Smart Software Manager, switches of the Nexus 3000 series, switches of the Nexus 9000 series in standalone NX-OS mode, and Paging Server (InformaCast).
By accessing a Unix shell on an infected system and then invoking the sudoedit command with designed parameters or running a binary exploit, an attacker may exploit this vulnerability. A effective exploit may cause the attacker to execute root privileged commands or binaries,” the company explains.
To date, there are no signs that in live attacks, the Sudo flaw is being abused, but users are urged to submit patches for it as soon as their goods become usable.